umbral | c00313aabcfd55989bbd839a80dcdd52fe4f08911bba68a5f9acfcc463cf8602

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ref-Quotation.pdf
Size

7KB
MD5

3afee0850cb4ac806103dd7029c99dec
SHA1

81db120f09c5ee62d785ea7fc76d2065362d8d3c
SHA256

c00313aabcfd55989bbd839a80dcdd52fe4f08911bba68a5f9acfcc463cf8602
SHA512

a410572f6aec8153fc5a6f5744ea9064d9730d6c6258a4ac5f244840105afb15fc726e0b9d4b0d28084aeb2dfceceff249b25bcd5b15f846fcc08e6a1004a502
SSDEEP

96:YEcrIq5gt/vsHuMp18EtTkYVkZmsJSJlkOCKeLDkaITVIcxe4vnWcrV:2Iq5OvsppmEJl2rAZoDkj7nTV

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023561-330.dat	family_umbral
behavioral2/memory/6008-338-0x0000020707FD0000-0x000002070800C000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5248	powershell.exe
1512	powershell.exe
5240	powershell.exe
5076	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Ref-Quotation‮‮‮pdf.scr

Executes dropped EXE 2 IoCs

pid	Process
5880	Ref-Quotation‮‮‮pdf.scr
6008	Referer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
69	discord.com
70	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
66	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ref-Quotation‮‮‮pdf.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5248	wmic.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	Ref-Quotation‮‮‮pdf.scr

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5320	ONENOTE.EXE
5320	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2304	msedge.exe
2304	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
3188	identity_helper.exe
3188	identity_helper.exe
3640	msedge.exe
3640	msedge.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5076	powershell.exe
5076	powershell.exe
5076	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
5316	powershell.exe
5316	powershell.exe
5316	powershell.exe
5240	powershell.exe
5240	powershell.exe
5240	powershell.exe
5840	msedge.exe
5840	msedge.exe
5840	msedge.exe
5840	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	6008	Referer.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	5248	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	5316	powershell.exe
Token: SeIncreaseQuotaPrivilege	5288	wmic.exe
Token: SeSecurityPrivilege	5288	wmic.exe
Token: SeTakeOwnershipPrivilege	5288	wmic.exe
Token: SeLoadDriverPrivilege	5288	wmic.exe
Token: SeSystemProfilePrivilege	5288	wmic.exe
Token: SeSystemtimePrivilege	5288	wmic.exe
Token: SeProfSingleProcessPrivilege	5288	wmic.exe
Token: SeIncBasePriorityPrivilege	5288	wmic.exe
Token: SeCreatePagefilePrivilege	5288	wmic.exe
Token: SeBackupPrivilege	5288	wmic.exe
Token: SeRestorePrivilege	5288	wmic.exe
Token: SeShutdownPrivilege	5288	wmic.exe
Token: SeDebugPrivilege	5288	wmic.exe
Token: SeSystemEnvironmentPrivilege	5288	wmic.exe
Token: SeRemoteShutdownPrivilege	5288	wmic.exe
Token: SeUndockPrivilege	5288	wmic.exe
Token: SeManageVolumePrivilege	5288	wmic.exe
Token: 33	5288	wmic.exe
Token: 34	5288	wmic.exe
Token: 35	5288	wmic.exe
Token: 36	5288	wmic.exe
Token: SeIncreaseQuotaPrivilege	5288	wmic.exe
Token: SeSecurityPrivilege	5288	wmic.exe
Token: SeTakeOwnershipPrivilege	5288	wmic.exe
Token: SeLoadDriverPrivilege	5288	wmic.exe
Token: SeSystemProfilePrivilege	5288	wmic.exe
Token: SeSystemtimePrivilege	5288	wmic.exe
Token: SeProfSingleProcessPrivilege	5288	wmic.exe
Token: SeIncBasePriorityPrivilege	5288	wmic.exe
Token: SeCreatePagefilePrivilege	5288	wmic.exe
Token: SeBackupPrivilege	5288	wmic.exe
Token: SeRestorePrivilege	5288	wmic.exe
Token: SeShutdownPrivilege	5288	wmic.exe
Token: SeDebugPrivilege	5288	wmic.exe
Token: SeSystemEnvironmentPrivilege	5288	wmic.exe
Token: SeRemoteShutdownPrivilege	5288	wmic.exe
Token: SeUndockPrivilege	5288	wmic.exe
Token: SeManageVolumePrivilege	5288	wmic.exe
Token: 33	5288	wmic.exe
Token: 34	5288	wmic.exe
Token: 35	5288	wmic.exe
Token: 36	5288	wmic.exe
Token: SeIncreaseQuotaPrivilege	5180	wmic.exe
Token: SeSecurityPrivilege	5180	wmic.exe
Token: SeTakeOwnershipPrivilege	5180	wmic.exe
Token: SeLoadDriverPrivilege	5180	wmic.exe
Token: SeSystemProfilePrivilege	5180	wmic.exe
Token: SeSystemtimePrivilege	5180	wmic.exe
Token: SeProfSingleProcessPrivilege	5180	wmic.exe
Token: SeIncBasePriorityPrivilege	5180	wmic.exe
Token: SeCreatePagefilePrivilege	5180	wmic.exe
Token: SeBackupPrivilege	5180	wmic.exe
Token: SeRestorePrivilege	5180	wmic.exe
Token: SeShutdownPrivilege	5180	wmic.exe
Token: SeDebugPrivilege	5180	wmic.exe
Token: SeSystemEnvironmentPrivilege	5180	wmic.exe
Token: SeRemoteShutdownPrivilege	5180	wmic.exe
Token: SeUndockPrivilege	5180	wmic.exe
Token: SeManageVolumePrivilege	5180	wmic.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4980	AcroRd32.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
4980	AcroRd32.exe
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5320	ONENOTE.EXE
5976	AcroRd32.exe
4980	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 4408	4980	AcroRd32.exe	86
PID 4980 wrote to memory of 4408	4980	AcroRd32.exe	86
PID 4408 wrote to memory of 5108	4408	msedge.exe	87
PID 4408 wrote to memory of 5108	4408	msedge.exe	87
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 60	4408	msedge.exe	88
PID 4408 wrote to memory of 2304	4408	msedge.exe	89
PID 4408 wrote to memory of 2304	4408	msedge.exe	89
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90
PID 4408 wrote to memory of 4508	4408	msedge.exe	90

