Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
22-04-2024 23:13
Behavioral task
behavioral1
Sample
Scanned Copy.pdf
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
Scanned Copy.pdf
Resource
win10v2004-20240412-en
General
-
Target
Scanned Copy.pdf
-
Size
39KB
-
MD5
0014e36cd355d92b36e0f61960ea61b6
-
SHA1
6bcfbd052d102b5f134c3f12792b5e795fd4a277
-
SHA256
e8d549fffa06076868e012e0fdecbfc636424668b540743c5528590186992e3e
-
SHA512
d01509c7fa51ff30c49ce78a0685c9355565576963b7ba24d811c916cde935f8cff4384d7d1f9fceb585cb86da6c9be13c3595e066a6c6b5dc95cdca5abb7db0
-
SSDEEP
768:RDMq6WkFuhEeCUXBUm2RRUIrCAfQUjptjGEArIAmoE1gvP1TTKgIZyDfslm:RDMq63ulCUXGm2BrCQQU3SEAEAmQv1Ky
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
AcroRd32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Processes:
AcroRd32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe -
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes:
msedge.exemsedge.exeAcroRd32.exeidentity_helper.exemsedge.exemsedge.exepid process 4332 msedge.exe 4332 msedge.exe 404 msedge.exe 404 msedge.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 5872 identity_helper.exe 5872 identity_helper.exe 2416 msedge.exe 2416 msedge.exe 2004 msedge.exe 2004 msedge.exe 2004 msedge.exe 2004 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
msedge.exepid process 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
Processes:
AcroRd32.exemsedge.exepid process 4968 AcroRd32.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe 404 msedge.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
AcroRd32.exepid process 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe 4968 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
AcroRd32.exeRdrCEF.exedescription pid process target process PID 4968 wrote to memory of 4588 4968 AcroRd32.exe RdrCEF.exe PID 4968 wrote to memory of 4588 4968 AcroRd32.exe RdrCEF.exe PID 4968 wrote to memory of 4588 4968 AcroRd32.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 1728 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe PID 4588 wrote to memory of 4248 4588 RdrCEF.exe RdrCEF.exe
Processes
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Scanned Copy.pdf"1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=046F2BE2A8653425717019088EC40919 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DE3EC12AC76E32A2FE29AC4155255C30 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DE3EC12AC76E32A2FE29AC4155255C30 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:13⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=45F1337844478E93D0358A9E575F9B98 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=98F361F66120628BA49C4061BE30565D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=98F361F66120628BA49C4061BE30565D --renderer-client-id=5 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job /prefetch:13⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7C503118CE89A6C202A96DF96B14CD12 --mojo-platform-channel-handle=2700 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7A45FF41A9AAA03318B0EC54EF78F237 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.bps.go.id/s/t6aD7gQHCe96m9a/download/PQn5zsO-s5v71-zdLsa.htm2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceeeb46f8,0x7ffceeeb4708,0x7ffceeeb47183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5620 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,14963172019903031750,13301971206913118302,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4852 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessagesFilesize
64KB
