1739daa2526c9eafbc94187dcec3289a550fca169d0a2b0d6b48e23e4aa33d1d

max time kernel
69s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

w3.org dummy.pdf
Size

12KB
MD5

2942bfabb3d05332b66eb128e0842cff
SHA1

90ffd2359008d82298821d16b21778c5c39aec36
SHA256

3df79d34abbca99308e79cb94461c1893582604d68329a41fd4bec1885e6adb4
SHA512

f3b3ab3e6351e25b5c1882bea8d37efaddc0ea72bf153bb067688f775a26810d32b54f014bf1cebc7fe93042d85b18b5b453e322d154bc55d5cc2754b0dfb4b2
SSDEEP

384:8Xdp2nmyTBbQDcv6ZxmiiYcIWyGqBRnfU/LaLvWB27:G8mibQDcvSxm14Wy95fU/2TWk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{80CFAF14-D65A-4C28-AE0F-87C3B0D42A6A}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
372	msedge.exe
372	msedge.exe
3836	identity_helper.exe
3836	identity_helper.exe
5844	msedge.exe
5844	msedge.exe
5748	msedge.exe
5748	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5320	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	5320	7zFM.exe
Token: 35	5320	7zFM.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
880	AcroRd32.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
5320	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
880	AcroRd32.exe
880	AcroRd32.exe
880	AcroRd32.exe
880	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 3500	372	msedge.exe	97
PID 372 wrote to memory of 3500	372	msedge.exe	97
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 1404	372	msedge.exe	98
PID 372 wrote to memory of 3356	372	msedge.exe	99
PID 372 wrote to memory of 3356	372	msedge.exe	99
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100
PID 372 wrote to memory of 976	372	msedge.exe	100

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\w3.org dummy.pdf"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6ab646f8,0x7ffd6ab64708,0x7ffd6ab64718
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6796 /prefetch:8
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,3452356326650948662,16770570516662574784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:5560
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\Downloads\sample-1.rar"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:5516
- - C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\sample-1.rar"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
62KB

MD5
daa01cc5a9b8b3a7730d8c940015554c

SHA1
6d3091870737fffb408000a4664c8a6f088b5cf7

SHA256
60dfc7c4f1adc5282ff9d3a0bd9445b59874ce5e123226d3d6f5339d1b998a6d

SHA512
7de57bc1ef544432cd0cf5e27b87fd19af248d2adde11b9b0b7f1cd5e762fe8ab08954344027b7fe32a62c142ba8411e3db42df87ed47a009437aaa511d6246e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
be8a13dc3cb7f4ca5567f0f3c8ab6b38

SHA1
babf7e5aa8d2b2c2094d0be400a1cb8add0162b5

SHA256
e3a118552b12e166aeebefa163ce5358dcee2a3cfd1053e6f22dc57f6678a0df

SHA512
b0ceb8c41ac50b42f2ff0dee494fc1d9b72ba3bed04cb3e80d1d5e1fbe72b75f8ed7d383450a7b49a89dcbc7492fe363953fce628f73c1c443f4eb04b6f3b3de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5272eda4e97d249a286af4935edbcf9f

SHA1
26c227f198321dee8db2518a90d810de0c66f98a

SHA256
08a1f08cbe675a6d1534807ceea93524305adf73021e4c2a290bff2bb8910d36

SHA512
e43bbe25c493148009615ba7b92c4a238ddf1f34ce4470b2bdda6e6822c79c966ebb311272c2dd440538b002fb01c235f0b2d2aa835cf01f98e706cb526720ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
575fe2c5692e9a0b6bb1c2007177fb60

SHA1
666993b75c27a1567657b3fe6d541d97816a563d

SHA256
6ef4e2a46ce531ed333a256c83f1af09e8f84b407c2891e43e43fb19458962ef

SHA512
70c3662752cd1a18626a603d52b3330ac7bcf829c628948b628d8e3f020ad0f31a4ae6ea6930e245a7c3c086ed8cf778ad6859eed3ff7e34ef9b35e83db7a1c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8722bce5bd512dbf1fa1578b44c339ab

SHA1
f71ba15c584db5cc4ad47326c027142bdaedaf35

SHA256
9ce70debf18a1569f1ab6d173f63c935e431c30f107249c4d5be50f6b400df34

SHA512
459508ebd4f3fe21cceef594b089db2a146632971d6d3e36b419cef5b74f8912909ec45b5ea80f9536b86726f26de5985d1d4536b28f06291f173b9b84356b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
16bcaf9f8c2dd927c568f2a0c07d21d8

SHA1
8294c136402666e3f0c39fa8f7643da0dd5a2e27

SHA256
1ab967af8899bcc06f3e1fbeabb991e59390d39db9e46a64b03bc38e16edab2d

SHA512
2d9811d0c0df2ad6e98883fe910a5dd57e7a21d9972317f85481ba6f60cdc24212b363f8566542dd536a61cbb636ed9543658648c42833f81e2971725fa172da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ee09.TMP

Filesize
872B

MD5
b75108b352d830a6108e3be9ae5737bf

SHA1
427ceddf6a309ccc3fb678d5b69575528a18ab1e

SHA256
2313c4174f70bb74499a52eca87291d2e9de826023d9e738835fd271893398b2

SHA512
0ec314f24009c691fa34cf4bc1007f2635123b4ce199647d305c1c1c09024dc4eac077160be83cc65d689abcb68ab57ae67844382b619a06e8dd0c654e5b304b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
aa234036e63315b2bb97cfa3831161b4

SHA1
85f68c5e253e1862851d6611d8af543f07a3a3be

SHA256
f3f9902a8f18d40cadc810262d6954ec9782f92b7c5377b603bcdffc1c0bc138

SHA512
86cb4ae76094d36466c6e5c9d52ce3ebc13eec84d2ed34a8d99db199775f395b09d9afe6c66302dc40491f5fc27ff067af63e3a44b639f2ba332f22e213ee48e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\fc4ae466-647c-47a8-9c80-805f4cd38686.tmp

Filesize
12KB

MD5
c6ca18832a606f49a079751b5b7936e5

SHA1
2d9e0e525892d8d2eb3a0e4d31ae07353850183b

SHA256
bf9d79184fbd58a5e57a63c1db27354649cddf9e501324698be36f4c505515bc

SHA512
3b046a9d02b69ab456959ca947128fa3c2ddc56d14eee22875375cdfdb9c898d2f0f317ed54a15cc96af1ba5ef01c5865e9be1afc0edac8efb472dce0fa46445

Download Submit
C:\Users\Admin\Downloads\sample-1.rar

Filesize
353KB

MD5
4dc7982b8ea86b3ca1ac9563afee0781

SHA1
08d605d2ed2e8499dd96b481f13f7a374649d060

SHA256
778516a80e1d4dcffae2845cd889999bbc78608842506da91acef3f896bad350

SHA512
e22cf920c2216d38b01c9ea111c065b9917069847dd56e2bb76bdc675ab7c0abe6b1cdfe5cd3c64dc1dd6e6925650fa47b21bd82cb9d41e5e6d4ad5f67e4ea07

Download Submit