hxxp://www[.]reportlab[.]com/ftp/pfbfer-20180109[.]zip

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.reportlab.com/ftp/pfbfer-20180109.zip

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2368	msedge.exe
2368	msedge.exe
1556	msedge.exe
1556	msedge.exe
3732	identity_helper.exe
3732	identity_helper.exe
4896	msedge.exe
4896	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
5232	OpenWith.exe
5368	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5512	OpenWith.exe
5600	AcroRd32.exe
5600	AcroRd32.exe
5600	AcroRd32.exe
5600	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 3992	1556	msedge.exe	83
PID 1556 wrote to memory of 3992	1556	msedge.exe	83
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 1408	1556	msedge.exe	84
PID 1556 wrote to memory of 2368	1556	msedge.exe	85
PID 1556 wrote to memory of 2368	1556	msedge.exe	85
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86
PID 1556 wrote to memory of 1684	1556	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.reportlab.com/ftp/pfbfer-20180109.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8591c46f8,0x7ff8591c4708,0x7ff8591c4718
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,14770564367514432431,16999009818707442096,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2452

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5232

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5368

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5512
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_pfbfer-20180109.zip\cob_____.pfb"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5600
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:5732
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5BE2AEFD23F970E1A7601E9947AE6E81 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:5888
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EC90F00B419395F0C89E6C55D830630F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EC90F00B419395F0C89E6C55D830630F --renderer-client-id=2 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:5900
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=32B1F42F9CCFA5C5A22295B5418F54F0 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:6088
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6969082F06562E2E09701740584C6373 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2896
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0233306ED366669ECAAABEB2BE998500 --mojo-platform-channel-handle=1988 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
996d091e11d651472a155c8db12a3b6e

SHA1
3b7a191f28d45c917246844c81f9c9a636576bd9

SHA256
7b66df3b0ffc08838dc612530accfde2ec4c8dd1525acbbb1e931378549b660d

SHA512
61a6d1fb6a71e31130080fc1b4eeb296dbfb85fd82bb66ae236fde1225a767d83fb4aaec14867da41a630b8fa608178f0138081f07341b04f74112d2976cf308

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
582d03e49f866225227d96acae6611da

SHA1
9ee948c038ac23f257017c7026bd54001b7e1617

SHA256
7f91b39bf7ce515d048046e74ea68c506f3f814b898a5d5125b46a28f18b6e5c

SHA512
e0dc83cd2cbbb0889605b4a8641084f95397527bf905a6318e16c1003d8dea596d85b6a01fc578e0438b63d9e87aaee50f64a6e6b61001da9a5da15d18ddc28d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\57fc8832-bf26-41bf-8934-0fd40e383af8.tmp

Filesize
11KB

MD5
b5b5364711c962ebe580016d0d4c845f

SHA1
47040e94f913d2ad65aa61a7e36c95e7755cd739

SHA256
2674cd1cb3a0ee7bdded5ab81923e5e7733b40ea78b2e8c85f66ad3c8a4e09f9

SHA512
2dfd070f8b7dbf7b1a673d5366344f2f6543dcae582e9d8d0b521e335b54ae99a25e5a2b0e0b905fea06bea903d320b358db712d9feb1c75786d3f75bdbe40c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
424b2d22fbd56ea05ad14e0bd1930b85

SHA1
f031387c93ba1cf720d62ea3928b8e433036f0d6

SHA256
8ac74004972af450d655e9facb4d7ac27ffe814f3fb79458a56fd72ae89f2336

SHA512
b1bc23440ee30c95584e68fb0de0bc819d359fc9393ce4c6c85107169e60a9c520860ce11cbf246a1ac18c0c4389f7eb2f2692f8b4fead0b7739880753f785f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
062ce29ad568aa660e5d0743ef8e00ea

SHA1
5c42390a862ad0b896eeab78bfee03696884c2ab

SHA256
afb0e57a74ae03b49a1c7b786e24eea39d0e40bfbf4be84352043d8db29f50af

SHA512
6719cd7873b11362ce9d70add3c0ee980bbebff72a337aabeca88b35734b57e2de1d364d59f8c809a32f130da4bf7ffdb722034bda2cdb2419bfd79f52c4add3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\Downloads\pfbfer-20180109.zip

Filesize
720KB

MD5
27e977197a24961a55b54c490b80cfb9

SHA1
93b660d08b5a1029f3b5e41a9b8bef77a7d715e4

SHA256
851b431550e866b217317d09dd33b5535ae081200975ad4dd25e80be2af10fec

SHA512
47be62ce173ff3c28580369d30f7dfcf30cbb6c5f3b3f1d36e9427dac1ffe51221af125979a3f0ed1c5ee35b2df77377351cfde50cf93e459d3c299dda210a19

Download Submit