rhadamanthys | hxxps://onclickscan[.]trustifi[.]com/api/o/v1/scan/link/fff5a2/32041f/3bc40d/ec3cbf/5f1343/10c663/a5979e/94ea1c/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d5d97f/c435d2/d19cff/bfae51/7041cd/90daf1/a14a50/f10c17/6bd0e8/f28010/4f8d78/32dbf1/99b6a6/c4409d/df2101/8d1e64/9f343b/7a0113/a93555/337b16/390a2d/363b4b/ffd857/8ebee8/06f0e6/3027c1/967a0e/e5d64c/bc8dbc/3f56c1/992728/930173/7b2b97/5d435e/fd50f8/c17328/efcb35/6b4f94/dc1782/44fefc/e08595/565c83/53ad7e/8fa15e/c76d6f/fe774f/5e2b2a/facf53/038569/105c43/03ced9/d4eb24/2954b1/b0ebba/76f911/188165/a0df10/2520ba/8e5fc8/da997b/03440f/f4a246/49bf33/a1b5f4/e69e1c/8c74f3/2b5fa2/e24888/8befcb/1b77d8/5ab7a7/7ca169/a49ec0/4f2614/436903/594f88/a010d5/56444f/131d38/435ee1/f6017f/0c8f83/af5d66/6539c8/ba35a5/614e2a/202065/1e442b/1ce752/4b5c66/5d01b5/1f0417/621884/535815/2f3b79/5248e1/a0638a/78ce8d/25e80f/a68193

Analysis

max time kernel
258s
max time network
260s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://onclickscan.trustifi.com/api/o/v1/scan/link/fff5a2/32041f/3bc40d/ec3cbf/5f1343/10c663/a5979e/94ea1c/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d5d97f/c435d2/d19cff/bfae51/7041cd/90daf1/a14a50/f10c17/6bd0e8/f28010/4f8d78/32dbf1/99b6a6/c4409d/df2101/8d1e64/9f343b/7a0113/a93555/337b16/390a2d/363b4b/ffd857/8ebee8/06f0e6/3027c1/967a0e/e5d64c/bc8dbc/3f56c1/992728/930173/7b2b97/5d435e/fd50f8/c17328/efcb35/6b4f94/dc1782/44fefc/e08595/565c83/53ad7e/8fa15e/c76d6f/fe774f/5e2b2a/facf53/038569/105c43/03ced9/d4eb24/2954b1/b0ebba/76f911/188165/a0df10/2520ba/8e5fc8/da997b/03440f/f4a246/49bf33/a1b5f4/e69e1c/8c74f3/2b5fa2/e24888/8befcb/1b77d8/5ab7a7/7ca169/a49ec0/4f2614/436903/594f88/a010d5/56444f/131d38/435ee1/f6017f/0c8f83/af5d66/6539c8/ba35a5/614e2a/202065/1e442b/1ce752/4b5c66/5d01b5/1f0417/621884/535815/2f3b79/5248e1/a0638a/78ce8d/25e80f/a68193

Score

10^/10

rhadamanthys discovery persistence stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 5264 created 1044	5264	视频和图片资料被盗版 - Music Plus.exe	51
PID 5744 created 1044	5744	视频和图片资料被盗版 - Music Plus.exe	51
PID 2864 created 1044	2864	视频和图片资料被盗版 - Music Plus.exe	51

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\FirefoxData.dll,EntryPoint"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\FirefoxData.dll,EntryPoint"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\FirefoxData.dll,EntryPoint"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 3 IoCs

pid	Process
5140	视频和图片资料被盗版 - Music Plus.exe
1452	视频和图片资料被盗版 - Music Plus.exe
1180	视频和图片资料被盗版 - Music Plus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 6 IoCs

pid	pid_target	Process	procid_target
5612	5264	WerFault.exe	125
5636	5264	WerFault.exe	125
4932	5744	WerFault.exe	136
5976	5744	WerFault.exe	136
5760	2864	WerFault.exe	157
5884	2864	WerFault.exe	157

