Analysis

max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2022 14:10

Behavioral task: behavioral1
Sample: attachment-2.pdf
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: attachment-2.pdf
Resource: win10v2004-20220812-en
General

Target: attachment-2.pdf
Size: 9KB
MD5: c611ea6ab0862ec7527dccfaad5133aa
SHA1: d27c2c7fc427809e5ef7c8a6ec03d02810721049
SHA256: efc14055117633a34851cc7c891515d4f5970e72a01d9de750d6034cbd6d2a7b
SHA512: c19be5bcd46a087ae282617cb364d6819a650bed7a209ca78e3f612816a67f96dc26088dfd9188141187bc6810504c8b9ac8b87bb2c625e66680ca1306420d96
SSDEEP: 192:nu9eDWTfiqTbbcABFrQs4qOW1sZd6ySP42+uH+204E0YQMCdE6M+2cElo:uJTaq7tBFrQsOp6ySP42VO4EhQMAM+J/
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Process: msedge.exe
Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)

Drops file in Program Files directory (2 IoCs)
Process: setup.exe
File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fdddc6da-6b50-4749-8bd6-0c2068b5bdd4.tmp (setup.exe)
File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221004161312.pma (setup.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: AcroRd32.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Process: msedge.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Modifies Internet Explorer settings
Process: AcroRd32.exe
Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
Modifies registry class (1 IoC)
Process: msedge.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)

Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes: AcroRd32.exe, msedge.exe, msedge.exe, identity_helper.exe
pid   process               occurrences
1460  AcroRd32.exe          22
3796  msedge.exe            2
4192  msedge.exe            2
800   identity_helper.exe   2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
Process: msedge.exe
pid   process      occurrences
4192  msedge.exe   8

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: AcroRd32.exe, msedge.exe
pid   process        occurrences
1460  AcroRd32.exe   1
4192  msedge.exe     2

Suspicious use of SetWindowsHookEx (6 IoCs)
Process: AcroRd32.exe
pid   process        occurrences
1460  AcroRd32.exe   6

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: AcroRd32.exe, RdrCEF.exe
description                        pid   process        target process   occurrences
PID 1460 wrote to memory of 396    1460  AcroRd32.exe   RdrCEF.exe       3
PID 1460 wrote to memory of 4980   1460  AcroRd32.exe   RdrCEF.exe       3
PID 1460 wrote to memory of 2500   1460  AcroRd32.exe   RdrCEF.exe       3
PID 2500 wrote to memory of 1964   2500  RdrCEF.exe     RdrCEF.exe       43
PID 2500 wrote to memory of 5008   2500  RdrCEF.exe     RdrCEF.exe       12
Processes

Process tree (indentation shows parent/child depth; the signatures triggered by each process are listed beneath it)

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\attachment-2.pdf"
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    - Suspicious use of WriteProcessMemory

    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=33527FF33048E08AC04C451407E08966 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=33527FF33048E08AC04C451407E08966 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1

    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7CBC860C13342ACB9B442F1580FF37E2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E14D0AD36B3F11FBA56276DBFCB2B4E5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E14D0AD36B3F11FBA56276DBFCB2B4E5 --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1

    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B0ECE8EEB911A5A14CF8CF9C92B73A23 --mojo-platform-channel-handle=2580 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ED1C29F3F57C750874C16D9D8876405D --mojo-platform-channel-handle=1864 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=94073096A7C41F1F0F0250A61CE0386D --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www1.mxempresar.shop/pago_comprobante/dasssashytsrfwewdw4w432dcadssswe32dsfwywyw67wjjehnsbvcdfreyd.php
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa312946f8,0x7ffa31294708,0x7ffa31294718

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:8

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5264 /prefetch:8

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5532 /prefetch:8

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory

      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6ed975460,0x7ff6ed975470,0x7ff6ed975480

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17241589983524482804,5148263127407236058,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize: 471B
MD5: d506206ae44ba97a587f6642447f2440
SHA1: 538408d6bb9bc9ec075349b199e725fb683af3f0
SHA256: 6f68c5c0a48f4dc7052e1158b2617e74b1d43e52e47d84daf02b5919c2df0dcc
SHA512: ba6c9794b64e1c5d6087d6527c69484287b2a91790a99d83004a5382735de1ce9499a6f9af03dfae601b7aa86e9f4b25c500e65f991248ea76b6d2e274219231

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize: 400B
MD5: ffc6f03501879a7ca58a5f44b7e1274a
SHA1: 3d07d30b45fded770f3f95a01108c83d5ef4d5e8
SHA256: bf7fdec640c49c075704f0c95c41f8a453742c05740b9a38feeb7b97137879f3
SHA512: 29f477f810f4aec3eb9255f468016e2649fe8ddbf5ffc581c171e7a36c5f075576d3a04357681012a5367fefbf9c32a4966ddbcfcfe207da2c34af52db1ca0fc

\??\pipe\LOCAL\crashpad_4192_PUYLZYHDWIWHFBYC
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e