Analysis
max time kernel: 140s
max time network: 144s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 23/02/2024, 16:35
Static task: static1
Behavioral task: behavioral1
Sample: .gamingroot
Resource: win11-20240221-en
General
Target: .gamingroot
Size: 28B
MD5: 4e2042aabd9ff2d19007754d03b09229
SHA1: a8bb3f9491ee357df22e000cb2b380def473a8cb
SHA256: 44358c2aef7d41aa55758d909041c9b1a3ae050c44466dadada33bdffdda34aa
SHA512: 0d24fe92daf9396a52ac22e309af94e4f8cdf73d5807fa199e1ccd774d61fd24ba79fbf89fbfa6cd3d1a24bd17615e0fdfdd0cdc32fa92a303b2eff09a7be511
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 18 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Winword.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Winword.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Winword.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | Winword.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | Winword.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | Winword.exe

Modifies Internet Explorer settings (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe

Modifies registry class (7 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings | OpenWith.exe
Suspicious behavior: AddClipboardFormatListener (3 IoCs)
pid | Process
2016 | Winword.exe
2016 | Winword.exe
3256 | vlc.exe

Suspicious behavior: GetForegroundWindowSpam (6 IoCs)
pid | Process
3416 | OpenWith.exe
1136 | OpenWith.exe
2348 | OpenWith.exe
3256 | OpenWith.exe
3916 | OpenWith.exe
3256 | vlc.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2644 | firefox.exe
Token: SeDebugPrivilege | 2644 | firefox.exe
Token: SeDebugPrivilege | 2644 | firefox.exe
Suspicious use of FindShellTrayWindow (29 IoCs)
pid | Process | entries
2644 | firefox.exe | 4
3256 | vlc.exe | 25

Suspicious use of SendNotifyMessage (27 IoCs)
pid | Process | entries
2644 | firefox.exe | 3
3256 | vlc.exe | 24

Suspicious use of SetWindowsHookEx (64 IoCs)
pid | Process | entries
3416 | OpenWith.exe | 33
2644 | firefox.exe | 4
1136 | OpenWith.exe | 17
2348 | OpenWith.exe | 10

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | entries
PID 3416 wrote to memory of 4696 | 3416 | OpenWith.exe | 80 | 2
PID 4696 wrote to memory of 2644 | 4696 | firefox.exe | 83 | 11
PID 2644 wrote to memory of 396 | 2644 | firefox.exe | 84 | 2
PID 2644 wrote to memory of 4108 | 2644 | firefox.exe | 85 | 48
PID 2644 wrote to memory of 2480 | 2644 | firefox.exe | 86 | 1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(each entry: image path, command line, PID, triggered signatures; child processes are indented under their parent)

C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\.gamingroot
    PID: 3624
    - Modifies registry class

C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    PID: 3416
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\.gamingroot"
        PID: 4696
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\.gamingroot
            PID: 2644
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2644.0.1541148521\510965009" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1796 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07231c92-4a8b-4bb6-b5c0-80a8e2d05f89} 2644 "\\.\pipe\gecko-crash-server-pipe.2644" 1904 20e92ef0758 gpu
                PID: 396

            C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2644.1.1708789991\1757511021" -parentBuildID 20221007134813 -prefsHandle 2272 -prefMapHandle 2260 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f05eab59-eed5-4503-822d-3f391700874a} 2644 "\\.\pipe\gecko-crash-server-pipe.2644" 2300 20e86e73258 socket
                PID: 4108
                - Checks processor information in registry

            C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2644.2.1404184586\1399422299" -childID 1 -isForBrowser -prefsHandle 3312 -prefMapHandle 3308 -prefsLen 21666 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3653d985-8355-40b9-ad53-5e7b69a27302} 2644 "\\.\pipe\gecko-crash-server-pipe.2644" 3320 20e98242958 tab
                PID: 2480

            C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2644.3.655111486\1708183946" -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8ca3c3e-eaa2-4618-a99c-734d40a382e4} 2644 "\\.\pipe\gecko-crash-server-pipe.2644" 3508 20e86e62058 tab
                PID: 1072

