5c9911e58a54b679af77b96212a791447a31374faccc2d2e314beb31687f4d72

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2022, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c9911e58a54b679af77b96212a791447a31374faccc2d2e314beb31687f4d72.pdf
Size

123KB
MD5

3281ce2c486f7462c79fa207706694cf
SHA1

bfb01a943541e973ec4a37b3b42ea4d8e7550efe
SHA256

5c9911e58a54b679af77b96212a791447a31374faccc2d2e314beb31687f4d72
SHA512

9110f4b32abc9ed7b12d291b9dab29ccfb903daac6d6509fa809f54fc600e593c1498506d4687307729f64ed87a73fbb148dff5fb95d8db51e9b6604e0a7451d
SSDEEP

1536:a680m3GtfiWmX2RgBkLZavodSVBJ3M37XMOANB77cF5bnCem7sRtMTLCkRmZ:Y0jIkUTVb3M3TNwE5DCemoGGku

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\446a4666-8fd2-4a1b-b9cb-bcf66f6c1a35.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221027161444.pma	setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4192	msedge.exe
4192	msedge.exe
4336	msedge.exe
4336	msedge.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5644	identity_helper.exe
5644	identity_helper.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe
5792	msedge.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
648	Process not Found
648	Process not Found
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5064	AcroRd32.exe
4336	msedge.exe
4336	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe
5064	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 2388	5064	AcroRd32.exe	83
PID 5064 wrote to memory of 2388	5064	AcroRd32.exe	83
PID 5064 wrote to memory of 2388	5064	AcroRd32.exe	83
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 1644	2388	RdrCEF.exe	86
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87
PID 2388 wrote to memory of 3488	2388	RdrCEF.exe	87

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\5c9911e58a54b679af77b96212a791447a31374faccc2d2e314beb31687f4d72.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BA41184D3A48B18CF6726D66B43ED9B1 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1644
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1FFC764419B8B6832B9DAD1AED615FA5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1FFC764419B8B6832B9DAD1AED615FA5 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3488
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B67CAFEA2F8134AE180ACB30F0F6F478 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B67CAFEA2F8134AE180ACB30F0F6F478 --renderer-client-id=4 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3504
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DB082D509B84B7B784726E3E72EA11E1 --mojo-platform-channel-handle=2428 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1856
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E9781B1B359F4A512552162D5C5D0677 --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3496
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C8B0A2B8F3506000CE392C983B5C7C94 --mojo-platform-channel-handle=2440 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://evacdir.com/asks/bobo.grillparzer?TWljcm9wcm9jZXNzb3IgQW5kIEludGVyZmFjaW5nIEJ5IERvdWdsYXMgViBIYWxsIEZyZWUgRWJvb2sgRG93bmxvYWQTWl=crackling.inventing&retracts=sternly.ZG93bmxvYWR8OUxjY0dKbGMzeDhNVFkxTkRrNE9URTJNbng4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:4336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff7b5746f8,0x7fff7b574708,0x7fff7b574718
    3⤵
    PID:2964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:4832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
    3⤵
    PID:2496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
    3⤵
    PID:4600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
    3⤵
    PID:2596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5028 /prefetch:8
    3⤵
    PID:2680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
    3⤵
    PID:2044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
    3⤵
    PID:3136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4276 /prefetch:8
    3⤵
    PID:2932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
    3⤵
    PID:4740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
    3⤵
    PID:2968
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 /prefetch:8
    3⤵
    PID:5288
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:5364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff639d85460,0x7ff639d85470,0x7ff639d85480
      4⤵
      PID:5436
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3328 /prefetch:8
    3⤵
    PID:852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3356 /prefetch:8
    3⤵
    PID:5484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5780 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3484 /prefetch:8
    3⤵
    PID:5860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1492,13427188030406069936,3459828984003157268,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
    3⤵
    PID:3644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
fee4b6cf88cb981e15b13fe2475d7260

SHA1
f390e433497049eef9c8dbc6a5cec8b310ab4264

SHA256
96c98c6f61a768f0f8d02f3db99c3deef24e3406813c9740c76cd9ef8b746e53

SHA512
813d9f6dec2452fdccc32e45fb3c4f3dd290cf0af2ad1474bfdf26e65d17f14e4f9e7efc2b595e19d9ff511e0a07d852c9aeffdc94cb0c8118c6a4e8001ebf80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
c88733074d5f7f41a9dbff68469a8ced

SHA1
165e19db37a8bec06660acc358511a7e312af5d6

SHA256
657c677822e0e5b6291e9374d4ea0ab2ce803e477ec7769408ff1c99b79f6421

SHA512
bfa4a9fe3dcf7a86cada88f8199a593e307a7e4e448a2300911625bba82e18239030a543737f5443546c596d28aee4fe64f298d1f82c9faab0cc70e3479791a8

Download Submit