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	视频和图片资料被盗版 - Music Plus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	视频和图片资料被盗版 - Music Plus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	视频和图片资料被盗版 - Music Plus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	视频和图片资料被盗版 - Music Plus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	视频和图片资料被盗版 - Music Plus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	视频和图片资料被盗版 - Music Plus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2748	msedge.exe
2748	msedge.exe
3852	msedge.exe
3852	msedge.exe
212	identity_helper.exe
212	identity_helper.exe
5524	msedge.exe
5524	msedge.exe
5264	视频和图片资料被盗版 - Music Plus.exe
5264	视频和图片资料被盗版 - Music Plus.exe
5512	openwith.exe
5512	openwith.exe
5512	openwith.exe
5512	openwith.exe
5744	视频和图片资料被盗版 - Music Plus.exe
5744	视频和图片资料被盗版 - Music Plus.exe
5316	openwith.exe
5316	openwith.exe
5316	openwith.exe
5316	openwith.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
2864	视频和图片资料被盗版 - Music Plus.exe
2864	视频和图片资料被盗版 - Music Plus.exe
4436	openwith.exe
4436	openwith.exe
4436	openwith.exe
4436	openwith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1776	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
1776	OpenWith.exe
5268	AcroRd32.exe
5268	AcroRd32.exe
5268	AcroRd32.exe
5268	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 1236	3852	msedge.exe	84
PID 3852 wrote to memory of 1236	3852	msedge.exe	84
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 2748	3852	msedge.exe	86
PID 3852 wrote to memory of 2748	3852	msedge.exe	86
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87
PID 3852 wrote to memory of 932	3852	msedge.exe	87

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1044
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5512
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5316
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onclickscan.trustifi.com/api/o/v1/scan/link/fff5a2/32041f/3bc40d/ec3cbf/5f1343/10c663/a5979e/94ea1c/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d5d97f/c435d2/d19cff/bfae51/7041cd/90daf1/a14a50/f10c17/6bd0e8/f28010/4f8d78/32dbf1/99b6a6/c4409d/df2101/8d1e64/9f343b/7a0113/a93555/337b16/390a2d/363b4b/ffd857/8ebee8/06f0e6/3027c1/967a0e/e5d64c/bc8dbc/3f56c1/992728/930173/7b2b97/5d435e/fd50f8/c17328/efcb35/6b4f94/dc1782/44fefc/e08595/565c83/53ad7e/8fa15e/c76d6f/fe774f/5e2b2a/facf53/038569/105c43/03ced9/d4eb24/2954b1/b0ebba/76f911/188165/a0df10/2520ba/8e5fc8/da997b/03440f/f4a246/49bf33/a1b5f4/e69e1c/8c74f3/2b5fa2/e24888/8befcb/1b77d8/5ab7a7/7ca169/a49ec0/4f2614/436903/594f88/a010d5/56444f/131d38/435ee1/f6017f/0c8f83/af5d66/6539c8/ba35a5/614e2a/202065/1e442b/1ce752/4b5c66/5d01b5/1f0417/621884/535815/2f3b79/5248e1/a0638a/78ce8d/25e80f/a68193
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e53846f8,0x7ff8e5384708,0x7ff8e5384718
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3584 /prefetch:8
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5526217165381371661,14726938402955909637,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3988 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5896

C:\Users\Admin\Downloads\视频和图片资料被盗版 - Music Plus\视频和图片资料被盗版 - Music Plus.exe
"C:\Users\Admin\Downloads\视频和图片资料被盗版 - Music Plus\视频和图片资料被盗版 - Music Plus.exe"
1⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5140
- C:\Users\Admin\Downloads\视频和图片资料被盗版 - Music Plus\视频和图片资料被盗版 - Music Plus.exe
  "C:\Users\Admin\Downloads\视频和图片资料被盗版 - Music Plus\视频和图片资料被盗版 - Music Plus.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 460
    3⤵
    - Program crash
    PID:5612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 456
    3⤵
    - Program crash
    PID:5636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3320
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3280

C:\Users\Admin\Downloads\视频和图片资料被盗版 - Music Plus\视频和图片资料被盗版 - Music Plus.exe
"C:\Users\Admin\Downloads\视频和图片资料被盗版 - Music Plus\视频和图片资料被盗版 - Music Plus.exe"
1⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1452
- C:\Users\Admin\Downloads\视频和图片资料被盗版 - Music Plus\视频和图片资料被盗版 - Music Plus.exe
  "C:\Users\Admin\Downloads\视频和图片资料被盗版 - Music Plus\视频和图片资料被盗版 - Music Plus.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 432
    3⤵
    - Program crash
    PID:4932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 428
    3⤵
    - Program crash
    PID:5976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5784
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5264 -ip 5264
1⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5264 -ip 5264
1⤵
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5744 -ip 5744
1⤵
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5744 -ip 5744
1⤵
PID:5964

