Analysis
-
max time kernel
144s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220414-en
-
submitted
12-05-2022 10:07
Behavioral task
behavioral1
Sample
c11542f7e88f1fb5daf4fe632a740ad7ed729f5fad075148ab80f616664bfef6.pdf
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
c11542f7e88f1fb5daf4fe632a740ad7ed729f5fad075148ab80f616664bfef6.pdf
Resource
win10v2004-20220414-en
General
-
Target
c11542f7e88f1fb5daf4fe632a740ad7ed729f5fad075148ab80f616664bfef6.pdf
-
Size
30KB
-
MD5
d4b7e6305940220205ac14fe62823516
-
SHA1
ab016e3bd926ea7b439c14e04a8fde195b401382
-
SHA256
c11542f7e88f1fb5daf4fe632a740ad7ed729f5fad075148ab80f616664bfef6
-
SHA512
5a8c7c97efa07a54b02492c70353c4f1fddf8067714f5da0ffa7f42ceca2ed12374013d224d6e43fee70d340718afead0beb274dd7501319c1e3c671c2c33f57
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: msedge.exe
- Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)
Only creation of the Run key itself is recorded; the report lists no value written beneath it, so on its own this is weak evidence of persistence.
-
Drops file in Program Files directory 2 IoCs
Processes: setup.exe
- File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\0e9e830d-7d91-427a-91f0-a309d6fddbe9.tmp (setup.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220512100825.pma (setup.exe)
Both paths are inside Edge's own installation directory and are written by Edge's installer (the setup.exe --configure-user-settings entry in the process tree), not by the sample.
-
Program crash 1 IoCs
Processes: WerFault.exe
- pid 5504 WerFault.exe, target pid 460
PID 460 does not appear in the process tree, so the report does not identify which process crashed.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: AcroRd32.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)
The reading process is the PDF reader itself; this signature fires on many benign documents and should not be read as evasion by the sample without further evidence.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
-
Modifies Internet Explorer settings 1 IoCs
Processes: AcroRd32.exe
- Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
-
Modifies registry class 2 IoCs
Processes: msedge.exe, msedge.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1809750270-3141839489-3074374771-1000\{D62EFE73-0208-4179-8FA7-F314527B5B8E} (msedge.exe)
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes: AcroRd32.exe, msedge.exe, msedge.exe, msedge.exe, identity_helper.exe, AdobeARM.exe
- pid 4628 AcroRd32.exe (20 entries)
- pid 3608 msedge.exe (2 entries)
- pid 1096 msedge.exe (2 entries)
- pid 5288 msedge.exe (2 entries)
- pid 5392 identity_helper.exe (2 entries)
- pid 4436 AdobeARM.exe (2 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes: msedge.exe
- pid 1096 msedge.exe (6 entries)
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: AcroRd32.exe, msedge.exe
- pid 4628 AcroRd32.exe (1 entry)
- pid 1096 msedge.exe (2 entries)
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: AcroRd32.exe, AdobeARM.exe
- pid 4628 AcroRd32.exe (6 entries)
- pid 4436 AdobeARM.exe (1 entry)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: AcroRd32.exe, RdrCEF.exe
- PID 4628 AcroRd32.exe wrote to memory of PID 2588 RdrCEF.exe (3 entries)
- PID 2588 RdrCEF.exe wrote to memory of PID 1560 RdrCEF.exe (41 entries)
- PID 2588 RdrCEF.exe wrote to memory of PID 4752 RdrCEF.exe (20 entries)
Every writer/target pair is a parent writing into a child it has just created (Reader into its Chromium Embedded Framework helper, and that helper into its own GPU and renderer children), which is consistent with ordinary process creation; no write into an unrelated process is recorded.
Processes
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (level 1)
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\c11542f7e88f1fb5daf4fe632a740ad7ed729f5fad075148ab80f616664bfef6.pdf"
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (level 2)
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (level 3)
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7F147D1C67C273DEBE9634089000DF22 --mojo-platform-channel-handle=1708 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (level 3)
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3CA5E6F835B23DD663ED971BFBBEFC52 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3CA5E6F835B23DD663ED971BFBBEFC52 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (level 3)
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8B366AA073972758B3D6E59BE2FF38E1 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (level 3)
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F75099598C42C458736D22F8E180493C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F75099598C42C458736D22F8E180493C --renderer-client-id=5 --mojo-platform-channel-handle=1884 --allow-no-sandbox-job /prefetch:1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (level 3)
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=68FD2F41B45753105F9498BBC0522458 --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (level 3)
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1541669B39A9C57B6CDF630E796EA06D --mojo-platform-channel-handle=2200 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://taxfile.mediafire.com/file/z39lxqg942csz0c/Confirmation-3381633.ppam/file
AcroRd32.exe launched this process with a single URL argument: the PDF hands off to the default browser, and the URL names a PowerPoint add-in file (.ppam) hosted on mediafire. Nothing fetched from that URL appears under Downloads, so the report records no retrieval of the next stage.
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
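The hand-off above is what a URI (or Launch) action inside the PDF produces when Reader opens the document. The script below is an added example, not part of the report and not Adobe or Microsoft code: it scans a PDF statically for URI and Launch actions, inflating FlateDecode streams first so that actions packed into object streams are not missed, and then flags targets whose path names an add-in or executable. The two PDFs it runs on are constructed here (the URL is the one from the process tree); the extension list and the helper names are assumptions.

```python
import re
import zlib
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): a minimal PDF whose OpenAction is a
# URI action carrying the URL the sandbox saw Reader hand to msedge.exe.
URL = b"https://taxfile.mediafire.com/file/z39lxqg942csz0c/Confirmation-3381633.ppam/file"
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n",
    b"4 0 obj << /Type /Action /S /URI /URI (" + URL + b") >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])


def build_compressed_sample(url: bytes) -> bytes:
    """Constructed variant: the same action as a hex string inside a FlateDecode
    stream, which is how writers that use object streams would hide it from grep."""
    body = zlib.compress(b"4 0 obj << /S /URI /URI <" + url.hex().encode() + b"> >> endobj")
    return (b"%PDF-1.5\n5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
URI_RE = re.compile(rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.S)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b[^>]*?/F\s*\((?P<lit>(?:\\.|[^\\)])*)\)", re.S)
# Extensions that mean "the link is the payload"; assumed list, extend as needed.
RISKY_EXT = (".ppam", ".ppa", ".xlam", ".xla", ".docm", ".xlsm", ".pptm",
             ".exe", ".dll", ".js", ".vbs", ".hta", ".lnk", ".iso", ".img", ".scr")


def _inflate_streams(data: bytes) -> bytes:
    """Return the file plus the inflated content of every stream that is zlib data.
    decompressobj ignores trailing bytes, so /Length is not needed."""
    chunks = [data]
    for m in STREAM_RE.finditer(data):
        try:
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (e.g. an image stream) or damaged; keep scanning
    return b"\n".join(chunks)


def _decode_literal(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for a URL (\\, \(, \), \ddd,
    line continuation). Control escapes such as \n are reduced to their letter."""
    raw = re.sub(rb"\\\r?\n", b"", raw)
    raw = re.sub(rb"\\([0-7]{1,3})", lambda m: bytes([int(m.group(1), 8) & 0xFF]), raw)
    raw = re.sub(rb"\\(.)", rb"\1", raw)
    return raw.decode("latin-1")


def extract_actions(pdf: bytes):
    """Return [(kind, target)] for every URI and Launch action found, including ones
    inside Flate streams. Names written with #xx escapes (/U#52I) are not handled."""
    data = _inflate_streams(pdf)
    found = []
    for m in URI_RE.finditer(data):
        if m.group("lit") is not None:
            found.append(("URI", _decode_literal(m.group("lit"))))
        else:
            h = re.sub(rb"\s", b"", m.group("hex"))
            if len(h) % 2:
                h += b"0"  # PDF treats a missing final nibble as 0
            found.append(("URI", bytes.fromhex(h.decode("ascii")).decode("latin-1")))
    for m in LAUNCH_RE.finditer(data):
        found.append(("Launch", _decode_literal(m.group("lit"))))
    return found


def flag_risky(actions):
    """Keep Launch actions and URI actions whose URL has any path segment ending in a
    risky extension; the mediafire layout puts the file name before a trailing /file."""
    out = []
    for kind, target in actions:
        if kind == "Launch":
            out.append((kind, target, "launch"))
            continue
        segments = urlsplit(target).path.lower().split("/")
        hit = next((ext for seg in segments for ext in RISKY_EXT if seg.endswith(ext)), None)
        if hit:
            out.append((kind, target, hit))
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_PDF, build_compressed_sample(URL)):
        actions = extract_actions(sample)
        print(actions, "->", flag_risky(actions))
```

Run against a real document, this gives the URL before detonation; the sandbox's process tree then confirms whether the reader actually followed it.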
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6a8346f8,0x7ffb6a834708,0x7ffb6a834718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5420 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5464 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5456 /prefetch:8
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3984 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6648 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (level 4)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff647f85460,0x7ff647f85470,0x7ff647f85480
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6648 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2064,934924710307253560,13636448647239647689,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 /prefetch:8
-
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (level 2)
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe (level 3)
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
-
C:\Windows\System32\CompPkgSrv.exe (level 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\system32\WerFault.exe (level 1)
C:\Windows\system32\WerFault.exe -pss -s 456 -p 460 -ip 460
-
C:\Windows\system32\WerFault.exe (level 1)
C:\Windows\system32\WerFault.exe -u -p 460 -s 2108
- Program crash
-
C:\Windows\system32\svchost.exe (level 1)
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
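The parent/child relationship that matters in this tree is a document reader spawning a browser with a URL on its command line; the same rule family catches a reader spawning a script host. The following is an added example, not from the report and not vendor code: detection logic over process-creation telemetry (the fields Sysmon event 1 or an EDR carries). The events are constructed to mirror this tree; PIDs 4628, 2588, 1096, 3608 and 4436 are the ones the report lists, while parent PIDs, the sample path and the final cmd.exe event (a positive case for the script-host rule) are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    image: str
    detail: str


# Assumed baseline sets; extend to the readers and hosts in your estate.
READERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Helpers Acrobat Reader spawns on its own; all three appear in this report's tree.
EXPECTED_READER_CHILDREN = {"rdrcef.exe", "adobearm.exe", "reader_sl.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

ACRORD = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
RDRCEF = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"
MSEDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
ARM = r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

# Constructed telemetry modelled on the tree above. Parent PIDs, the sample path
# and the cmd.exe event are assumed and do not come from the report.
EVENTS = [
    ProcEvent(4628, 1000, ACRORD, f'"{ACRORD}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.pdf"'),
    ProcEvent(2588, 4628, RDRCEF, f'"{RDRCEF}" --backgroundcolor=16514043'),
    ProcEvent(1096, 4628, MSEDGE, f'"{MSEDGE}" --single-argument '
              'https://taxfile.mediafire.com/file/z39lxqg942csz0c/Confirmation-3381633.ppam/file'),
    ProcEvent(3608, 1096, MSEDGE, f'"{MSEDGE}" --type=renderer --lang=en-US'),
    ProcEvent(4436, 4628, ARM, f'"{ARM}" /PRODUCT:Reader /VERSION:19.0 /MODE:3'),
    ProcEvent(7777, 4628, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo constructed"),
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Evaluate the reader-child rules over a batch; alerts come back in event order.
    Only direct children of a reader are judged, so a browser's own renderer
    children (parent = browser) are never re-alerted."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or image_name(parent.image) not in READERS:
            continue
        child = image_name(e.image)
        urls = URL_RE.findall(e.cmdline)
        if child in BROWSERS:
            if urls:  # a bare browser launch carries no payload; only URL launches alert
                alerts.append(Alert("reader_opens_url", e.pid, child, urls[0]))
        elif child in SCRIPT_HOSTS:
            alerts.append(Alert("reader_spawns_script_host", e.pid, child, e.cmdline))
        elif child not in EXPECTED_READER_CHILDREN:
            alerts.append(Alert("reader_spawns_unexpected_child", e.pid, child, e.cmdline))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a.rule:32} pid={a.pid:<6} {a.image:12} {a.detail}")
```

On this report's tree the first rule fires once, for PID 1096 with the mediafire URL; RdrCEF.exe and AdobeARM.exe are in the expected-children set and stay silent, and the Edge renderer is skipped because its parent is the browser, not the reader.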
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize
471B
MD5
1f30a78273194a3094a8e20a8a5c30e1
SHA1
edeb265c02ee0d866a805eb632834c64be48cdff
SHA256
d518a4c2b0b134cabf1984b0e5bb5439c691c3b90331d80e47e295cac8bab06e
SHA512
f25fff7aff1a5cb150f4f2f57e63281c452baa43b7e7d0dce9140d7bd7cd5529e42d9f319ebc47bfb6b8b2d6b4db0bf7c24e3ef6523f70e01c10e8a28c713d9b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize
434B
MD5
f87be22776c53b4b1f5c17b0f34ad1ce
SHA1
516ba93186cef2bce0356ccfd6a775858742be89
SHA256
f7cd92c8bf2264d3462bbca877382002044169ae01ce6be6cd4031b29c790fef
SHA512
005d061e63382cc006780f20dc969027e8c71861c7a6118671ac26821b7697633a8b7560d582e07137ac27394a332936dedbf91ac83fd2a1f6b51d2134a856f0
The two CryptnetUrlCache entries are written by Windows CryptoAPI when it fetches certificate, CRL or OCSP data over HTTP during the browser session; they are operating-system artifacts, not content downloaded by the sample. Nothing fetched from the mediafire URL in the process tree appears in this list.
-
\??\pipe\LOCAL\crashpad_1096_XUNAXGAOHHVOXWRI
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
This is the Crashpad named pipe of msedge.exe PID 1096, not a file; the four hashes are those of zero-length input.
-
memory/408-140-0x0000000000000000-mapping.dmp
-
memory/428-162-0x0000000000000000-mapping.dmp
-
memory/1096-153-0x0000000000000000-mapping.dmp
-
memory/1264-168-0x0000000000000000-mapping.dmp
-
memory/1560-132-0x0000000000000000-mapping.dmp
-
memory/1700-159-0x0000000000000000-mapping.dmp
-
memory/2400-143-0x0000000000000000-mapping.dmp
-
memory/2588-130-0x0000000000000000-mapping.dmp
-
memory/2632-151-0x0000000000000000-mapping.dmp
-
memory/2660-156-0x0000000000000000-mapping.dmp
-
memory/3112-154-0x0000000000000000-mapping.dmp
-
memory/3608-157-0x0000000000000000-mapping.dmp
-
memory/3720-166-0x0000000000000000-mapping.dmp
-
memory/4436-167-0x0000000000000000-mapping.dmp
-
memory/4476-164-0x0000000000000000-mapping.dmp
-
memory/4752-135-0x0000000000000000-mapping.dmp
-
memory/5008-148-0x0000000000000000-mapping.dmp
-
memory/5248-170-0x0000000000000000-mapping.dmp
-
memory/5268-172-0x0000000000000000-mapping.dmp
-
memory/5288-173-0x0000000000000000-mapping.dmp
-
memory/5300-175-0x0000000000000000-mapping.dmp
-
memory/5392-186-0x0000000000000000-mapping.dmp
-
memory/5448-184-0x0000000000000000-mapping.dmp
-
memory/5468-188-0x0000000000000000-mapping.dmp
-
memory/5516-185-0x0000000000000000-mapping.dmp
-
memory/5900-177-0x0000000000000000-mapping.dmp
-
memory/5960-179-0x0000000000000000-mapping.dmp
-
memory/5976-181-0x0000000000000000-mapping.dmp
-
memory/6052-190-0x0000000000000000-mapping.dmp