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ref-Quotation.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dl.discreetshare.com/66b1cfd7a56532fd22035649
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffddfce46f8,0x7ffddfce4708,0x7ffddfce4718
    3⤵
    PID:5108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:60
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
    3⤵
    PID:4508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
    3⤵
    PID:2608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
    3⤵
    PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
    3⤵
    PID:3124
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
    3⤵
    PID:3596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
    3⤵
    PID:2548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5564 /prefetch:8
    3⤵
    PID:3924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
    3⤵
    PID:1368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
    3⤵
    PID:1672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
    3⤵
    PID:3068
- - C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\Downloads\Quotation.one"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5320
  - - C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{CACD4EBF-7473-4236-840B-C169BA761249}\NT\0\Ref-Quotation‮‮‮pdf.scr
      "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{CACD4EBF-7473-4236-840B-C169BA761249}\NT\0\Ref-Quotation‮‮‮pdf.scr" /S
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:5880
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Appliances.pdf"
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:5976
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Referer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Referer.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6008
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Referer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5248
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5316
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5288
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5180
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:4156
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5240
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:5248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14951580702286973671,7492535504473395090,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1312 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5840
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1112
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=580F4099A9584833F2229ABE3D5D7825 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1172
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5FE7B06256EFCCB32C8937CB6FC2AC14 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5FE7B06256EFCCB32C8937CB6FC2AC14 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4300
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C4910807FE3C0C6204E25F54A4743156 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1376
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=107A2CF98C5E72821D5B4BD2B4EDDCF9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=107A2CF98C5E72821D5B4BD2B4EDDCF9 --renderer-client-id=5 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F30C8BCF3D7DB86F664A5A58A309652A --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5284
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8659FB70D544D5FA26C7725809A91394 --mojo-platform-channel-handle=2724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5396
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AAE448EF71FAA1B00F216A4CADCA5539 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AAE448EF71FAA1B00F216A4CADCA5539 --renderer-client-id=10 --mojo-platform-channel-handle=2728 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
192557a96f5f69884defb74c02413523

SHA1
bd6a0d437ec359573ddbcd9a65777b7adda0306c

SHA256
c004fdfa44c44c4a925e0592dcec30a103cd5e17445b2b1f211d6e3b9a5d3d37

SHA512
767d4ca6e8ef9e3762cd8cf8d2869c30541013d1f8d3276d9b6535efa6a1777ff687d15577314e4ca28a64279212a32d2dbe1990fed5c76bebdc45f34b3c98de

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
969044cfa8436f20316d5927c9c337cd

SHA1
f1aecb54c24e20435c03d7917b735380af7362d5

SHA256
058b514bd4ef3d37b17783a87c3e4964b0255a6eba8ffaa9221ba2fdc40682a5

SHA512
0e6569b0e8078b0427e7e8e7c3d4d90f007b26a3e19022d5e26fd250573bbcfd236f45ca461a015bc274efc1c67f2c9f4c861e65796736cf4a36c69b5ae44cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1cdd156805bbe2350b14aaee6789aa3f

SHA1
33f611e8a27642612d3c20cd721f5b2f3823e346

SHA256
2f123c2b7ef654b330262b9de7469b9f8928f2bcbd0f60e0b4c8e013020d19fd

SHA512
ded897f96703c250add9c26d53d5abc5b42d0521f5ee6a13691a7743306e184bfec52f0252f205ce9ef34f6bc28316aae47d54dc9981013360336ed1f2b92897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a86168364b64060b7983ba502a182da

SHA1
b41a4321220f0f3e3d83c2ef6d48db0044f159f4

SHA256
f62c24f44466e2746cae46b700039eac365135dd8f1ef1647c46f13993ae9b5c

SHA512
c20af46c2360839185936af7ded6c03f1b436e12775d5343425820ec808c90fa9d056d712ed8f29092516ec69ce551a7e53da56b5a4d74ad3ffb7da248c4a771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3db4a52a51696ea1a6ff0c16f04d2858

SHA1
cfd1870fa64701b8de2e64addf609123be8cd00b

SHA256
fbf7c4b854210f4d9f63ef38a4dafb179734bce24c39593c03023126f7347486

SHA512
80a949920fa4ea29d407b323ac212e313326ebf1a5a1287d5e19034e8f418efcecaf31520ca171bd7a9a6fcd85fc4ba64fd4444d832cef310a6b2af6c1a46469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
636a2870b773095bc9c2948b3f695bf2

SHA1
aa2e2d1ddc5247ab6529ccffef5ee78105c3d5cf

SHA256
43b3bbcda92b1a449b7104c31d17b3e6de65db4a68732c74937e3df80fd2ffe2

SHA512
4b9c0e1d6dea76c8c8fc3273fae0983235dede966e37bf7910d459a513938892fcfa128bc5f49f194d003734540e7dbb33dcb949ae133a09e6ae5aafd04472b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2ad27b676128e7e83b587e0a5edf7d80

SHA1
4bf65f2e754439c33dffc6d3bccd6792e8159c73

SHA256
c47d0dbc7e2ed7a4776e7661ca70c59e27edb58b2cd1d9a4d08c0b58b8d6c717

SHA512
3a0422eaea71539be62eb811a32a9af3b735660c78acddc1baedc7b5dc6376921c2269e547a4ab6b9ab8b4d21a6dcff420feeb44a5734f5cb2487f860b57e0b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin

Filesize
596B

MD5
cc6b1032593d7f9e836fe89bcd6947a9

SHA1
090a31e2f84ca231a40dd47ac9546a27536dd557

SHA256
9031272e24d0f68100ec856f8638e3602205f9f441737442a6de919b931d9f89

SHA512
484e86c94366c13861e7abc06f24f316ddb9e4d25597776294809b58410c0b1062410591fab1c41e12eec0ce56224b83a602a704ffb137b1ab4ff59326a9624a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BN.bin

Filesize
479KB

MD5
770829780d5b9e4507d4de728eb651ee

SHA1
75bb8baaa4f1e10b574f0dd43a78d0a330554b80

SHA256
fcc458b8823493b20d39bebd3042ebfd9c175b919c4197995333ca3e1287341a

SHA512
b28d7d7b00640cabec04459e6878abb6a9f347b0261b3e7f9a0c34604ca1e78474586131d774159ea25d22e3fa2720186557ea107f57745c12725ccfb19e785a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BO.bin

Filesize
168KB

MD5
92878630a4c012edb095d1ab7513c055

SHA1
ee4be133f2ee7be98793b02dcdcf4fdaa07b8f65

SHA256
85bb11aee7e3181c5d5a0752101480b0b146dea99d0ca9e2a87a3349e4b8f5b3

SHA512
65f54b889f126b231414b0cdbbd64090a5342889bc75910c92ac8b72487bfca0ffe9808e2836fcd173aee34d6dafe8820471a20221c4c789a728a2d128adc412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
ca6f6f9b77124a200d0eeaaed98d369f