C:\Users\Admin\Downloads\视频和图片资料被盗版 - Music Plus\视频和图片资料被盗版 - Music Plus.exe
"C:\Users\Admin\Downloads\视频和图片资料被盗版 - Music Plus\视频和图片资料被盗版 - Music Plus.exe"
1⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1180
- C:\Users\Admin\Downloads\视频和图片资料被盗版 - Music Plus\视频和图片资料被盗版 - Music Plus.exe
  "C:\Users\Admin\Downloads\视频和图片资料被盗版 - Music Plus\视频和图片资料被盗版 - Music Plus.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 432
    3⤵
    - Program crash
    PID:5760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 428
    3⤵
    - Program crash
    PID:5884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5668
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\FirefoxData.dll",EntryPoint /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2864 -ip 2864
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2864 -ip 2864
1⤵
PID:5788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1776
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\视频和图片资料被盗版 - Music Plus\SensApi.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5268
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4136
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=558A6BC19A7A5EA9005C8575C3A83C69 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1744
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D4DE8D11785474C1AB68DA9BC14E89C7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D4DE8D11785474C1AB68DA9BC14E89C7 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3236
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2DBC11FE1276D8355EADA7D240E8A68E --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5144
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8838BDAE84D367D6CF7632B8DDAEC7F8 --mojo-platform-channel-handle=1960 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1580
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1CFE121B3276F2021660C6B35B4E61D6 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaaad45aced1889a90a8aa4c39f92659

SHA1
5c0130d9e8d1a64c97924090d9a5258b8a31b83c

SHA256
5e3237f26b6047f64459cd5d3a6bc3563e2642b98d75b97011c93e0a9bd26f3b

SHA512
0db1c6bdb51f4e6ba5ef4dc12fc73886e599ab28f1eec5d943110bc3d856401ca31c05baa9026dd441b69f3de92307eb77d93f089ba6e2b84eea6e93982620e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3ee50fb26a9d3f096c47ff8696c24321

SHA1
a8c83e798d2a8b31fec0820560525e80dfa4fe66

SHA256
d80ec29cb17280af0c7522b30a80ffa19d1e786c0b09accfe3234b967d23eb6f

SHA512
479c0d2b76850aa79b58f9e0a8ba5773bd8909d915b98c2e9dc3a95c0ac18d7741b2ee571df695c0305598d89651c7aef2ff7c2fedb8b6a6aa30057ecfc872c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
13d6f92937d07b9667abe901c9a85cc4

SHA1
9934a0d78ec0d5594127f0fea86f3e2a737aabaf

SHA256
3dd5aa91342638a5bbda0cd8d99d9def770c33ebb5a4e7b527f69d771fba8088

SHA512
22310642dfe52e7abcd8f2e19ddaeed54714c3c2e7248526b5f6500a3853d0539067118a0f225fc980363722b01047783d46e3a75001453dd9ea5af909077667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
609B

MD5
861fffd78576fe806867ab650fd7ab66

SHA1
30571919c2520fb51ee4afb44f732433284df823

SHA256
a36ff28692cc25b38633a3744ff7df1d33dd294c85d9824a9b2653ef4a8f2265

SHA512
e240c08429d977568575dfb39b24272e68b1700f9a5d5da820943ca64c0576e155c0bb22bd9abcee0de34283c19f51af77220d768a9c0a6c8cd1284318cec047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
52e4572b2db25b632348bcb45c03cffb

SHA1
b846f48912e4b60365025dea843aee55bd838d8f

SHA256
89eeb8473de9782b3d4798db422e6a3ae4496d66b02f4594a66cfa4ada7eb78d

SHA512
e1b40bde9aa2ea8abdac88ef83298ef6f22653e0c2c24c18792dba6f15bfc1cd1bd3038846fd59ef639f27a0071d44c3f9bc2b72bfee0b13c6067f95013aee1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f092431479ad540c2bc71d6a5ccde0f0

SHA1
dc07c6b5f126ccd6507412df4fd93943cf6fefa6

SHA256
761202448c44afad48cfd08548b5af58182f0a616997cea5917339ff600e32e6

SHA512
714ec1efe28e0657ff6672299bee4e33ac2e142e964adf2c6736b16330286ee6f9b6ece9e4949e2d21d513a33b7d6a40ad749681398e9d5503dc0f01748a9f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
737615d94b1a536915363a9f0800dd01

SHA1
90e5fe128592503870b60b5d188b43dfeadffa30

SHA256
ac114bcfe3803b7583fde72cc99ec1db831e886fc3b3e857f4e19eca2267e61f

SHA512
3b46a23be00c918226577bda455cdd686c8f44faafe9bfcac5d27c9a7869d78963e635c2e3510bc4dac0d98c3f94523fe07c0858d5ae66ff9d07b0884d9d25da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a1a863e4d5ccdf9bb5c5bc777936e17a

SHA1
2937bcc06b9013ab4a529fb3046feea5b014a9a5

SHA256
f1dc2bb5d7d476d96f62998b9443da9c77ca9229f93e0b080a49f056b9fb1aa9

SHA512
e28c7a31862faa682dc2d65a27acbf7937f745f4f44802cbebe3fc390c021f59309964e237443da3cd7e4426b22f53349d1e025d8ecaba2969c11ead7c26f58f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2b792041f0c7d8e83c24e446af09ca23

SHA1
e8602f6e71cbe419c76648da334638b00eb24596

SHA256
9be509a6267bc4d326b8858db2f0dee82363866d3d53c63f59f6a9187e5380d4

SHA512
4678a31a44b589103f7491f5f5742db60cc3ac2a35e17614265fad3fc77dac0d46a7e30fd523e4b7ae5dd159a04abe8c27b908f9c07c378928b2768e4dc46cbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
73d2a05e8c6a122688ade8e178c5daaf

SHA1
18b37f96c501328f9e8d5ddeb777d7599e040f33

SHA256
a7cb2a313fd14d47f60d5fac105480f3379921a20863845873d871ff9d1dd0ad

SHA512
b5d1bbcca50a3cf10afd0e911ba449fe563e4502065a1bb698c2234b645ed12e7fca594fd4cbf48713d7bfe38f239de44f29291fe76ec558d4e2fb3e1f8d0903

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fccf.TMP

Filesize
203B

MD5
df64d6b4e228e02790a1da89314b5804

SHA1
024ef1892e1d0e8f505d390315237f3cf8a6a3d7

SHA256
d4ef381f3da443cd14b5562fd18e2235a7e755fee66e7bd4c7182be670373c8c

SHA512
2d4fae780316bb6d04a51ee6cf65b1e0b01fa6e6e7dac95f897bbcdec6149af37381123c008c8a411b8674050687b0764bb5e999b86fc94732d02b4475341ea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ab80a45b991096a1efd88d6781b76050

SHA1
406139ba705eac2030614cf2f40ad2ef5c2ff6e3

SHA256
6c26301351768c4c7810048c821e84708d07ea6b436229982d475a77a60a2a3c

SHA512
29b36b1a1faf133243a97cce6462a317064e9598b8b6222ac25c90541e26a6465d5267c0fd2c0d5203d73aab80c1feba524fa305d2d7882cf00ab34a71991583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9cd78dd9f25e690820f68c944ce3f85b

SHA1
3e9d60604ee69d7b308be79b438fdcaf20f3f4ab

SHA256
9f04fd40402191e5b4792c068406b6456922589a8392c3c615fc5354b309d43e

SHA512
fa9c65324b359e8ebea0384cb5046b7442bc0b3d7233050c00d113b761e7193258e999f5dc4dbf392c20e43afb073021537ab5112d1ad572aea32799f2763e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
afc26c8846b58947ae6e9a5c9532bec0

SHA1
b2d56fd5621f4ec5e6a8adc0e22297b237e52723

SHA256
00be5d9d653d47b8434b80a85a859aee23dad18d1822473be757c9bc915dacdf

SHA512
46dbb95b17fbe7d66080fe8af21cf8b2bcd19f201bc000f0cf1114e8c1ad65f76837a9525440fdba2958ce755ecb428edea8ec1e29bcdab6fc262cde85b3b29e

Download Submit
C:\Users\Admin\Documents\FirefoxData.dll

Filesize
892.3MB

MD5
6c26e507e44fb48d76cceb89dc4e4144

SHA1
3fe573488c511be63547b7b700334bc569912b83

SHA256
68815681a6c74325656a8dbda6674a27ec26626a4d2691a2977a1fbd02446b76

SHA512
a52ab132b68b5df6bd6f227740656bbdff0e76bad92bcdd14821b3482fee9652092d9de680f58ad643610859539c53102b27b6bcf6f26eda79cd567a712747bb

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 855060.crdownload

Filesize
1.4MB

MD5
f1b00142524ba8a4ddc691388a5020fb

SHA1
eaabba82a1c6689eb07ff4629daed8bc153fe42d

SHA256
4b33219c5cadb4d741044874f6f0184d45f43891d28ad5b489716d4da21310fd

SHA512
97ef7b89461a18a09adb5de37605e385c7bb5a2143f6df5b413747f78517fe032632adac51ddbe35b6904a7a306eabc1bfe67474a2cdf16e633c73b0bd0e9570

Download Submit
memory/1180-234-0x0000000061510000-0x00000000616F9000-memory.dmp

Filesize
1.9MB

Download
memory/1180-231-0x0000000061510000-0x00000000616F9000-memory.dmp

Filesize
1.9MB

Download
memory/1452-203-0x0000000061510000-0x00000000616F9000-memory.dmp

Filesize
1.9MB

Download
memory/1452-200-0x0000000061510000-0x00000000616F9000-memory.dmp

Filesize
1.9MB

Download
memory/2864-238-0x00000000040E0000-0x00000000044E0000-memory.dmp

Filesize
4.0MB

Download
memory/2864-239-0x00007FF8F4C10000-0x00007FF8F4E05000-memory.dmp

Filesize
2.0MB

Download
memory/2864-241-0x00000000765E0000-0x00000000767F5000-memory.dmp

Filesize
2.1MB

Download
memory/2864-235-0x0000000000F50000-0x0000000000FCE000-memory.dmp

Filesize
504KB

Download
memory/4436-245-0x00007FF8F4C10000-0x00007FF8F4E05000-memory.dmp

Filesize
2.0MB

Download
memory/4436-247-0x00000000765E0000-0x00000000767F5000-memory.dmp

Filesize
2.1MB

Download
memory/4436-244-0x0000000002AE0000-0x0000000002EE0000-memory.dmp

Filesize
4.0MB

Download
memory/5140-159-0x0000000061510000-0x00000000616F9000-memory.dmp

Filesize
1.9MB

Download
memory/5140-156-0x0000000061510000-0x00000000616F9000-memory.dmp

Filesize
1.9MB

Download
memory/5264-192-0x00000000765E0000-0x00000000767F5000-memory.dmp

Filesize
2.1MB

Download
memory/5264-189-0x0000000003B30000-0x0000000003F30000-memory.dmp

Filesize
4.0MB

Download
memory/5264-190-0x00007FF8F4C10000-0x00007FF8F4E05000-memory.dmp

Filesize
2.0MB

Download
memory/5264-188-0x0000000003B30000-0x0000000003F30000-memory.dmp

Filesize
4.0MB

Download
memory/5264-160-0x0000000000D60000-0x0000000000DDE000-memory.dmp

Filesize
504KB

Download
memory/5264-157-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/5316-216-0x00000000765E0000-0x00000000767F5000-memory.dmp

Filesize
2.1MB

Download
memory/5316-214-0x00007FF8F4C10000-0x00007FF8F4E05000-memory.dmp

Filesize
2.0MB

Download
memory/5316-213-0x0000000002050000-0x0000000002450000-memory.dmp

Filesize
4.0MB

Download
memory/5512-196-0x00007FF8F4C10000-0x00007FF8F4E05000-memory.dmp

Filesize
2.0MB

Download
memory/5512-198-0x00000000765E0000-0x00000000767F5000-memory.dmp

Filesize
2.1MB

Download
memory/5512-195-0x0000000002050000-0x0000000002450000-memory.dmp

Filesize
4.0MB

Download
memory/5512-193-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5744-208-0x00007FF8F4C10000-0x00007FF8F4E05000-memory.dmp

Filesize
2.0MB

Download
memory/5744-210-0x00000000765E0000-0x00000000767F5000-memory.dmp

Filesize
2.1MB

Download
memory/5744-207-0x00000000038F0000-0x0000000003CF0000-memory.dmp

Filesize
4.0MB

Download
memory/5744-204-0x0000000000AC0000-0x0000000000B3E000-memory.dmp

Filesize
504KB

Download
memory/5744-201-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download