Analysis
- max time kernel: 290s
- max time network: 269s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-04-2024 13:11
Behavioral tasks
- behavioral1: Sample Nam.pdf, Resource win7-20240221-en
- behavioral2: Sample Nam.pdf, Resource win10v2004-20240412-en
The results on this page are from behavioral2 (platform windows10-2004_x64, resource win10v2004-20240412-en above).
General
- Target: Nam.pdf
- Size: 105KB
- MD5: 3bd50393cd73db89921f61aa4ee5a028
- SHA1: 08886fa71da4eef73eb1514e84fe213d662b4552
- SHA256: baa163f82e96d421ef67af9826e06195ac7d26ee20a87db20d92e5d0968ae9d0
- SHA512: 4208f38715afb773e1d0fd81911c118116a8e2ce69d89da103d27c6ca0b3cfadf0aa0e529d1b232966dd0fec85d2c6db29369fa535536414ce691c3dc47b9c0a
- SSDEEP: 3072:LgTzFLkZUSpQsqVt4+AIRGgxcx2Gseequu:LgTRLkZK9VFRGWcE7S
Malware Config
Signatures
-
Checks processor information in registry    2 TTPs    2 IoCs
Processor information is often read in order to detect sandboxing environments. Here the query is made by AcroRd32.exe itself (the ~MHz value under CentralProcessor\0), with no other process involved, so it says little about Nam.pdf on its own.
Processes:
  Process        Description         IoC
  AcroRd32.exe   Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  AcroRd32.exe   Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
-
Enumerates system info in registry    2 TTPs    3 IoCs
The BIOS manufacturer and product-name queries come from msedge.exe, the browser that the Reader launched, not from any process the sample created; they are the browser's own start-up behaviour.
Processes:
  Process      Description         IoC
  msedge.exe   Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe   Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe   Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
-
Modifies Internet Explorer settings
Processes:
  Process        Description   IoC
  AcroRd32.exe   Key created   \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
-
Suspicious behavior: EnumeratesProcesses    30 IoCs
Processes (pid, process, number of entries):
  4876   msedge.exe            x2
  1972   msedge.exe            x2
  3900   AcroRd32.exe          x20
  6128   identity_helper.exe   x2
  1616   msedge.exe            x4
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary    6 IoCs
Processes (pid, process, number of entries):
  1972   msedge.exe   x6
This is Edge creating its child processes with the block-non-Microsoft-binaries process mitigation set; a hardening attribute of the browser rather than sample behaviour.
-
Suspicious use of FindShellTrayWindow    26 IoCs
Processes (pid, process, number of entries):
  3900   AcroRd32.exe   x1
  1972   msedge.exe     x25
-
Suspicious use of SendNotifyMessage    24 IoCs
Processes (pid, process, number of entries):
  1972   msedge.exe   x24
-
Suspicious use of SetWindowsHookEx    6 IoCs
Processes (pid, process, number of entries):
  3900   AcroRd32.exe   x6
-
Suspicious use of WriteProcessMemory    64 IoCs
Processes (source pid/process -> target pid/process, number of entries):
  3900 AcroRd32.exe -> 1052 RdrCEF.exe   x3
  1052 RdrCEF.exe   -> 1216 RdrCEF.exe   \ 61 entries between
  1052 RdrCEF.exe   -> 1404 RdrCEF.exe   / these two pairs
Every write is from a parent into a child it has just started: the Reader into its AcroCEF helper, and the helper into its gpu-process (PID 1216) and renderer (PID 1404) children listed in the process tree below. That is ordinary Chromium Embedded Framework start-up; no process outside the Reader's own tree is written to.
Processes
-
The depth markers on the original page (1⤵, 2⤵, 3⤵) give each process's level in the tree and are rendered here as indentation. Everything under AcroRd32.exe (PID 3900) is the Reader's own AcroCEF machinery with one exception: msedge.exe (PID 1972), launched with --single-argument https://daniloroessger.de/ica/delectusnecessitatibus.php while Nam.pdf was open. That launch is the only event in the tree that the Reader's or Edge's own start-up does not account for, so the URL and its host are the IoCs to take from this run. Note also that PID 4876 appears twice (a RdrCEF.exe gpu-process that exited, then an Edge network-service process that reused the PID): correlate on image and parent, not on PID alone.
-
[1] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  (PID 3900)
    cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Nam.pdf"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 1052)
        cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 1216, gpu-process)
            cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=16ECEF2896BF57914235240D10956C1E --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 1404, renderer)
            cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AEF9A908BF66ECC3B3E434B6977CB96F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AEF9A908BF66ECC3B3E434B6977CB96F --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
        [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 4876, gpu-process)
            cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A05147589E56350B332C6A30758F42D0 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 748, renderer)
            cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=442128BA5A5A77BEE54B0D62BA5D9789 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=442128BA5A5A77BEE54B0D62BA5D9789 --renderer-client-id=5 --mojo-platform-channel-handle=2400 --allow-no-sandbox-job /prefetch:1
        [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 4692, gpu-process)
            cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=07F6622370F087EE4E175FA5C55E9064 --mojo-platform-channel-handle=2824 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 4820, gpu-process)
            cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A453B45B0F0584737874BEE5515073A2 --mojo-platform-channel-handle=2000 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1972)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://daniloroessger.de/ica/delectusnecessitatibus.php
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2584, crashpad-handler)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc544446f8,0x7ffc54444708,0x7ffc54444718
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 348, gpu-process)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,5022938639726314399,15305627749747702503,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4876, utility: network.mojom.NetworkService)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,5022938639726314399,15305627749747702503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3740, utility: storage.mojom.StorageService)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,5022938639726314399,15305627749747702503,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1584, renderer)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5022938639726314399,15305627749747702503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2508, renderer)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5022938639726314399,15305627749747702503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 6008, utility: winrt_app_id.mojom.WinrtAppIdService)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,5022938639726314399,15305627749747702503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 6128, utility: winrt_app_id.mojom.WinrtAppIdService)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,5022938639726314399,15305627749747702503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5448, renderer)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5022938639726314399,15305627749747702503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5452, renderer, instant-process)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5022938639726314399,15305627749747702503,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2480, renderer)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5022938639726314399,15305627749747702503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5564, renderer, instant-process)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,5022938639726314399,15305627749747702503,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1616, gpu-process)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,5022938639726314399,15305627749747702503,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 /prefetch:2
            - Suspicious behavior: EnumeratesProcesses
-
[1] C:\Windows\System32\CompPkgSrv.exe  (PID 3252)
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[1] C:\Windows\System32\CompPkgSrv.exe  (PID 5148)
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
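The relationship that matters in the tree above, a document reader (AcroRd32.exe, PID 3900, with Nam.pdf open) launching a browser (msedge.exe, PID 1972) with a URL on its command line, is easy to miss among the Reader's and Edge's own helper processes. The Python below is an added example, not part of this sandbox report and not Adobe's or Microsoft's code: it rebuilds parent/child links from (pid, ppid, image, command line) records constructed to mirror this tree (long Chromium flags trimmed), walks each browser process's ancestry looking for a document reader, reports only the top-most browser process (so renderer and utility children do not produce duplicate hits), and extracts the URL, its host and the document the reader had open as IoCs. The reader and browser name sets, the regexes and the record layout are the example's own assumptions; on real telemetry the same logic runs over Sysmon event 1 or EDR process-creation records.

```python
"""Flag a document reader handing a URL to a browser, from process-tree records."""
import re
from urllib.parse import urlparse

# Constructed records modelled on the process tree of this report:
# (pid, ppid, image path, command line). ppid 0 marks a tree root; Chromium
# child flags are shortened because nothing below depends on them.
ACRO = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
RDRCEF = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_PROCESSES = [
    (3900, 0, ACRO, rf'"{ACRO}" "C:\Users\Admin\AppData\Local\Temp\Nam.pdf"'),
    (1052, 3900, RDRCEF, rf'"{RDRCEF}" --backgroundcolor=16514043'),
    (1216, 1052, RDRCEF, rf'"{RDRCEF}" --type=gpu-process --allow-no-sandbox-job'),
    (1404, 1052, RDRCEF, rf'"{RDRCEF}" --type=renderer --allow-no-sandbox-job'),
    (1972, 3900, EDGE, rf'"{EDGE}" --single-argument https://daniloroessger.de/ica/delectusnecessitatibus.php'),
    (2584, 1972, EDGE, rf'"{EDGE}" --type=crashpad-handler'),
    (4876, 1972, EDGE, rf'"{EDGE}" --type=utility --utility-sub-type=network.mojom.NetworkService'),
    (3252, 0, r"C:\Windows\System32\CompPkgSrv.exe", r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
]

# Analyst-chosen image names (an assumption of this example, not defined by the report).
DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe",
                    "winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
DOC_RE = re.compile(r'"([^"]+\.(?:pdf|docx?|xlsx?|pptx?))"', re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of an image path; accepts either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def index_by_pid(records):
    """Map pid -> record. With PID reuse (4876 in this report) the later record wins."""
    return {rec[0]: rec for rec in records}


def ancestors(pid, by_pid):
    """Yield parent, grandparent, ... of pid; stops at a root, an unknown pid or a cycle."""
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None:
        parent = by_pid.get(cur[1])
        if parent is None or parent[0] in seen:
            break
        seen.add(parent[0])
        yield parent
        cur = parent


def find_reader_to_browser(records):
    """One finding per top-most browser process that has a document reader as an ancestor.

    Each finding carries the reader pid/image, the document named on the reader's
    command line (if any), the browser pid, and the first URL on the browser's
    command line together with its host.
    """
    by_pid = index_by_pid(records)
    findings = []
    for pid, ppid, image, cmdline in records:
        if image_name(image) not in BROWSERS:
            continue
        parent = by_pid.get(ppid)
        # Renderer/gpu/utility children of the browser also descend from the
        # reader; only the browser process whose parent is not a browser is the launch.
        if parent is not None and image_name(parent[2]) in BROWSERS:
            continue
        reader = next((a for a in ancestors(pid, by_pid)
                       if image_name(a[2]) in DOCUMENT_READERS), None)
        if reader is None:
            continue
        url_match = URL_RE.search(cmdline)
        doc_match = DOC_RE.search(reader[3])
        url = url_match.group(0) if url_match else None
        findings.append({
            "reader_pid": reader[0],
            "reader_image": image_name(reader[2]),
            "document": doc_match.group(1) if doc_match else None,
            "browser_pid": pid,
            "url": url,
            "host": urlparse(url).hostname if url else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_reader_to_browser(SAMPLE_PROCESSES):
        print(f"{f['reader_image']} (pid {f['reader_pid']}) had {f['document']!r} open "
              f"and launched browser pid {f['browser_pid']} to {f['url']} (host {f['host']})")
```

Walking the full ancestry rather than checking the direct parent is deliberate: a reader that opens a link through a helper such as RdrCEF.exe, or through the shell, still gets caught. The one hit on the constructed records is the Edge launch to daniloroessger.de; a browser started from explorer.exe produces nothing.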
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages (listed three times: successive contents of the same file during the run)
Filesize: 64KB
MD5: 2f22dd5848dc6b5a8addcfb5d1ca472f
SHA1: d34c6de96acadbdc8a93a1d830d6b48f3b91dfe0
SHA256: 8c2a1003a5a7879e3a9340e3116ee3dc3e64b8ed9d963c58665b33b2b2d7f472
SHA512: 103e8c16ff48049d935eef68b0f530a0eb8a8f70355ddb4ad4cc30f65de791e937476bb04a9de37a87d66a7c2cf85ea493f5d027dd323694c90f7d00dfbe8c85
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize: 36KB
MD5: b30d3becc8731792523d599d949e63f5
SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize: 56KB
MD5: 752a1f26b18748311b691c7d8fc20633
SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 7e0880992c640aca08737893588a0010
SHA1: 6ceec5cb125a52751de8aeda4bab7112f68ae0fe
SHA256: 8649a39877c190ec740a5422284ec5f9ff509b30b2d7896635476873dd8824e2
SHA512: 52bd0a38ca7f43b26731966035045b1cbd8b60b2d81bdf9aad791cf444da8af8b722ebf3cb364a6e660bebdf23084eb0e30bc23562575b704801669817549f8a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 5e2f0fe48e7ee1aad1c24db5c01c354a
SHA1: 5bfeb862e107dd290d87385dc9369bd7a1006b36
SHA256: f13b3ebe8d71bd0086d5bb82364c35f59a95d32b39753af251e8639360e291a9
SHA512: 140d026437fd5e8a874cd00b03950c8f010e1a0732a0a1cc5bdde477e7f8315ccb95790bb4c15b8dbaab9468ad532eb885b6c429300a64e39412d976d079324e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 216B
MD5: 36e26c8809ce5f937d210b456f09c8c6
SHA1: 0329735694f04a0bf86717fde21b75b58899975b
SHA256: 2cb34f7182493f08c40346568ba4ed047e7fcf2cd8e0506387707b9473d3f332
SHA512: 36399ddd5018f54164f03a09bf5ecb0a88f0036723add5c21bb36eed3c8045b7877744ff85a7e38af75efa9d230f87edb9fd3894073594ce4fa19d79e864ca5b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 955B
MD5: 6f608bb0fe66e51596f5df844ee75eac
SHA1: b669b27bd747eccd68a9dbbde8e4a207059ef69c
SHA256: afa30c4757e8c57cd03e9d1769ae783f24344b4958fd3bfde264ff272160768a
SHA512: 79f7979c37a89a563ea687ff7659a2d06479dbbea7733a418a31073e58b53dd3dbeb85fb6a6ccef743f50745ba4081253671d6850bab805f2b8fd48050c0687a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 7516f491890051993b1b834dd224ec11
SHA1: 32e7f1c1cc68bc8279dd54251fe1239c52f3a12b
SHA256: 39f437d6da29f7bb72681f3262644df8e8598785cfbd8e0cadae40dad9e2e519
SHA512: 60d0f33b727521d43fe188c4f69718e220bc3e8fb034d202e25065300e0241f4522a4c9af443d5319b940e271389ebc50db65e7ea134affc6292f715af356d66
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 2446ace5efa4573f8c4d54aa692bd6bc
SHA1: ff85a1eaaeda9a08711ee2f3e125aa2b69518527
SHA256: de2e46e086263d6c2203c78c4aa410d895905b486a31ba0d940957b0ef003f9b
SHA512: 57e16386848287194850199800f332f68dc034f0be058b717d40d032ef242190925feb2e06f39992332f6df093d7529a34b5c44d52831dff1ad7b45789ecfd06
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 18363b605b26984a7f596777d7a458c5
SHA1: 7d1d2ab56f20cb673f05f5dee761004dd68bfb18
SHA256: cfffd13e2ce9d44adcc41cb204f71edb664a3f60ae226df3495d1bcace308bcf
SHA512: 660229efbd62d3d69c921d24533ea2ddf89b7aa2a9bb698b5f2b20c73905ca47dcb66a33150a1eca325a624b709e6d8136076ebee84d2db0217a12992383ae64
-
\??\pipe\LOCAL\crashpad_1972_PGWVYTPVKPJVHMPW (the crash-handler pipe of msedge.exe PID 1972; the hashes below are those of zero bytes, i.e. the pipe was captured with no content)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3900-32-0x000000000A040000-0x000000000A061000-memory.dmp (dump of the 0x0A040000-0x0A061000 region of AcroRd32.exe, PID 3900; 0x21000 bytes)
Filesize: 132KB