SHA1
2822b3b9c0b306c6e24a447b3e11bd6bb66e5c06

SHA256
2971c4e0633fd682570d0880df614d72c03acff4837a5edf1202ce523e71001e

SHA512
894cbc18228c41c59c5e26becd3ba252fac6c64ab971ef34a3a765a9b22edde1c383cccf1406d20046e9b3e82eb82c3cff93eaf3dfa70507dc37263664d864ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c65738617888921a153bd9b1ef516ee7

SHA1
5245e71ea3c181d76320c857b639272ac9e079b1

SHA256
4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

SHA512
2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca58d1913d3261f116a299095e04f734

SHA1
941d13d0c8c65adb6513f23991acfa0d62facdea

SHA256
755daf72f2f5e983abb009c3b1eef4c7c660999f5ff581545bbcae7088c17c69

SHA512
87b0d8c9a5348235e9ad6416e09665764db1af408bf763857dc40e39411fa0cf405e3e8b9f0b8540c72aa874059d1dee865aa0cff8dba0fde5779ec9480b5e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Appliances.pdf

Filesize
129KB

MD5
78d3524e3218a34638d5aa821e194f3b

SHA1
4e70a7972c9f2a94605c639227296ec5fbc9f5b5

SHA256
fd7ce51478d74c5d6d37c36ecb98fdfd03f0370dce606d89412111393c6aee03

SHA512
b18b6c599b60889a395f8807fb19e8f3fc2b109b62acc6f1ec11df97e2b1e23441d5e5353b921f4f5047ea22c1f553eab09b304035a79169b463fe0bc5bba6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Referer.exe

Filesize
214KB

MD5
a23841ed39cc3b09d4e731a80e2d70a6

SHA1
89f95246610063d67db46554f9d4ac61b8c45e02

SHA256
e1663465701c284caff2ef4acd4649efb4aae0b9d935da69766dca2c019bcd0f

SHA512
1a6c9478beccf81c1371bb59a7c7854d7f19481747705419e5816e42271b526469c74e06b66910514cc5385a69819cc86016ede8b0ccd970976ac59d52afffa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hsssq4rr.30x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Quotation.one

Filesize
700KB

MD5
1c27cd78c2199cd25a6aad7aeecc77b4

SHA1
893731991af6f1179646cc8e4467d6f5139149ee

SHA256
94db6f806c5781cc88deb4b8e77f1a870a957fafd81de0401ba92fa1c4a8df3b

SHA512
0aa33229b840e7f47b322e88a3df8f6206d6cdb2d8bbc7ad9b8445a33d7c6965b688e48c789d648be6126c968ed9e430d2cc23eeee6c4717a38fddd79ca6075f

Download Submit
memory/5076-361-0x00000290701A0000-0x00000290701C2000-memory.dmp

Filesize
136KB

Download
memory/5320-197-0x00007FFDBDC10000-0x00007FFDBDC20000-memory.dmp

Filesize
64KB

Download
memory/5320-195-0x00007FFDBDC10000-0x00007FFDBDC20000-memory.dmp

Filesize
64KB

Download
memory/5320-200-0x00007FFDBB9F0000-0x00007FFDBBA00000-memory.dmp

Filesize
64KB

Download
memory/5320-196-0x00007FFDBDC10000-0x00007FFDBDC20000-memory.dmp

Filesize
64KB

Download
memory/5320-198-0x00007FFDBDC10000-0x00007FFDBDC20000-memory.dmp

Filesize
64KB

Download
memory/5320-199-0x00007FFDBDC10000-0x00007FFDBDC20000-memory.dmp

Filesize
64KB

Download
memory/5320-201-0x00007FFDBB9F0000-0x00007FFDBBA00000-memory.dmp

Filesize
64KB

Download
memory/6008-338-0x0000020707FD0000-0x000002070800C000-memory.dmp

Filesize
240KB

Download
memory/6008-378-0x0000020722790000-0x0000020722806000-memory.dmp

Filesize
472KB

Download
memory/6008-379-0x0000020709DC0000-0x0000020709E10000-memory.dmp

Filesize
320KB

Download
memory/6008-381-0x00000207084A0000-0x00000207084BE000-memory.dmp

Filesize
120KB

Download
memory/6008-429-0x00000207084E0000-0x00000207084EA000-memory.dmp

Filesize
40KB

Download
memory/6008-430-0x0000020709E30000-0x0000020709E42000-memory.dmp

Filesize
72KB

Download