0c37fab5bdc0985fa8d4fa934a966b944b7bf3274818c6e6fb1db9fc4877e0c4

Resubmissions

22-11-2024 15:31

241122-syhknstldz 3

22-11-2024 15:23

241122-ssnjqstkes 5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anderson Therapy Services request for proposal (002).pdf
Size

33KB
MD5

6c6e08d4c5dcbc0fa2260b60fffd8771
SHA1

11d8b75b4076cde8fc7d9a00bc69219f3adde6bc
SHA256

0c37fab5bdc0985fa8d4fa934a966b944b7bf3274818c6e6fb1db9fc4877e0c4
SHA512

fdf436a1ed73a81868fa141e3b6dc5e3b5eab08a8db288a080be6f5e448a841f90fdf43183cd7d2728a95263f94ca9912bc308152c07757efd1f884943aa831a
SSDEEP

768:HFyaY3l4LZJY1HbrHL5JangtJX9MByC9jUYuhkbVxQb8zh/:+l4Q1Hbrr/acQyMjXPLQbA/

Score

5^/10

microsoft discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RdrCEF.exeAcroRd32.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

AcroRd32.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
2532	AcroRd32.exe
4356	msedge.exe
4356	msedge.exe
4624	msedge.exe
4624	msedge.exe
2956	msedge.exe
2956	msedge.exe
5836	identity_helper.exe
5836	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

Processes:

msedge.exe

pid	process
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

AcroRd32.exemsedge.exe

pid	process
2532	AcroRd32.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe
4624	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

2532 AcroRd32.exe
2532 AcroRd32.exe
2532 AcroRd32.exe
2532 AcroRd32.exe
2532 AcroRd32.exe
2532 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2532 wrote to memory of 1184	2532	AcroRd32.exe	RdrCEF.exe
PID 2532 wrote to memory of 1184	2532	AcroRd32.exe	RdrCEF.exe
PID 2532 wrote to memory of 1184	2532	AcroRd32.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2912	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe
PID 1184 wrote to memory of 2740	1184	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Anderson Therapy Services request for proposal (002).pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DD51F4934FE5FF224081FA76F30203B2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9BBC9B9DF028AC88CF6A74523413318B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9BBC9B9DF028AC88CF6A74523413318B --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=31D4668484806BC89D89CF7D101DABEE --mojo-platform-channel-handle=2284 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=50D384410AEC2EE9892D4C141A5C1153 --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4348
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CFAFE430B6D97357B3D5968D48FC97E6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CFAFE430B6D97357B3D5968D48FC97E6 --renderer-client-id=6 --mojo-platform-channel-handle=1964 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4336
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8039481F16B0296CCC44B2487E21B0E9 --mojo-platform-channel-handle=2748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ccsa6643.ahltobaccosales.mw//@
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcce5e46f8,0x7ffcce5e4708,0x7ffcce5e4718
    3⤵
    PID:1984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
    3⤵
    PID:232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
    3⤵
    PID:952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:3096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
    3⤵
    PID:848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
    3⤵
    PID:5440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
    3⤵
    PID:5452
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
    3⤵
    PID:5656
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
    3⤵
    PID:6040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
    3⤵
    PID:6048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
    3⤵
    PID:5164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
    3⤵
    PID:2844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
    3⤵
    PID:2288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
    3⤵
    PID:2780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
    3⤵
    PID:1604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
    3⤵
    PID:388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
    3⤵
    PID:2512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
    3⤵
    PID:6100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
    3⤵
    PID:2852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1912 /prefetch:1
    3⤵
    PID:5804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
    3⤵
    PID:6088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
    3⤵
    PID:4608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
    3⤵
    PID:2640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
    3⤵
    PID:5940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2776 /prefetch:1
    3⤵
    PID:5700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
    3⤵
    PID:1480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
    3⤵
    PID:1484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
    3⤵
    PID:2220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2160 /prefetch:1
    3⤵
    PID:5240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
    3⤵
    PID:3608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
    3⤵
    PID:2104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,16519504044621043812,13750738422769643048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
    3⤵
    PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://atsin6643.ahltobaccosales.mw//@
  2⤵
  PID:3804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcce5e46f8,0x7ffcce5e4708,0x7ffcce5e4718
    3⤵
    PID:2636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1440,836210098969203340,742051200899735730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ccsa6643.ahltobaccosales.mw//@
  2⤵
  PID:1372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffcce5e46f8,0x7ffcce5e4708,0x7ffcce5e4718
    3⤵
    PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://atsin6643.ahltobaccosales.mw//@
  2⤵
  PID:3440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcce5e46f8,0x7ffcce5e4708,0x7ffcce5e4718
    3⤵
    PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ccsa6643.ahltobaccosales.mw//@
  2⤵
  PID:2316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcce5e46f8,0x7ffcce5e4708,0x7ffcce5e4718
    3⤵
    PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://atsin6643.ahltobaccosales.mw//@
  2⤵
  PID:3816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcce5e46f8,0x7ffcce5e4708,0x7ffcce5e4718
    3⤵
    PID:2428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
d7e56eb0e63b42b91a33ca223877db64