            C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2644.6.1533289182\526809906" -childID 5 -isForBrowser -prefsHandle 5392 -prefMapHandle 5396 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {093f448f-faa7-4ae0-9bc7-6f1565d0d602} 2644 "\\.\pipe\gecko-crash-server-pipe.2644" 5384 20e9ae41558 tab
                PID: 3476

            C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2644.5.1636821568\867916969" -childID 4 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef78440f-dfa8-4292-ab10-25bd48f40797} 2644 "\\.\pipe\gecko-crash-server-pipe.2644" 5192 20e9ae3ee58 tab
                PID: 2992

            C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2644.4.858068843\257495542" -childID 3 -isForBrowser -prefsHandle 5068 -prefMapHandle 4424 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cec87e02-82d8-4e2f-a715-bda1e4df5847} 2644 "\\.\pipe\gecko-crash-server-pipe.2644" 5048 20e9ae27658 tab
                PID: 4604

C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    PID: 1136
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

    C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\index.gamingroot"
        PID: 4556

        C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\index.gamingroot
            PID: 412
            - Checks processor information in registry

C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    PID: 2348
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\index.gamingroot"
        PID: 4872
        - Checks processor information in registry
        - Modifies Internet Explorer settings

        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
            PID: 2400

            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=94BC416DCE3FFED4BF57B6210259DB1B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=94BC416DCE3FFED4BF57B6210259DB1B --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
                PID: 3140

            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EC6614798D6383CC4FC7E481FC328B68 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                PID: 4232

            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=141042B0B3D8A0FE8F7C17D5BB141B5A --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                PID: 3844

            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5544636A9B2E419274B4736811F92637 --mojo-platform-channel-handle=2120 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                PID: 1336

            C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DBC01922B253CDFAF7CF916CF7B2DF73 --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                PID: 3316

C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 412

C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 4940

C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    PID: 3256
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam

    C:\Program Files\Microsoft Office\root\Office16\Winword.exe
        "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\index.gamingroot"
        PID: 2016
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener

C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    PID: 3916
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam

    C:\Program Files\VideoLAN\VLC\vlc.exe
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\index.gamingroot"
        PID: 3256
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

(no path listed)
Filesize: 231B
MD5: 9d15d23d21935aea0119457de3068bcc
SHA1: e4244c24f817f08e57dec7e4c016aadbfbedf843
SHA256: a2d2cb6c3fd2a7fc965c6abb0740ec8de38c4bf3b60c0c662be76fd71e9c35ce
SHA512: b24a918783b997b1ba966c221dee991bf0605baebc3f993a2cc5410fe65a322efdd58dabbcb5e57a39cf6c4e9cbce2c08bba16e954dfd1a93e3a5db0997d78b3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\datareporting\glean\db\data.safe.bin
Filesize: 2KB
MD5: 1784a5f8b8d618000c64e324f93ca9ff
SHA1: 48a6cd45ca66fbc3d7d1e54da879b3d6c46f113c
SHA256: b2aba28abca24d9442fec7723eb7f5771ae78d0b749a0d701fcdbe2d236d7c30
SHA512: 4ffb17369c8361099b77a267f5809994fc271c97b96ce01b6b1b4699c63a1137db3e8defbd3c6edd5a4429ee27cb1979853ea8337fd786840f981c5bfd01f1e5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\datareporting\glean\pending_pings\61f40651-2ec0-4ea4-830c-b04bd80ab4ae
Filesize: 11KB
MD5: 6564e6745eefa27b0c56cfad075f40c6
SHA1: 510844f6a92b5254bcb1b4f28614530119bfff67
SHA256: b88dce67327a624f124f423fcfdfcd0c146ddb482102f8568c4d9abcff75207d
SHA512: 87a1b51fee269119d4e05523f9e84f589a21323521613fd521c90334d750b2e76263410d24459935a410eff6440b587266a036d321a4dc06e9cc1966f578afb8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\datareporting\glean\pending_pings\9b99fc80-0a6b-495c-8761-cd3c30a63768
Filesize: 746B
MD5: 7170c8078dcd3bc701afcbdd231c3f71
SHA1: f13cfd797640d217389651a365111cd3f4fce8f0
SHA256: af233e592435402351bb01c10852aa03b9f15fd5d07f3cf7c848f08f717ea0e5
SHA512: 7d86b0ec5633908a0b3cf6bcf31841f582161d13aad259087080d683819597a9a52f10a12cb6a83055dcf5ca8bd208a3e7e4c15ed8d9ccab779ef826e2af4083

(no path listed)
Filesize: 6KB
MD5: 637567a6feed579a1e0fb76f5409c830
SHA1: 26a7c25b16b800a5f89fc2cd0cded221671b4f49
SHA256: a2ff945753ba25c10869f5440b2867f2613bb813f767d10a8f47709b42c49a5b
SHA512: 757214b96a4eb249b969804945b6c1f8c731b76bd1d2c21ce0223091cde74836a5390a07a3613fb9644b55b30b29ddb8fe5553c7edd4f9bc3dc218767c99ebbc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\sessionCheckpoints.json.tmp
Filesize: 259B
MD5: c8dc58eff0c029d381a67f5dca34a913
SHA1: 3576807e793473bcbd3cf7d664b83948e3ec8f2d
SHA256: 4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
SHA512: b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 1KB
MD5: 4529533fcb0bb824805827dd1903a2a4
SHA1: 8d8bba35bddf33b01bb9aacb3bc483083f246325
SHA256: c39d023dcdee77695d1734d265624d3fffa69d6309d238ea8b2f8dfcc9b3c317
SHA512: 58d136b2ce2231aecfa6088c946237644beb39557c9dc0f84d88c4ab00b699fdd6d9f11c23957c777f4b2cfe6729eaf5831a61d7a8fd60a2cfbf1cd5f0011a5b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 1KB
MD5: bcc42ff47e5e941fa0c7e2792f3e4792
SHA1: 320d8b9ea2bfc4c98be4c8f08970299ff14062b1
SHA256: 7ae2aa20c10564f8fa9d238e9827269ca39c4803855d77acaf663de94eeedb75
SHA512: 55ea525deff19e75d19a02c9c0370de47a42346150011244b0c8501f2ceb84dbcb90281067c503f9480eb23e2989bf7c10a75620d8733f59d452f32f752dec0d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ri34bmyn.default-release\sessionstore.jsonlz4
Filesize: 728B
MD5: 0638c8008bb80a0459723f52e1595d7c
SHA1: 5843bbd2477e9acd05bdba51ad9019ec60daee8e
SHA256: b30f573c65c7f35a2ef98ed7ae554773da7455cbc1d55ddbd48e06d5b13170aa
SHA512: 32f3ec0cc421cb5f4003dbdbd9b3328ed973001a609cb4351a1e7942dc49217f8b3ca30afc26139c648138cb28a13e0ae2e55913aaf6de2fd63a4fd6f550ed4f

(no path listed)
Filesize: 79B
MD5: d747c6cb8d4cda3fa6e90f853d17fbb4
SHA1: c79f91801cefb6e39a478456e0bdac96576ab8d4
SHA256: 47bf47c6533dbcb98484117975fb702b4fd9037f850b849b2df3012daa8c28ad
SHA512: b2785c5fb0677dd677ebd0f2ca81c40cc2e2798c100749b064763868ce48860a6877acc8a4391919752666d6acb0597ca761357c5a433ff1d2a6a1eac41c23ba

(no path listed)
Filesize: 18B
MD5: 03f039bb2dfd8a0ed44760130e10f9f6
SHA1: 956d86918c06912fe41c06735cfe3706f721ea96
SHA256: a1685834a0a99bd1d94eac822ab16fec9f2676098ad7b71423bc71d4bb7873c5
SHA512: 85fdbc7db2932a269998aa86b8e4ecb75e346a8414f118299417317ac49119ec3ac88212669141af02e1cc63a0e7bfef2473f3e50d170cddb08dcac8bb565abd

(no path listed)
Filesize: 28B
MD5: 4e2042aabd9ff2d19007754d03b09229
SHA1: a8bb3f9491ee357df22e000cb2b380def473a8cb
SHA256: 44358c2aef7d41aa55758d909041c9b1a3ae050c44466dadada33bdffdda34aa
SHA512: 0d24fe92daf9396a52ac22e309af94e4f8cdf73d5807fa199e1ccd774d61fd24ba79fbf89fbfa6cd3d1a24bd17615e0fdfdd0cdc32fa92a303b2eff09a7be511