Analysis
- max time kernel: 72s
- max time network: 73s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/06/2024, 15:41
Behavioral task
- behavioral1: Sample Secure_Message_06096.pdf; Resource win10v2004-20240611-en
General
- Target: Secure_Message_06096.pdf
- Size: 31KB
- MD5: 31643e96ca1ebab8adda5e1d6409a555
- SHA1: ce07fbf57b5dca8cb966fc35f855ef0b9acade82
- SHA256: 7983a17df6186c8ef7936a8e33ffd8fd21c8c86a0702008c8c4a52150c6324c8
- SHA512: 3f66d79a6448eaa453115166c2e7c028989b29cdb29f90cc3a184bc17f3082e371f1bfacca3d5791d14da114d6489bf48a0bea1ab76c5f3f9a50b5a4759e5aea
- SSDEEP: 768:bVg9lZiDmirdbf4ss2hnXv/qroooPk5XpqKqHVUXX:bVwymipbQVInX3Vc55TqHVUXX
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Suspicious behavior: EnumeratesProcesses (27 IoCs; repeated hits on the same pid collapsed)
  pid | Process
  4712 | msedge.exe
  4192 | msedge.exe
  880 | AcroRd32.exe
  4564 | identity_helper.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs; repeated hits on the same pid collapsed)
  pid | Process
  4192 | msedge.exe
- Suspicious use of FindShellTrayWindow (27 IoCs; repeated hits on the same pid collapsed)
  pid | Process
  880 | AcroRd32.exe
  4192 | msedge.exe
- Suspicious use of SendNotifyMessage (24 IoCs; repeated hits on the same pid collapsed)
  pid | Process
  4192 | msedge.exe
- Suspicious use of SetWindowsHookEx (6 IoCs; repeated hits on the same pid collapsed)
  pid | Process
  880 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (64 IoCs; repeated hits on the same parent/target pair collapsed)
  description | pid | Process | procid_target
  PID 880 wrote to memory of 5056 | 880 | AcroRd32.exe | 87
  PID 5056 wrote to memory of 1276 | 5056 | RdrCEF.exe | 88
  PID 5056 wrote to memory of 3552 | 5056 | RdrCEF.exe | 89
Processes
- "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Secure_Message_06096.pdf"
  PID: 880
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    PID: 5056
    - Suspicious use of WriteProcessMemory
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C1DCB0A196E432E0CB3796417EE91A9A --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      PID: 1276
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=08BD00B531BA5D70E843A4B648513D4A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=08BD00B531BA5D70E843A4B648513D4A --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
      PID: 3552
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A542E365B1282299D00F8CBA5FBE1D98 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      PID: 2988
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4F96CFDE4B1226CE0A34401D20D6C9CB --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      PID: 3612
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=163D305C882D334BA76D41590F818EC6 --mojo-platform-channel-handle=2428 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      PID: 1280
    - "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A0F2058846037A8AA962429B12841525 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A0F2058846037A8AA962429B12841525 --renderer-client-id=7 --mojo-platform-channel-handle=1952 --allow-no-sandbox-job /prefetch:1
      PID: 4664
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://outlook.office365.com/Encryption/retrieve.ashx?recipientemailaddress=agoldaracena%40toroam.us&senderemailaddress=fconcha%40lumafintech.com&senderorganization=AwGHAAAAAoMAAAADAQAAANKLtWd%2FKeVDlK7N0yQMk3JPVT1hdGxhc3RyYWRlcHJvY29tLm9ubWljcm9zb2Z0LmNvbSxPVT1NaWNyb3NvZnQgRXhjaGFuZ2UgSG9zdGVkIE9yZ2FuaXphdGlvbnMsREM9TkFNUFIwMUEwMDgsREM9UFJPRCxEQz1PVVRMT09LLERDPUNPTTDYf%2F9zFhVChQtkCWVdZaFDTj1Db25maWd1cmF0aW9uLENOPWF0bGFzdHJhZGVwcm9jb20ub25taWNyb3NvZnQuY29tLENOPUNvbmZpZ3VyYXRpb25Vbml0cyxEQz1OQU1QUjAxQTAwOCxEQz1QUk9ELERDPU9VVExPT0ssREM9Q09NAQ%3D%3D&messageid=%3CCO1PR01MB65840854F6DCB30725C39986B56B9%40CO1PR01MB6584.prod.exchangelabs.com%3E&cfmRecipient=SystemMailbox%7BD0E409A0-AF9B-4720-92FE-AAC869B0D201%7D%40atlastradeprocom.onmicrosoft.com&consumerEncryption=false&senderorgid=c77ea6ac-eb43-4cae-b8ac-50d838c4a9a4&urldecoded=1&e4e_sdata=Gx9733U48YJ0v%2BqRHygZsVCVsFng%2F1VefnUUsrl6KBTHfP37Pj6mc5BBwGje2nr%2Bw6AMqXazv8reZMcqtxPVuQEZDb3Qx7%2BX2XfbBNSeXkBXyc%2F%2BBCQgNRiMKud3VbVHOixjNGrZ%2FnvqJvWcGwI9wdQ6U20Er5vlBrXIZb4L0RmyIdBfVZKGyVDk6Zny7mxu3CW7rou9rEEBF3RTEsiYVkTBG81dCsoS3QtacakiVhpTYndgjOHki9Ua%2F%2BHJPXSJxnDdcLQwInDU5LmqI13ZWhCajo9D%2BrH3EfA2om4Q0cSsMUSs%2FNHmKDLP4rt4W9z4doe3cBOeuvULqvjKjzZEjA%3D%3D
    PID: 4192
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd087746f8,0x7ffd08774708,0x7ffd08774718
      PID: 1808
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7793559650516351098,6535190089649305486,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      PID: 3992
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7793559650516351098,6535190089649305486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
      PID: 4712
      - Suspicious behavior: EnumeratesProcesses
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,7793559650516351098,6535190089649305486,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
      PID: 3756
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7793559650516351098,6535190089649305486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
      PID: 2020
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7793559650516351098,6535190089649305486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      PID: 4528
    - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7793559650516351098,6535190089649305486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
      PID: 1844
    - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7793559650516351098,6535190089649305486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
      PID: 4564
      - Suspicious behavior: EnumeratesProcesses
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7793559650516351098,6535190089649305486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
      PID: 1372
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7793559650516351098,6535190089649305486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
      PID: 5100
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7793559650516351098,6535190089649305486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
      PID: 5284
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7793559650516351098,6535190089649305486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
      PID: 5292
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7793559650516351098,6535190089649305486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
      PID: 5672
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7793559650516351098,6535190089649305486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
      PID: 5692
- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4032
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
  MD5: 0a2f16dbf9efdf49ce19222678536519
  SHA1: 81de801085fe295facf9e7dee3a147b87c20454c
  SHA256: 127aef28816c9a0a273d418054b91fed855283106db89e3c8c8cbec978df9c37
  SHA512: abb38ee0c4b959d80e47063b2e84443bac74d8073cb8fd6a789a39ee89f4585d296e06f49c0fe2cf512f2914bfd328fbf55c0e9628a0efeb899f193aece75bcb
- Filesize: 36KB
  MD5: b30d3becc8731792523d599d949e63f5
  SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
  SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
  SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
- Filesize: 56KB
  MD5: 752a1f26b18748311b691c7d8fc20633
  SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
  SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
  SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
- Filesize: 12KB
  MD5: 1ecd8e52a6930bc1a6e3edf65935b1e4
  SHA1: 1ad7647caa529f7e0db0be085b2c3866d3114d01
  SHA256: 975cd184a57f649f4e8920f6847fd05fbc700c57100f309145e9289045e81efd
  SHA512: 5261b1f4422410e8719b8f69ed6698d85909bd6f195f39eef36a3db294b7d3487c48f2e8a1d500f314bceeee4fda7bd3e82d88bc0a4a496d904b9958919d8a66
- Filesize: 152B
  MD5: 56067634f68231081c4bd5bdbfcc202f
  SHA1: 5582776da6ffc75bb0973840fc3d15598bc09eb1
  SHA256: 8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4
  SHA512: c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784
- Filesize: 152B
  MD5: 81e892ca5c5683efdf9135fe0f2adb15
  SHA1: 39159b30226d98a465ece1da28dc87088b20ecad
  SHA256: 830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17
  SHA512: c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0
- Filesize: 468B
  MD5: 021418a25fdfe1966d8c8160d0d5ce4a
  SHA1: cd7291c0e0854384bf84244b67d065a32a492de4
  SHA256: d4bd481594dad06e023d99b8f689430161e530ecb9ce8fed37167114d89dc21e
  SHA512: 04de1c142198d5043e3865c2b08311a0ede5ba6cf4ca5911a92fd48ba148826de3c66f023f74048ab185fd6d2249d60b8e586d4308e4852dfc74e70f1d8a9b6e
- Filesize: 5KB
  MD5: 0b058b9253a5962d777b71d05e34c5b8
  SHA1: eeadadad35a5418def9b5f4d9425e7ed749b7c2c
  SHA256: fc11aa43fe63df324212c43e14e3325227b2047de8e4ae5dd352fe842aa8b967
  SHA512: 836f6e5d2a248c6002c2ff186ae3e87876c85867ca2b364e9c2dbb3c5162c0a0976498f4dc9ca98a8c71735927ab387e0abed00c03046b61752f2ad61905435d
- Filesize: 6KB
  MD5: c4a60edcca594728d22d6e0f1ebe97aa
  SHA1: 5411cbbd2faf9df63e90d8487fa69a3a58c6a701
  SHA256: bb170420f1b58eb191ca77270d79d491e5c82e433360c655e1a4964acc361914
  SHA512: 3506ec9e9d2307b4c25e9974b2e64ec97ff19852a74361465f94393cc48aa24b28fce4429fa2495f3ede4784279017d26077aaad49fc1a46acc9113064da6e47
- Filesize: 6KB
  MD5: 21a62530c4894054f7779869f8adca20
  SHA1: 7c2b6038bfb883e5531cfe0bd45fe2bf9630c089
  SHA256: 89f976a66099bc7a327d367762ff78bdee508b85a2db9417e4834589c4640904
  SHA512: 0da4abaeceb97af953f4b99cafe5ebe4a9ef31d729d1daa19ce7ebcaca6477c2f3a34473d7efa34a79a433ed94dcb58a940926bbd34c5e97feecb0025db617f1
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: cb22c18aeee8a9dbc365b5c956658b73
  SHA1: 3a8acadefdcc194528e15a4b6fe7dfb4d96d93b5
  SHA256: 9c8d54e686856293f4f1acf988d1ddbd201f35cdaaaf9bcda4b353e011c48e83
  SHA512: dc26227c2fd0158137ad75bc8669561832176d64fdd47b55a61b7c33788177f1a51d3ddf6b1e6eb26ecc056c6d2d6a96803a39f52d060cea61cb7c318c1473d5
- Filesize: 11KB
  MD5: ad960c449637b34072a899d9b9c83386
  SHA1: 483886122d7ff910b83f27fe56b47d364c116ea4
  SHA256: 60c6d5b7ab8735c60c2404023c4add3824ac53bdbce014540b562ed06b2f8f8e
  SHA512: e54254f4fb30b5e50a262e3953a5a74d60e8c834f5627e44823495b50b8d268d9f22744aa0c7f5c53f59076ac73cb41af428da40b9ceffaed04b42c3f8889169