MD5fc3b59f7e4b1738ce1a487888ff0535c
SHA14f9c5b13ac1fa6dfc90b1e043e1dc7b6f6faeac8
SHA256505f287db5c33cda27b16b4ac1aad71e447cb6f501e18377735decc8a019abd4
SHA512e7ecc6da4bb4dd7c93f40f65e1eb52e47810b80ee57f7ea200a47713a6d65eed16aa62c3985227aa88adf9bd2d9127131fcb474e8aec493f47cd1a073afeaf90
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessagesFilesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessagesFilesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEventsFilesize
12KB
MD52f8a2915e317059264d782c0d0f9c1b0
SHA1cb938bfd14960e52fd0d313da58a45db399fca72
SHA25690639155ff46a136a78262377be24de9eb0d58349eb6c6e1ad9766892f42f352
SHA512adaa178444e30268d85192f6d2807a777209d91d491294776a84df19932ad3a88b2960ed21ecca1952b0121e3378b2383754394296b89265b42d41dcc60ba0da
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57e0880992c640aca08737893588a0010
SHA16ceec5cb125a52751de8aeda4bab7112f68ae0fe
SHA2568649a39877c190ec740a5422284ec5f9ff509b30b2d7896635476873dd8824e2
SHA51252bd0a38ca7f43b26731966035045b1cbd8b60b2d81bdf9aad791cf444da8af8b722ebf3cb364a6e660bebdf23084eb0e30bc23562575b704801669817549f8a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55e2f0fe48e7ee1aad1c24db5c01c354a
SHA15bfeb862e107dd290d87385dc9369bd7a1006b36
SHA256f13b3ebe8d71bd0086d5bb82364c35f59a95d32b39753af251e8639360e291a9
SHA512140d026437fd5e8a874cd00b03950c8f010e1a0732a0a1cc5bdde477e7f8315ccb95790bb4c15b8dbaab9468ad532eb885b6c429300a64e39412d976d079324e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
398B
MD5402c356dd08bea2d859901cb36085e02
SHA16471fb579731e12df4e1502c0dcebedce239cd75
SHA256429433c96e1175daad7f859979f50044382c597ed199301ca760d085d3b9388f
SHA5125dac6ab0e8811a0c7e995d4b6597b0693d2ecd87db4968c9c3b6eab3608fa00f478c2c8380b141ac08ff96001401c4225eb99e4c3680c11a116ce47604885820
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b9df3eaba89f4faba5734dc77938b408
SHA1bdcdacbc7dc930347084235d8321f6bf28a288d1
SHA25664ee96c362a76a41dd57fc09b4f7ea37375541fecd9aeb6f3d49c0640cbfb1f0
SHA512cfbf28005494a178cc2cd3e46921d8df9d31236db6189e501b8205323d84d67c1dda678bc1de8ae584d713df9fc724ea1b0721ee25bdb036861984d5ad6c723b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5e85b642ecd856b4118267de23cf82c66
SHA16c9c2abb7933027e52f9584a434cc8b58dab8934
SHA2569b878e34d610bdb09145583ade4e5ea1bd045eaf47d000cd05355f2f0604ce71
SHA5123b761a8e119ae49889c0ddb8a8e61fb56a53c314bed97cbde5f7b6cf5724478f360e2690dce2ba7d92503ba7ddddb98d3a3f0026d6431d3f455ab02e614b7c61
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD502a9e163b17e37036d5c25e01ad30a4d
SHA16e41105d3c1a7cda7bbbc6a7d32429a3c13ba58e
SHA2563dfd9421edaa8ff8565aca3af495b404bd1bf1c2b66df5d4ce9dda03345153b6
SHA512d7e95958d9acb524195717667df214475a2657e650c07db914f4033f3c330af673f008dc57906cda323a0bf6f05fe4ab33bcdbf2fec27c8f503992346fe3d9ba
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5716a6d242d7cfb252ca4c810017ac8c0
SHA1658e0b5e83fbc518abdcaba9e0382b35693be9e7
SHA2566df4278947de3d4ec96cd9b3655cf0c3e7ee9781379c33e961372b2ac1f455f9
SHA512aa550b19961c2409551ada47c03adec9d464510f864833b2546666691c694bd876b9320412a839266c694109f4fb6c5eb8224014d732c27611ecbd7f8bb9b417
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD50615e21f090fbd5176fe3d497fe0a3dd
SHA10cb3acbc3f107f8b733719ac8ff6c9fe1475f62f
SHA256f32c81bff024466662803e4571723b3300731c8d6782860a1d0c2c8436b5b784
SHA512935d7cb34ad3e65c255a46906a1daefbdbf8e5961611171ba78e9bfcd9f187326b406e602e3eb71f9de505a6ce993aa60c597a36d0c2db500fe1664662130535
-
\??\pipe\LOCAL\crashpad_404_NFRWBXYHKTHVPYFRMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e