Overview

overview

6

Static

static

3

TT copy (3).pdf

windows7_x64

1

TT copy (3).pdf

windows10-2004_x64

6

Resubmissions

08-04-2022 08:16

220408-j6ez3sffgr 3

07-04-2022 11:36

220407-nqzf1afeb8 6

07-04-2022 11:31

220407-nm4asacchn 3

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220331-en
  • submitted
    07-04-2022 11:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TT copy (3).pdf

  • Size

    84KB

  • MD5

    29cee601ffd40bcbdded7b6b1ecb59c5

  • SHA1

    57551f4ba5b1da74f4d1890fe1ec25b4046e8d96

  • SHA256

    ec2917bf44eeb0bed1da25d1c37e7051f8b00916cb4606e7dad01a8fef691ee4

  • SHA512

    8b6b77627f6b13eeaeb058640628c2583847dece5f565da9d1aea2c54210ea655d68aaa20fc44ea44ac17b1ba46fd73ffb84cbc157af28f9d025f82b75ae73c1

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TT copy (3).pdf"
    1⤵
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=84052A6AD70ABBB895F46EFE3245F266 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        3⤵
          PID:32
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B8789043D0D5863280F197B66404F5F7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B8789043D0D5863280F197B66404F5F7 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
          3⤵
            PID:208
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=233354DAA414ECBE4AAFBE8B00729A0A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=233354DAA414ECBE4AAFBE8B00729A0A --renderer-client-id=4 --mojo-platform-channel-handle=2164 --allow-no-sandbox-job /prefetch:1
            3⤵
              PID:3140
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A133BA5535E15D0E772157B9588CFC01 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              3⤵
                PID:3540
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3738A1CD97B866D40BB6B2524A824A8D --mojo-platform-channel-handle=2684 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                3⤵
                  PID:1140
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E4B9D70B92AFDFAB2EF246064F7BDB71 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  3⤵
                    PID:4908
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                  2⤵
                    PID:3112
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/958958106811977752/961145090439512094/tt-copy.rar
                    2⤵
                    • Adds Run key to start application
                    • Enumerates system info in registry
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of WriteProcessMemory
                    PID:4612
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a11946f8,0x7ff8a1194708,0x7ff8a1194718
                      3⤵
                        PID:4648
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
                        3⤵
                          PID:1852
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
                          3⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3576
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
                          3⤵
                            PID:3688
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
                            3⤵
                              PID:1772
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
                              3⤵
                                PID:4344
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
                                3⤵
                                  PID:3236
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
                                  3⤵
                                    PID:3152
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
                                    3⤵
                                      PID:4620
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6076 /prefetch:8
                                      3⤵
                                        PID:2184
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6220 /prefetch:8
                                        3⤵
                                          PID:4156
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3728 /prefetch:8
                                          3⤵
                                            PID:4824
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
                                            3⤵
                                              PID:1604
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4216 /prefetch:8
                                              3⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:4672
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
                                              3⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:3148
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6880 /prefetch:8
                                              3⤵
                                                PID:3148
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                                                3⤵
                                                • Drops file in Program Files directory
                                                PID:1420
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6d27f5460,0x7ff6d27f5470,0x7ff6d27f5480
                                                  4⤵
                                                    PID:5176
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6880 /prefetch:8
                                                  3⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:5412
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6604 /prefetch:2
                                                  3⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:5528
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,6337289070323333756,44735679116746658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1816 /prefetch:8
                                                  3⤵
                                                    PID:1920
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/958958106811977752/961145090439512094/tt-copy.rar
                                                  2⤵
                                                    PID:220
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a11946f8,0x7ff8a1194708,0x7ff8a1194718
                                                      3⤵
                                                        PID:2356
                                                    • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
                                                      "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
                                                      2⤵
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:1860
                                                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
                                                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
                                                        3⤵
                                                          PID:4348
                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                      1⤵
                                                        PID:4348
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                                        1⤵
                                                          PID:5252
                                                        • C:\Windows\system32\OpenWith.exe
                                                          C:\Windows\system32\OpenWith.exe -Embedding
                                                          1⤵
                                                          • Modifies registry class
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:1588
                                                        • C:\Windows\system32\OpenWith.exe
                                                          C:\Windows\system32\OpenWith.exe -Embedding
                                                          1⤵
                                                          • Modifies registry class
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:4604
                                                        • C:\Windows\system32\OpenWith.exe
                                                          C:\Windows\system32\OpenWith.exe -Embedding
                                                          1⤵
                                                          • Modifies registry class
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:2440
                                                        • C:\Windows\system32\OpenWith.exe
                                                          C:\Windows\system32\OpenWith.exe -Embedding
                                                          1⤵
                                                          • Modifies registry class
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:5208
                                                        • C:\Windows\system32\OpenWith.exe
                                                          C:\Windows\system32\OpenWith.exe -Embedding
                                                          1⤵
                                                          • Modifies registry class
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:5088
                                                        • C:\Windows\system32\OpenWith.exe
                                                          C:\Windows\system32\OpenWith.exe -Embedding
                                                          1⤵
                                                          • Modifies registry class
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:5504

