7c8e1dba5c1b84a08636d9e6f225e1e79bb346c176e0ee2ae1dfec18953a1ce2

Analysis

max time kernel
133s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2023, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PDFSharkApp.exe
Size

1.0MB
MD5

3e0fb82ed8ea6cd7d1f1bb9dca5f2bdc
SHA1

c7641aba03a32099c9eaf0c104f19c32a5408ae4
SHA256

7c8e1dba5c1b84a08636d9e6f225e1e79bb346c176e0ee2ae1dfec18953a1ce2
SHA512

752104741ca99e691691b22b81516d5f1f36ae6c80a5dbf987fa6c88ff6aa747e085d59e08afcbfa9c8e9eda5f4ab167f8d29a29d31d34674ac85e3007e1732d
SSDEEP

12288:8rcn3wmilvy1PKQKXy9xFW8f9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cHy:Ocn3w/lvpQlrXNL2PVh6B+BzjmcS

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	PDFSharkApp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	PDFSharkApp.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\55227741-df44-41f5-9007-ab1feef67b73.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230106194022.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4800	PDFSharkApp.exe
3612	msedge.exe
3612	msedge.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
3960	msedge.exe
3960	msedge.exe
4828	identity_helper.exe
4828	identity_helper.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
556	chrome.exe
556	chrome.exe
4432	chrome.exe
4432	chrome.exe
5004	chrome.exe
5004	chrome.exe
3296	chrome.exe
3296	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	PDFSharkApp.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
3960	msedge.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe
4800	PDFSharkApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 3960	4800	PDFSharkApp.exe	91
PID 4800 wrote to memory of 3960	4800	PDFSharkApp.exe	91
PID 3960 wrote to memory of 2440	3960	msedge.exe	93
PID 3960 wrote to memory of 2440	3960	msedge.exe	93
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 2236	3960	msedge.exe	94
PID 3960 wrote to memory of 3612	3960	msedge.exe	95
PID 3960 wrote to memory of 3612	3960	msedge.exe	95
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97
PID 3960 wrote to memory of 2632	3960	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\PDFSharkApp.exe
"C:\Users\Admin\AppData\Local\Temp\PDFSharkApp.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff1e1046f8,0x7fff1e104708,0x7fff1e104718
    3⤵
    PID:2440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    3⤵
    PID:2236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3076 /prefetch:8
    3⤵
    PID:2632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
    3⤵
    PID:4552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
    3⤵
    PID:4356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
    3⤵
    PID:4176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5556 /prefetch:8
    3⤵
    PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
    3⤵
    PID:1344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 /prefetch:8
    3⤵
    PID:4172
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
    3⤵
    PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:4336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff78c935460,0x7ff78c935470,0x7ff78c935480
      4⤵
      PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
    3⤵
    PID:5148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
    3⤵
    PID:5232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5516 /prefetch:8
    3⤵
    PID:5336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
    3⤵
    PID:5472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
    3⤵
    PID:5724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1808 /prefetch:8
    3⤵
    PID:6076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:6136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
    3⤵
    PID:5124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6344 /prefetch:8
    3⤵
    PID:3444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,5636821101255977275,13586128984468294272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6504 /prefetch:8
    3⤵
    PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://dsc.sharksearchonline.com?998aa9c366c40f33be9e5e9caf8786fe=H1xAXFNHX19bV1QNEQQwBw9cQ1pURVxXXVNDWVhMXF9YVlQJDB0LU1tWSi4nNikoW1FCX1FCK1w6LEJcUUVcKiolQS9YQ1tYX1Y%253D
  2⤵
  PID:628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff1e1046f8,0x7fff1e104708,0x7fff1e104718
    3⤵
    PID:2964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2804

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x2ec
1⤵
PID:5380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff1e224f50,0x7fff1e224f60,0x7fff1e224f70
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,6916169029401673029,2353836893159548601,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,6916169029401673029,2353836893159548601,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,6916169029401673029,2353836893159548601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6916169029401673029,2353836893159548601,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6916169029401673029,2353836893159548601,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6916169029401673029,2353836893159548601,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,6916169029401673029,2353836893159548601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,6916169029401673029,2353836893159548601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,6916169029401673029,2353836893159548601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,6916169029401673029,2353836893159548601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,6916169029401673029,2353836893159548601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:5924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,6916169029401673029,2353836893159548601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,6916169029401673029,2353836893159548601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,6916169029401673029,2353836893159548601,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:6052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6975358bf66f5ffb6575376f7b32e94f

SHA1
779f399debac473aa3f9b09bfd59998559e41b8e

SHA256
2a90fe21f67888772cc7e145fb804b9e7d25e7b34d161c7ab673addfe2c49577

SHA512
b2d2e2e2fe55f095082ce75e510e2df26e532f67fd9ffe34d3710c382192ef4c463c2026e1e9679adb9879640feb918a62a6497b6f0027ad0efc7cf3e7e89c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6975358bf66f5ffb6575376f7b32e94f

SHA1
779f399debac473aa3f9b09bfd59998559e41b8e

SHA256
2a90fe21f67888772cc7e145fb804b9e7d25e7b34d161c7ab673addfe2c49577

SHA512
b2d2e2e2fe55f095082ce75e510e2df26e532f67fd9ffe34d3710c382192ef4c463c2026e1e9679adb9879640feb918a62a6497b6f0027ad0efc7cf3e7e89c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1eb441559668f67fc32b711cfe76195e

SHA1
1a23a4d3e5a434e256ed095458fdd796e6abe832

SHA256
0d155d0aefa11f8f239296923c818a572a8fd8d3d0f44f329fba7ae2c8430499

SHA512
5b07a82be7537da0fb9ade977e3f033bf587f94e70dd4d44388eaaec9f0237f8bbfd1c4bcaa73a018795f45ff12aa0dc904edf53c354756e2300f0f5b49bb4bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
55e93122f1cb08063a69eb952c1ab9ac

SHA1
b49dcb8f97d98b48969b8882b732e00e460aefbe

SHA256
4f1532ba2d3868886eb07d9704b15c8bbf84aa1dc46f90328e58702b621cd0a2

SHA512
318f9fbf5aaf7ef8cedb833fd9be6f3154214a83d592a3fb71c6280c5dc242c1b7d0c7a9bf0f65571ba60db77d8cfb1c845a891eba1507ac5afd4f84bd4336f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
18da58e2448e4bbc917b71c08aba3fa8

SHA1
8b2c993756755a6b7829546708631f1e6b01efaa

SHA256
b525113d26fbf5707e371ed63687cf748f592edf6574b8644fdd1a8ab7ea82cd

SHA512
6dbcf1429e22c91f9b8fc1c1fdd455271c4f26d1360deb3c388602a566acbfdcb5219a07f87a0a8ef025129e607ab11822e46beff1f4337c11cdb616ae9c9c95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
12d804567b3cad22293ddfb209669856

SHA1
23758a832118c10c4265357a65b4bf0807086655

SHA256
880ae721cd77bc0e731f05768fb65f131670f8ae04fb701e826d0ac977ea3d35

SHA512
86c1fb67167f4aad99f494296b91b04bc8179f03ae7a53f6be89f3c21d7ca50c011b57bbf2df8e03f52f7f07c643c536e4553dcfc832cd46691e8bd30d2229d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.acl

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/4800-180-0x0000000000E50000-0x0000000000EC6000-memory.dmp

Filesize
472KB

Download
memory/4800-134-0x0000000005220000-0x00000000052B2000-memory.dmp

Filesize
584KB

Download
memory/4800-138-0x00000000098C0000-0x00000000098E2000-memory.dmp

Filesize
136KB

Download
memory/4800-133-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/4800-136-0x0000000005330000-0x0000000005396000-memory.dmp

Filesize
408KB

Download
memory/4800-132-0x00000000006D0000-0x00000000007E0000-memory.dmp

Filesize
1.1MB

Download
memory/4800-139-0x000000000F010000-0x000000000F7B6000-memory.dmp

Filesize
7.6MB

Download
memory/4800-137-0x0000000006080000-0x000000000608A000-memory.dmp

Filesize
40KB

Download
memory/4800-181-0x0000000005780000-0x000000000579E000-memory.dmp

Filesize
120KB

Download