SHA1
6ac481bdca55c2524dd2e038dcdfd86870a4abff

SHA256
48251296eb219a8ff53325e63a84b3db4f3558bef5e4fa875cdd131003a3984b

SHA512
66f6407d204ecd72c5e34d235f5c64d2cf7f4a9a86bccc0669196c77519cb19b1ab39a829b16a59e1ccc58bbdc936b3c8a19294653e2ac8fcf1fff428ebf3fbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
ace9abdcb648b890ce5a99c5eabfdbb3

SHA1
a4a268f6b29b3891fc434c9c8ff02adf46d4b034

SHA256
349034a88c641c9f06ecd3d8ddd2fa36b4f06040651921fa92b715f0b6141d7c

SHA512
f6f904ab363603f198ac810afbbdfbab2c4bff8519a77a9e26e40b8cb0bf67dda27f2958b362079c9af68d6eff0a8385047793c2af7fea343a1aea3e76f0c661

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
a791d689797ab5ad7a2046daee2b7d30

SHA1
0bb99d8435f7749457629a9b454e73ea4bf1cfb8

SHA256
5fabf87f8a9b4e2396e97ed96680b970f249ac8e95ffb5d6cc483f02e35cb12e

SHA512
4a8dda8ef60abd0fe4ebda2ca13d629b4f4c4365bf3da1c5f592a2b59a1f2af7edceb916fd2391de1b8e013f10809815845a712587e884229d8f0b1a6826a301

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
5081fc2cc35a284d797cd4c2152e6f2e

SHA1
f433b49facdcf9cf7ae95fdd27b85cd557fde864

SHA256
d0514331971c3191424c9e12e2a7a7e767d26ac69692a82124c7c2df920c09a0

SHA512
0ba115dd183513258412432039ff915730e94626634554d763d9b89d04abec5a7cd6cae289e9325d2ba818752ce38bf5324c280bfc098d15e49abdba7b21129c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
00e39b2bd4ffd8c8380d68b2cdef2745

SHA1
70897626ebf58d1910b7f1f88ade42695747db9e

SHA256
96fdf46fc44270962c4fc1454b179915b61dc31acba2d76b386fa350389c290a

SHA512
d5d85de6d2e1639c8035a94889cd0a37bd16494b6c7bb9473f395bc67f53ae99ce57a88a5fa8a476641b7509cba122ef7209163573c21f7952489c267bea1abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ffbe87a626288fca08267233ab7d15c0

SHA1
3c704149c2a0fc864d020eca4477945c4dbe2a14

SHA256
eac603bfbfab45bb1479d6c512b58ac6ef0ad5a8b7b4ce9d9b34a0a95d7c278a

SHA512
dbcaa149a71ca4eea84a850cd08ca07fc93c5611de97cad5e89ef3297b2d44ed2f53eb5eb041ad0037af08cf4760bce9b5383e0bf8016b1eeb3395c8a48fd1d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a965698abdc2e7d888bedf08ea7675fc

SHA1
bf97330a5aaf16b0f136de64465fffbb73364193

SHA256
562bab5e9f9f49bf6c303428b759bd198bdbc725678a532692ce003c67840720

SHA512
d093bf8a610af5bd728fbe674ca08c86d9786475f181bbdcf098e823868d271b42e6af01392ec897dd65331e104169d56bd7ea147ada18dc5b5e84b597c7a504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9a77d09bbf8361e5fc1e2fbf94e46823

SHA1
b9d873c6890fdef6f1d3eb7f74334f160c799cfc

SHA256
ce486c8db0c98e3217ba1b7f000d6c49fbea0e68b804e99a45e1947139425ee5

SHA512
33741245e8f06de39de68a2579d377902c92b5924b57562730df69c1de5a48fb5190aec19c29d99b4077ec01bea5ccce351cd3244a067a6f7bfb28442d51d799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
32586ab08712f9880e294c7a767f7e04

SHA1
7203b5a91322d9ab73212c57476068f63cbb3dba

SHA256
c024e039c2d31db9cc33f1a673a0ea34de924eabe6d2971572431fa3eee2240b

SHA512
c05ebd333d1e459dbb11914bc8345591531b390734e549f39f54af6cd3d88d98195b712eef95f6c45f50568c524f57fe75e2ae478cb5c77e94dae2ba7b449653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c5287583b5d89905e5e6ea507cd3e6a7

SHA1
66c82e7f2bb7b31550d2009b199d8bf6820021e5

SHA256
646515cff2ce72cc6b411c3f34b794258cc6bc42ce66325b9357b9ac21edeb0b

SHA512
41c661d78f3a276ed70f343978d2cb4740e64e47f50e539ab10376f9dd8160b72187a595b6f4bf74b3670226d9cdf30362d1a0a247614244d183a527c55b1951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
30f4365c0748a88c97594cc546121832

SHA1
9a2223abbf646cb864b8ab62b8ff164bbbdac8a9

SHA256
b4f8f0deb4b36578b9e49837528c0138fb4f40e0a3281630f665c006677f433d

SHA512
ebd89e5c833f00de92aee834cf63013e8ca8631eaee6eb03df65dc0338df6801cf344a5818f96aaeab7188cab11307619e8e7a246f75781b15efe4b3ef613ac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9f8b3a451cbb5eba7102eeeffcb777c5

SHA1
5023f45ff6a5b02296c41f065c697fa21bd924ac

SHA256
20bc85618fab25230ebe2e3fb7e6a3140e6e00dac071386d94292ce4591cc1b4

SHA512
642c10e8a0f08dc2ac7f015d6b42cebac56a25a37ffaa6ff1cf5f06be41ec9cb631585e17b2ea34e5da644823913fa026f177fc5500393bf659496311ea0453c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58ab4e.TMP

Filesize
538B

MD5
fa267554890f2e47f80355cebaccaae0

SHA1
6a264f12df32760520b36320865c7c554664d879

SHA256
76841f600b27e5368f3a9d2d5b3cebb619cb2f3441b76f117d5fff1b02945f32

SHA512
e688594bf9210dd84270e0150c16678a9cdda05b40abf02c0ec73b71742f13d4f40df86406a9a1464201f2ddf7e8a714a64d0336e20559437ae59a50fd7a9bde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d4ab50d5246f2ddf7f6fb08b10e734f2

SHA1
46fa23384c859c622f36ab7b2c3dfa701b3e242c

SHA256
bddcde079a3b26c2e4661e24a964915fb58c78e61c04d4e231ebcd4d87c9a3fa

SHA512
9d04ef08bf3d496aeac982461b1474104596524e0f8711c573f3a684d468470f7527fa85f0c1d9250c7755230f2c66ec0bd9783b911ca3c7f3fc5af9c253a901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8705a2fce78a633be9effff1ca0901bc

SHA1
9610505c9670579a1d498fc3abbbd4302897292c

SHA256
ee2a8740a2d21de83cf8be5470630f0467b658cdcdbf96a6928042e5977956b2

SHA512
a0cd86a9500c08c4b407fb9e6362ccc67003a548678c4588c1eb0ac917518549ee10a3fa305eab926cc17fdf11bc0be337655e74e45f250d869562a37f944e37

Download Submit
\??\pipe\LOCAL\crashpad_4624_VWIATXPANUWKLQUY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit