Analysis
- max time kernel: 141s
- max time network: 147s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 30-10-2024 17:37
Behavioral task: behavioral1
- Sample: 8509d9e62c2c897cf180ac5233554bd523ffffe4.pdf
- Resource: win11-20241007-en
General
- Target: 8509d9e62c2c897cf180ac5233554bd523ffffe4.pdf
- Size: 27KB
- MD5: ffcedf751f4ef3eea3fae75bdded0b49
- SHA1: 8509d9e62c2c897cf180ac5233554bd523ffffe4
- SHA256: 2a480b0b2ad412c919d708f5325659050470f8ebfb3828f974007eb9e452be86
- SHA512: c3a793212fc14637809c0961d60e97933e2121abdae3cf40e32b514311e61129cd365e4a628ecd62e9959c4c316f014e8753ee2a0337df6d7a563ccb91acc6f3
- SSDEEP: 768:j7eVkHIzFuC9DKxBnqjRZQYvAX48DuCMuybK:j7eVUInDQBn/YoI8qB9bK
Malware Config
Signatures
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description   ioc                                                        Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   RdrCEF.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   RdrCEF.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   RdrCEF.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   AcroRd32.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   RdrCEF.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   RdrCEF.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   RdrCEF.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   RdrCEF.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.

description         ioc                                                                    Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        AcroRd32.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   AcroRd32.exe
Enumerates system info in registry 2 TTPs 3 IoCs

description         ioc                                                                    Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe

Modifies Internet Explorer settings 1 IoCs

description   ioc                                                                                                                                                  Process
Key created   \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION   AcroRd32.exe
Suspicious behavior: EnumeratesProcesses 28 IoCs

pid    Process              entries
1616   msedge.exe           2
1896   msedge.exe           2
2092   msedge.exe           2
3188   AcroRd32.exe         20
1676   identity_helper.exe  2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid    Process      entries
1896   msedge.exe   8

Suspicious use of FindShellTrayWindow 27 IoCs

pid    Process        entries
3188   AcroRd32.exe   1
1896   msedge.exe     26

Suspicious use of SendNotifyMessage 12 IoCs

pid    Process      entries
1896   msedge.exe   12

Suspicious use of SetWindowsHookEx 6 IoCs

pid    Process        entries
3188   AcroRd32.exe   6

Suspicious use of WriteProcessMemory 64 IoCs

description                         pid    Process        procid_target   entries
PID 3188 wrote to memory of 1028    3188   AcroRd32.exe   81              3
PID 1028 wrote to memory of 3444    1028   RdrCEF.exe     82              41
PID 1028 wrote to memory of 2108    1028   RdrCEF.exe     83              20
Processes

PID 3188  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\8509d9e62c2c897cf180ac5233554bd523ffffe4.pdf"
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  PID 1028  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    PID 3444  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8ED8CA73BFCD9B7CF3387775ACFCC4ED --mojo-platform-channel-handle=1600 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - System Location Discovery: System Language Discovery

    PID 2108  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=445B3E24CD83665F676331F51291A857 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=445B3E24CD83665F676331F51291A857 --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
      - System Location Discovery: System Language Discovery

    PID 1060  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=73BEAEA37A898E0926796C67A88DACDC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=73BEAEA37A898E0926796C67A88DACDC --renderer-client-id=4 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job /prefetch:1
      - System Location Discovery: System Language Discovery

    PID 2436  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=37B1FA5CF1D10588C190549D143B1A25 --mojo-platform-channel-handle=2588 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - System Location Discovery: System Language Discovery

    PID 3292  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=91DEA68ABBE132A222EACCAF1EF8E56D --mojo-platform-channel-handle=2692 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - System Location Discovery: System Language Discovery

    PID 864  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A68F6FDA85C28C5EFB1B6B0CD2746895 --mojo-platform-channel-handle=1640 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - System Location Discovery: System Language Discovery

  PID 1896  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://2259e144.reconscweupcon3256.pages.dev/.x#xbWF0dGhld0BtYXJibGVnYXRlLmNvbQ==
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    PID 1172  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe05383cb8,0x7ffe05383cc8,0x7ffe05383cd8

    PID 3988  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,13891786185334392299,12905144801204092354,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2

    PID 1616  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,13891786185334392299,12905144801204092354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    PID 3452  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,13891786185334392299,12905144801204092354,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8

    PID 464  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13891786185334392299,12905144801204092354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

    PID 4900  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13891786185334392299,12905144801204092354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

    PID 2348  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13891786185334392299,12905144801204092354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1

    PID 3304  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13891786185334392299,12905144801204092354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1

    PID 2092  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,13891786185334392299,12905144801204092354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    PID 1676  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,13891786185334392299,12905144801204092354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    PID 1700  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13891786185334392299,12905144801204092354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1

    PID 2092  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13891786185334392299,12905144801204092354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1

    PID 3408  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13891786185334392299,12905144801204092354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1

    PID 684  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,13891786185334392299,12905144801204092354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1

PID 2324  C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
  MD5: 5a55285af597a466f850888f51e85bdb
  SHA1: 2e1eff1e5c7e8edcc3d8f35c99d219d2848d6395
  SHA256: bd26ddafbcb5ddb3c7fe9f0333e6fdfcf00e044c0a4beaf3187744a05b2d101f
  SHA512: 39c4c73d0bbf88db96b9db7d0c1267d00f7a0dccc9bc021e44b66098ce02f9b84629fbbd97dd7fc2c70f9279353bff5ba41dd927e86164b0a30b53150b32bac0

- Filesize: 56KB
  MD5: 752a1f26b18748311b691c7d8fc20633
  SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
  SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
  SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

- Filesize: 152B
  MD5: 02a4b762e84a74f9ee8a7d8ddd34fedb
  SHA1: 4a870e3bd7fd56235062789d780610f95e3b8785
  SHA256: 366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da
  SHA512: 19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

- Filesize: 152B
  MD5: 826c7cac03e3ae47bfe2a7e50281605e
  SHA1: 100fbea3e078edec43db48c3312fbbf83f11fca0
  SHA256: 239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab
  SHA512: a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 144B
  MD5: 8d6f37b7c4f6591c2543ef9a01372a12
  SHA1: 5ead778c205750855edc8a9659ff5eab0100e196
  SHA256: edad8bcde8c3a82122264e00034437adb071f2da327e907d7809e21b2fabf9c0
  SHA512: 2c3f8baa788e3c3e17b6f4be93bc2e590aa12d612ca4fc1fa36f96a1b8116f29c8163d12404b7a9d75fe4e6f35b19a165b629f696cc0a386659cd07d980d89e1

- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

- Filesize: 802B
  MD5: 3b60dfaaebc858f6f3fd5299930680ab
  SHA1: d435eea6eff7253bb6f3640bc6a76d76bcc54909
  SHA256: 872e5d19fe32b395f72294946d61981fa1d8f10c04e06ea628a6275edbd5c57e
  SHA512: d7523f53f84e2005bdec5c367bc49061e2c61526eae4c9f29161228ce4913cef738a3a5189ae63b42feb00387ae76f662eab4cfd779f41a319494b91c11a60f5

- Filesize: 6KB
  MD5: 48ab3460bdc2d02d950349f3d1f128bf
  SHA1: 21603adf94df3b809574a8463299033016229b2e
  SHA256: 31dbfd91d3a610f7f19ed1d61dc650535499f712e27c48cd6b087c5621483dff
  SHA512: 44d80f1e802f8309c9a03dfde93d5af2d3ef19a33210c1faeb4dbcf28d2a3b94f8c32a1a9a91f52556669930b4edfa1efde53800fad867987e9c9ea403b42052

- Filesize: 5KB
  MD5: 84e72fa4743e3832b1653dd612da196e
  SHA1: 1429ad1cc707fbf438bcab3ef4cfd0195e0a2535
  SHA256: 6e6f56734c446ccd2950b62df96bb0dfd60c132da24698f62e2aa28550ea7c90
  SHA512: 8773768ba812af6ae003aea9234bc6958aa4b9a04b6a58900f76caa5290c0cf54b8b5fdbd26e980a826ef7e5722a47766b8b39dcba0fab5ca9996250e1bcd718

- Filesize: 6KB
  MD5: 523ff6c24884d606a9ea935465e15838
  SHA1: 55e6668e2f3c0dc19b0a37ae568075a58e7e7269
  SHA256: 25ff1d7ea3e8ffaa9d8f130496092b73e78444253bfdbbf3a4cc3e59befa563a
  SHA512: 263944d2059154ba2c6bd80e8c52bf40328a683fd26be88ace1f22615e84f28c67653985b17e3261475849aaf0d941590c59e764bb9bbef72e80fa90b964f48d

- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

- Filesize: 11KB
  MD5: 2f78a21c120c747e20eaf6fb74527b40
  SHA1: 66890d2c0a4e17f289c0fc272eecf43b9ce804de
  SHA256: 31fa478b1528ff111686370fa19d88c3c4c9e5776c7dc2697b3b7d16b66fb2bb
  SHA512: a9b604ee0ff6518cc9995de1ad644d860f422ddd3c62555b664018543e8a58a90e796d6a25b7517bc7b086ecd88509c1ef4df43219cebd70db3ed558c9ed09f0

- Filesize: 11KB
  MD5: 1d59d9fd7acda19ae6df623f30af0d0c
  SHA1: eb33c97aa4cbe4fbcb811251e24743a7ee36acae
  SHA256: 44f997f5981ce85fadea3ac5d404ebd1f41806c9e38bb3902d3ed58a79342176
  SHA512: e763a89cbdff3b115186de930242687777063f0345cf969e7d559615c33538ea93bfcbbe69dfa96f2f81cf130b718a4fe99ef477826f2af6c8c93ac5d1ac0d18