Analysis
- max time kernel: 59s
- max time network: 64s
- platform: windows10-2004_x64
- resource: win10v2004-20220331-en
- submitted: 11-04-2022 14:06
Behavioral task: behavioral1
- Sample: 8472 FACTURA VENCIDA.pdf
- Resource: win7-20220331-en
Behavioral task: behavioral2
- Sample: 8472 FACTURA VENCIDA.pdf
- Resource: win10v2004-20220331-en
General
- Target: 8472 FACTURA VENCIDA.pdf
- Size: 50KB
- MD5: 0233481f9b41ca24ccd800c8aedb08f6
- SHA1: 80945e31146553c0bae85cd9e79784d5e714861a
- SHA256: 249ec1b071699e9d72a4249a3ffa89b8f6591d0f21159a541587c3ceab82b5c5
- SHA512: d3abc2a0ba24cbe62300bfa4e5daef6483b2975475a3d08b597b4b242d3169dfa000dc9321c81cc6eb1e6cf687a75efa78788932b6e5fd0ca7edac64ae290d77
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: msedge.exe)
Drops file in Program Files directory (2 IoCs)
Processes:
- File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\9738461f-0f41-43f1-ab02-f797e20c91e7.tmp (process: setup.exe)
- File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220411160738.pma (process: setup.exe)
Program crash (1 IoC)
Processes:
- pid 5848 (WerFault.exe), target pid 3044
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: AcroRd32.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: AcroRd32.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
Modifies Internet Explorer settings
Processes:
- Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (process: AcroRd32.exe)
Modifies registry class (1 IoC)
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: msedge.exe)
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes:
- pid 1604 msedge.exe (2 entries)
- pid 440 msedge.exe (2 entries)
- pid 4108 AcroRd32.exe (18 entries)
- pid 5628 identity_helper.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes:
- pid 440 msedge.exe (6 entries)
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
- pid 4108 AcroRd32.exe (1 entry)
- pid 440 msedge.exe (3 entries)
Suspicious use of SetWindowsHookEx (9 IoCs)
Processes:
- pid 4108 AcroRd32.exe (8 entries)
- pid 5980 AdobeARM.exe (1 entry)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
- PID 4108 (AcroRd32.exe) wrote to memory of PID 3276 (RdrCEF.exe), 3 entries
- PID 3276 (RdrCEF.exe) wrote to memory of PID 212 (RdrCEF.exe), repeated entries
- PID 3276 (RdrCEF.exe) wrote to memory of PID 224 (RdrCEF.exe), repeated entries
(64 entries in total across the three parent/target pairs)
Processes
- "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\8472 FACTURA VENCIDA.pdf"
  Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures: Suspicious use of WriteProcessMemory
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0CD2950F71EEB0EE2120C54A3346AAAE --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E8F386E9CE835B883941FEBABF84BB2E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E8F386E9CE835B883941FEBABF84BB2E --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=89234C04CE0F78546DB5B56399CE72ED --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E504BC2763BEEA5E56368CF89683D140 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E504BC2763BEEA5E56368CF89683D140 --renderer-client-id=5 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=68D4069C97294F1D4922FA56B696A25C --mojo-platform-channel-handle=1828 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9B6FC27C484BF9554E655F1DF89D587D --mojo-platform-channel-handle=2776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bit.ly/ekpc_fact_uravencida11
    Signatures: Adds Run key to start application; Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff96ee746f8,0x7ff96ee74708,0x7ff96ee74718
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1342194889295025194,2568054918553135163,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1342194889295025194,2568054918553135163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,1342194889295025194,2568054918553135163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 /prefetch:8
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1342194889295025194,2568054918553135163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1342194889295025194,2568054918553135163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1342194889295025194,2568054918553135163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,1342194889295025194,2568054918553135163,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5448 /prefetch:8
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,1342194889295025194,2568054918553135163,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5468 /prefetch:8
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1342194889295025194,2568054918553135163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1342194889295025194,2568054918553135163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
    - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1342194889295025194,2568054918553135163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 /prefetch:8
    - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      Signatures: Drops file in Program Files directory
      - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff698495460,0x7ff698495470,0x7ff698495480
    - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1342194889295025194,2568054918553135163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1342194889295025194,2568054918553135163,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bit.ly/ekpc_fact_uravencida11
  - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
    Signatures: Suspicious use of SetWindowsHookEx
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd4,0x10c,0x7ff96ee746f8,0x7ff96ee74708,0x7ff96ee74718
- C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
- C:\Windows\system32\WerFault.exe -pss -s 452 -p 3044 -ip 3044
- C:\Windows\system32\WerFault.exe -u -p 3044 -s 1952
  Signatures: Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
  Filesize: 471B
  MD5: 85519564c90bdf2fcb01aeab21cbe839
  SHA1: d880977f6e92ef4f4bfa6224b3cc04f638e79e25
  SHA256: 948226b48cd40054b13b682cc9515ab03ad5acb539c4fb2c55cca24843ff5839
  SHA512: 549727af44f1046242c945cdc71dfb4e1c18914ca631d1e60798ccac8243ef6d2622dd33b0fc89e3dde82b27e7ab1f1616e6e2e77ac7091c5decf9ce4450fcab
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
  Filesize: 434B
  MD5: a598eaaa6ac4e0ee773c9ebe977a8944
  SHA1: 24354203025fd9cd5f3e2cbc7be95425ac00eaa9
  SHA256: 402a04b09734a8dd7be0f81ba22153147f36a0826689f148820206db23ee9f36
  SHA512: 39697599222391fcb5303069fc32722ebbbcb6eda5b5043b27948b0158a2d48fcc1067b9bb1303f2993acdecffbbbff36b264cc7910ecaf46ccbd938cd44747e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 7c709b14135a1c77814a526a2b460a97
  SHA1: 547bd68514a32a612c7c98e5324a35ea5b39d7a2
  SHA256: ef9d2108ad41aa1480db4b633bcf66c964b5d8d8aab6f3372143242affd948d4
  SHA512: baeb04f10ec0383f15ed5cfdf3242b69cbe3f166872012e5b85e83ca95e276623f62a923accc615394fd4058abe61809645f2cdaa0fafee099962a04541021c4
- \??\pipe\LOCAL\crashpad_440_VPUVNRFZLWBESCIE (no size recorded; the hashes below are those of zero-length content)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e