2c00bbb3aa78b1c9802bbe0ed9996b7a60519d0f08fbed48be7439314285628e

Analysis

max time kernel
121s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2023 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Norton_Invoice.pdf
Size

215KB
MD5

65087194ddbc3e328ea69b470ccfff5b
SHA1

44a2909c9ecdcd6d72f2ed13015c31460827059c
SHA256

2c00bbb3aa78b1c9802bbe0ed9996b7a60519d0f08fbed48be7439314285628e
SHA512

f9412a6341ab9b9ef6522e48aca507fdb2871da54592c77c49ac904dcff380788127fee9ab55a679ab3cf3d643ffe09e957164136225ace71c4d2a2b3f8ddfba
SSDEEP

6144:FhRgr7beOTj32tI91wwMTb4K4L7EQgJ3lno/:/M7beOTr2tCMP5/QgJJo/

Score

5^/10

paypal phishing

Malware Config

Signatures

Detected potential entity reuse from brand paypal.
phishing paypal

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

AcroRd32.exemsedge.exemsedge.exe

pid	process
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
4684	AcroRd32.exe
5004	msedge.exe
5004	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

4432 msedge.exe
4432 msedge.exe
4432 msedge.exe
4432 msedge.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

AcroRd32.exemsedge.exe

pid process

4684 AcroRd32.exe
4432 msedge.exe
4432 msedge.exe
4432 msedge.exe
4432 msedge.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

4684 AcroRd32.exe
4684 AcroRd32.exe
4684 AcroRd32.exe
4684 AcroRd32.exe
4684 AcroRd32.exe
4684 AcroRd32.exe

pid	process
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4684 wrote to memory of 3748	4684	AcroRd32.exe	RdrCEF.exe
PID 4684 wrote to memory of 3748	4684	AcroRd32.exe	RdrCEF.exe
PID 4684 wrote to memory of 3748	4684	AcroRd32.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 500	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe
PID 3748 wrote to memory of 3900	3748	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Norton_Invoice.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4684

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:3748

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=090302C1F97029B7F5B6258D6514CA21 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:500

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B8CE58CD9079AD004E4530B90270F905 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B8CE58CD9079AD004E4530B90270F905 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3900

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=455EB8A36F339890AEA2BB3E06947342 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=455EB8A36F339890AEA2BB3E06947342 --renderer-client-id=4 --mojo-platform-channel-handle=2160 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2004

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6E5EDAD2A77CA1D86595E8D76FEEFA24 --mojo-platform-channel-handle=2420 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:572

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=52274DEFF480E79FC46080FC3542D8D2 --mojo-platform-channel-handle=2664 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4296

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=669AE0A0E0660E778B2635FCD223D2F3 --mojo-platform-channel-handle=1972 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.paypal.com/invoicing
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8f20346f8,0x7ff8f2034708,0x7ff8f2034718
3⤵
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,4050465575804503224,12194607183301157182,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
3⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,4050465575804503224,12194607183301157182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,4050465575804503224,12194607183301157182,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
3⤵
PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4050465575804503224,12194607183301157182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
3⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4050465575804503224,12194607183301157182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
3⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4050465575804503224,12194607183301157182,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
3⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,4050465575804503224,12194607183301157182,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
3⤵
PID:1308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
cc51478cb768a2be01fcd7033b594ea4

SHA1
77c85254cb189d62d0cbf0eff9cdd799e447ac62

SHA256
7e0d481dd031154582d9e8262f292be9da378c06cdce388262b7ee1bd866c6a5

SHA512
04640a4c936f01c5a07d21d4a8694529469d9baab816c262d8e7613e204b61766b717660251b8e41102300ab73c71d0be77164921d15d58523824cf99be24282

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
9cd32d74533e6612403fda8e44538a2f

SHA1
38872001729ae4b04db20ffba5eb2e08c83f14de

SHA256
924a7ef2bdde6458f1e544fd528560168cca1d6b17c44e4abb75c35de803e397

SHA512
f7e183271c4bc34b6a0e54186e67af95df3dce2dbe95a2cfbdb0bd3c1ebdba50e83654d50eedde624806cc3a5d435e53b5888372b78dc154f068eb41978d84d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
ec0431fa4cb3b420e8c812fa54210ab7

SHA1
8d46659537971ef5173ee7c094ff905c4adbbd51

SHA256
f27d0779067a5eb7e5347e33f68882b947c1512e245ab70bdc716fd9207456c4

SHA512
3c58dc9f2dc5ca88865c850fbb89075cfe37ceffec06341813d499830e942faaf5bf11d0286568baf61e84eb65a6ff406efa26459731709cd6205d5a0d77cccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
099b4ba2787e99b696fc61528100f83f

