30cfa86cf09dceb157bc391427dc1711e19bb6274aecb7e51106253d83324c1f

Resubmissions

28-10-2022 16:58

221028-vhb43agfcm 6

28-10-2022 16:47

221028-vamwlagba5 6

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2022 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anthem EFT Claim.pdf
Size

39KB
MD5

6ac808c8ac531d00b2641d862af65993
SHA1

b38755ed5ee1b27c73883ac98be68233f4d15500
SHA256

9c77273fcfb042da3f1f4588ddca7d3238d4294c02341c7881fa962bc01f9a84
SHA512

13f93e59169dd023b659a147ed58ef18d5d40e5a980ec5660194b0a1721ad1403dcea333e8654ea9763d9c920b2a8bd137dd9aef08fb853ef652986fed8db2a0
SSDEEP

768:Afe3/GZbBTEGrLTRHDxTPIqW9KVemfTY1N+K5jA7tFJRCNXaKiLfe7:A2S3RHFTPIqW4ImfTYP+K5jA7tFJgNXV

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7ac1f39e-dd59-483b-b1bb-ea3d516b123d.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221028184806.pma	setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exeAcroRd32.exemsedge.exe

pid	process
1768	msedge.exe
1768	msedge.exe
2232	msedge.exe
2232	msedge.exe
5236	identity_helper.exe
5236	identity_helper.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

2232 msedge.exe
2232 msedge.exe
2232 msedge.exe
2232 msedge.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AcroRd32.exemsedge.exe

pid process

1716 AcroRd32.exe
2232 msedge.exe
2232 msedge.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

1716 AcroRd32.exe
1716 AcroRd32.exe
1716 AcroRd32.exe
1716 AcroRd32.exe
1716 AcroRd32.exe
1716 AcroRd32.exe

pid	process
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe

pid	process
1716	AcroRd32.exe
2232	msedge.exe
2232	msedge.exe

pid	process
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe
1716	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1716 wrote to memory of 4388	1716	AcroRd32.exe	RdrCEF.exe
PID 1716 wrote to memory of 4388	1716	AcroRd32.exe	RdrCEF.exe
PID 1716 wrote to memory of 4388	1716	AcroRd32.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 1504	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe
PID 4388 wrote to memory of 4732	4388	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Anthem EFT Claim.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5E476EEDF12F08F8899F06422F5D1C3 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1504
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B6905FE47A0CE980FAECEEA4A06B297D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B6905FE47A0CE980FAECEEA4A06B297D --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4732
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4B0295A09DCBEB079FD98C52D44FE631 --mojo-platform-channel-handle=2180 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4188
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=74B6BE21108ED0197F0A2426FE5EC8D6 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4068
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0EC1896D0C194F7189028B8339A04035 --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2392
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DADA1B0E533393DFD697BE881B15439C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DADA1B0E533393DFD697BE881B15439C --renderer-client-id=7 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vk.sv/tg5U80
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:2232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa20946f8,0x7ffaa2094708,0x7ffaa2094718
    3⤵
    PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:2972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
    3⤵
    PID:3684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
    3⤵
    PID:4188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
    3⤵
    PID:1816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 /prefetch:8
    3⤵
    PID:1388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5552 /prefetch:8
    3⤵
    PID:3600
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
    3⤵
    PID:436
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:1832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff61b9b5460,0x7ff61b9b5470,0x7ff61b9b5480
      4⤵
      PID:3600
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
    3⤵
    PID:5256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
    3⤵
    PID:5284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3492 /prefetch:8
    3⤵
    PID:5852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1044 /prefetch:8
    3⤵
    PID:5920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3484 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,7461017794365410815,8590496426742918148,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3040 /prefetch:8
    3⤵
    PID:6040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
6327f99c41e8b498eee4c3c5cad902d1

SHA1
0b61d37df442f93a00fcbfbaa19e8387f0124e4c

SHA256
5eb06f9d0b269bbaf85eca699b9be0bdfefc1b1a1970a117ce51bab96661fa4c

SHA512
df8217d75f72c4c6211a241e914b63d47f0256507e85bb0cb3f8b91c239b8eb854b8236ed4d98850699e5bef13723a8e96cfb9741b4258ebaca93485c73d64e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
95aacad5da39350d91e9ea0f3d60e39c

SHA1
afdabd1660fe0e76e9d94b64c0f39763b7a76cb0

SHA256
04246ea8081a8ca13d2e475ee497e8a88e457b32330fc452a5b9d78a5bdbff97

SHA512
31d0da43b89065f73ef94321f0166d2e9e0a4271cc77f1d5f0cd8da94f6b4001af84c0d3e4a06cd2b130d1eed251282b5fc5302b567f041b5b77b557546a2520

Download Submit
\??\pipe\LOCAL\crashpad_2232_YTLYKRLWODMJSYMB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1388-168-0x0000000000000000-mapping.dmp

Download
memory/1504-134-0x0000000000000000-mapping.dmp

Download
memory/1768-159-0x0000000000000000-mapping.dmp

Download
memory/1816-166-0x0000000000000000-mapping.dmp

Download
memory/1832-171-0x0000000000000000-mapping.dmp

Download
memory/2232-155-0x0000000000000000-mapping.dmp

Download
memory/2392-148-0x0000000000000000-mapping.dmp

Download
memory/2972-158-0x0000000000000000-mapping.dmp

Download
memory/3600-170-0x0000000000000000-mapping.dmp

Download
memory/3600-172-0x0000000000000000-mapping.dmp

Download
memory/3684-162-0x0000000000000000-mapping.dmp

Download
memory/3940-151-0x0000000000000000-mapping.dmp

Download
memory/4068-145-0x0000000000000000-mapping.dmp

Download
memory/4188-164-0x0000000000000000-mapping.dmp

Download
memory/4188-142-0x0000000000000000-mapping.dmp

Download
memory/4388-132-0x0000000000000000-mapping.dmp

Download
memory/4732-137-0x0000000000000000-mapping.dmp

Download
memory/5088-156-0x0000000000000000-mapping.dmp

Download
memory/5236-173-0x0000000000000000-mapping.dmp

Download
memory/5256-175-0x0000000000000000-mapping.dmp

Download
memory/5284-177-0x0000000000000000-mapping.dmp

Download
memory/5852-181-0x0000000000000000-mapping.dmp

Download
memory/5920-183-0x0000000000000000-mapping.dmp

Download
memory/5984-184-0x0000000000000000-mapping.dmp

Download
memory/6040-186-0x0000000000000000-mapping.dmp

Download