                                                        Network

                                                        MITRE ATT&CK Enterprise v6

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
                                                          Filesize

                                                          471B

                                                          MD5

                                                          040801c3c7a1d7fcaf375e86ec6d66d8

                                                          SHA1

                                                          df817e1fafaa8f1f24a0cfdb566811cc38c12b15

                                                          SHA256

                                                          f13ad12d1c4a317f523bdcdfd8799058defe754e50aeda2bfd8bf7cb686d0d8a

                                                          SHA512

                                                          9f3dc51899fbecece4041c54b0ff88d5f03f161645e881080c3f81cbd8fff07ccd2294396cf0cf402a4c17c3ec347abd1a42d92bcbea8bfa19e267e8d4750631

                                                          Download Submit
                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
                                                          Filesize

                                                          434B

                                                          MD5

                                                          e0da35c19d5d16bc756a821c114b2661

                                                          SHA1

                                                          06de7beaf90d8baa2a9a48e69f4d6110070b21dd

                                                          SHA256

                                                          b4831f5a4150ced8a46c5f65cf543eba41cb4864f9eefd1f55c7436a97e84be8

                                                          SHA512

                                                          1537a20284b8a58d5ba449ebe4c086f1d5aecef1c4b7456ec8edeb936f39598693bb55306e86addeaa242df54391b893494e30d603dcc6936bfe973730e27595

                                                          Download Submit
                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                          Filesize

                                                          152B

                                                          MD5

                                                          7c709b14135a1c77814a526a2b460a97

                                                          SHA1

                                                          547bd68514a32a612c7c98e5324a35ea5b39d7a2

                                                          SHA256

                                                          ef9d2108ad41aa1480db4b633bcf66c964b5d8d8aab6f3372143242affd948d4

                                                          SHA512

                                                          baeb04f10ec0383f15ed5cfdf3242b69cbe3f166872012e5b85e83ca95e276623f62a923accc615394fd4058abe61809645f2cdaa0fafee099962a04541021c4

                                                          Download Submit
                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                          Filesize

                                                          152B

                                                          MD5

                                                          99e5dfeaf31981eb1b05a78f7ebf588c

                                                          SHA1

                                                          d325e91325d838df555b7546059cafe1251c6ae1

                                                          SHA256

                                                          4a42d1322fc968609a912cc94bcc07b715e3d954d89942db47d4832b0d6a8e0a

                                                          SHA512

                                                          f8d20de3b3a788545f9ebb41e90c5985d6f537996b09497606ea674f0b111d094b9956851826be2606c5cd4fc364fff0aeb7d4361e58c4e8717245ddc8749707

                                                          Download Submit
                                                        • \??\pipe\LOCAL\crashpad_4612_DMUARKFPPEQNORGK
                                                          MD5

                                                          d41d8cd98f00b204e9800998ecf8427e

                                                          SHA1

                                                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                          SHA256

                                                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                          SHA512

                                                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                          Download Submit
                                                        • memory/32-129-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/208-132-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/220-164-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/1140-145-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/1420-195-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/1604-189-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/1772-159-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/1852-151-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/1852-153-0x00007FF8BD340000-0x00007FF8BD341000-memory.dmp
                                                          Filesize

                                                          4KB

                                                          Download
                                                        • memory/1860-171-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/1920-200-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/2184-180-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/2356-165-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/3112-125-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/3140-137-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/3148-192-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/3152-173-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/3236-168-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/3540-142-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/3576-152-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/3688-155-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/4156-183-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/4268-124-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/4344-162-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/4348-178-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/4612-126-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/4620-176-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/4648-127-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/4672-191-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/4824-186-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/4908-148-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/5176-196-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/5412-197-0x0000000000000000-mapping.dmp
                                                          Download
                                                        • memory/5528-198-0x0000000000000000-mapping.dmp
                                                          Download