SHA1
06e1f8b7391e1d548e49a1022f6ce6e7aa61f292

SHA256
cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8

SHA512
4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
160KB

MD5
67145d1dd8c7201ad506c8734df41708

SHA1
9f10d87858deb8ee394d47a6268494905ee9f0c0

SHA256
e0ebeeb232953726660519b937e1cadaf1cb2461e8c044044ff2e9a481f085a0

SHA512
cbf26927e90100331eb8cb94bbf4da6ab431e7dc4919ca6068e672cb07b2d938351d502770433707e98bbc506297fa221dced4fbaf3af92d281da7d18f80c95a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
7f30d57ffe2c158991d217939deab0b2

SHA1
8b905cf3fb34e172d8a9e0acdb535b1f0cd571f2

SHA256
c4f1af8202b0af4ebdcd46092756a6efd82b2c2bfc2cdac8bbcfc50ea4465c52

SHA512
7c4e48e8e9637a397f34bd4e591ea6795b6eab7a736e309462be3ad3fbe854c42d20172d75b07f5c578e8314360fbf3dd5009a8f74a7abbf384c440f1e5ebb9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
f10d8bd0a8e61f56ddb80054a1200904

SHA1
275d966ffaf518f15a63c67d8fc57d0a246f1327

SHA256
729e33b0c8bca6a409f4d8272794e497410edd3d7703e369fa72ff496e614be3

SHA512
f9335aae8ff93427ffd77675855baf14e98b2daac5de0418fc0b3f7c88ccae3584fad1aecf4708e32e141d6f2212be23c328f57eba9547bba3a7ca6c25e50c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
3ecc249f3db123ae34fe79293cf774c4

SHA1
8557dcfdbe62444c7920cbcdb2f232d254e6ea64

SHA256
febd17e1f978142803e01296a8c5dbb8394683641e72250cb53bc9f4f1e7b5aa

SHA512
cc5397c66cc8fae38a39b454a5fd1a58040945e7d2a9eb7dd4ba72bd7a8a9bd6a243bee221664da8089edc287d4b64efb71e96982583d39cdd2de6150ed21698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
886B

MD5
cb57645792a6d81fe70b8a2b61987c0d

SHA1
38fd81bb73e98a43c621a411519908e6e2de8590

SHA256
978db87c9eacc8bcadae23e445531d54a1aed17104ae5d0470387555810bdfd1

SHA512
26076f66b2eafe261f49d4a698d630ad8b1d9694f00dccd1b30c98d5b38b176323e38c54636f8e8b70074f808ff0f2a1823decb4e35208bd4a61bbcab52a5081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
f58c96e13f902c76599bf68cf0ee07e6

SHA1
680b5444fb28ca4ef933d5c4ac6b0c285b794480

SHA256
ae014a516da191522fa4cd49e7d21e8e2d1d792acc90f68ad217dcdd362b353c

SHA512
5a1af821765d22018cf879c7721599bd103546a22330ced69011612666d96e6cd27e84d96468a3365bedb6c0d50c730e85bf4f85a26d96690cc07522db85a2ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
81a25773f99c1c43e0dc1ef2339096c1

SHA1
9da776b3cfec93263cf7477396d177509600ef8f

SHA256
db982a60c28a319a085165ad9a0099433b43ba4a407816def0c4c56d6610c13f

SHA512
16a0228ac89696fc0ee591dcbdfbb2523fe492e89a0562dda3cf2228db23ec44f79a434d8256e695732fc58358e15311eae6e1289d042fca14de4bc7171c515b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e903f8096dd77d778fe7cc0bcc4db02c

SHA1
adabe1fada206de0828d9ac05a66f029f1fee42b

SHA256
aa528496187a7442543ba5a937de8969666c5278f3ad248ce097f8b8c2134436

SHA512
be6dfa85ff81b6467349370a5f4c117b355d1b4536f487e600953762d89d87137f0b0ed1554ca3eaf7f2434fce4daef3578e142cb512c5bbfe78e1fe2f4b1ba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
02ee7addc9e8a2d07af55556ebf0ff5c

SHA1
020161bb64ecb7c6e6886ccc055908984dc651d8

SHA256
552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc

SHA512
567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
a0c8aee6f2f4222ebce884847e88934d

SHA1
990c29436f2e366ce8e856b5b61b81ea5fae4fb4

SHA256
943a4ec657a8a145102b2f7c75c283c7489896648943288a548694cd4c924580

SHA512
f60a2aa20734675953e310338e35c43175e9045fa08549f719e9a9676852bbe119ea40af58ecf015c48510eba6fe6e5d3b866e06d21aa2be17cb7b0632044d5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d36849001b5202884f9e54b713865bdd

SHA1
b01e16b85b053b2f2ca0c80d734f3f97368e13ee

SHA256
2d565461acdfe46ae871e7e0f99e8adc0b7ff5f72695a412072dd8a4d6f2fbac

SHA512
bb0e11fc18318d6086db0ad8bbc7b2b313c07256ed92282337961e4f0a85f442ace66fd1c3543b615878d5a424f3559cba23f42dd933e743fc0706b9c2b5bda4

Download Submit
\??\pipe\LOCAL\crashpad_4432_WKIIBOMXQVWAOOWY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit