Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

09/09/2024, 12:40

240909-pwdxxs1akf 6

09/09/2024, 12:32

240909-pqyedazfqb 6

09/09/2024, 12:23

240909-pkwnlaxejk 6

Analysis

  • max time kernel
    450s
  • max time network
    451s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/09/2024, 12:32

General

  • Target

    https://drive.google.com/file/d/1e9SMmskNRhaEtr30qZorQai1PrFlKDMe/view?fbclid=PAAaZn66jQ8Bwt0pAeJxnf_vhG3pZTi1RuIXYWHQoV-zKh8rWX4HsxF0ylezU

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1e9SMmskNRhaEtr30qZorQai1PrFlKDMe/view?fbclid=PAAaZn66jQ8Bwt0pAeJxnf_vhG3pZTi1RuIXYWHQoV-zKh8rWX4HsxF0ylezU
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3344
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84d6646f8,0x7ff84d664708,0x7ff84d664718
      2⤵
        PID:3840
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
        2⤵
          PID:4828
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4692
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
          2⤵
            PID:3500
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
            2⤵
              PID:3404
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
              2⤵
                PID:1584
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
                2⤵
                  PID:220
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4428
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
                  2⤵
                    PID:512
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
                    2⤵
                      PID:1700
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
                      2⤵
                        PID:3052
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
                        2⤵
                          PID:3556
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
                          2⤵
                            PID:3900
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
                            2⤵
                              PID:1512
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2612 /prefetch:8
                              2⤵
                                PID:4252
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
                                2⤵
                                  PID:4684
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6764 /prefetch:2
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:2236
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7000 /prefetch:8
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:3984
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:1248
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:4060
                                  • C:\Windows\System32\rundll32.exe
                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    1⤵
                                      PID:4524
                                    • C:\Program Files\7-Zip\7zG.exe
                                      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap11572:170:7zEvent31287
                                      1⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3760
                                    • C:\Windows\system32\OpenWith.exe
                                      C:\Windows\system32\OpenWith.exe -Embedding
                                      1⤵
                                      • Modifies registry class
                                      • Suspicious behavior: GetForegroundWindowSpam
                                      • Suspicious use of SetWindowsHookEx
                                      PID:3644
                                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Adobe Photoshop CC 2019 v20.0.4.26077x64 Multilanguage.rar"
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        • Checks processor information in registry
                                        • Modifies Internet Explorer settings
                                        • Suspicious use of SetWindowsHookEx
                                        PID:4536
                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                          3⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:3596
                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4B01AE3074588643B79B8D8B7F48884B --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2948
                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BBCA401E9D83D042CA6A629591F1E810 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BBCA401E9D83D042CA6A629591F1E810 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2716
                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C35C12E69399573F383C5334A6D06BAC --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:3804
                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4EFB3BDD8A203506683C5538841D5B7A --mojo-platform-channel-handle=1940 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:1044
                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0220C048BE9AD2C422B8D80C583C757A --mojo-platform-channel-handle=1964 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:3960
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:3472
                                      • C:\Program Files\7-Zip\7zG.exe
                                        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap26503:170:7zEvent19025
                                        1⤵
                                        • Suspicious behavior: GetForegroundWindowSpam
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:512
                                      • C:\Windows\system32\OpenWith.exe
                                        C:\Windows\system32\OpenWith.exe -Embedding
                                        1⤵
                                        • Modifies registry class
                                        • Suspicious behavior: GetForegroundWindowSpam
                                        • Suspicious use of SetWindowsHookEx
                                        PID:3312
                                      • C:\Program Files\7-Zip\7zG.exe
                                        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Adobe Photoshop CC 2019 v20.0.4.26077x64 Multilanguage\" -spe -an -ai#7zMap21688:170:7zEvent22861
                                        1⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4088

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                        Filesize

                                        152B

                                        MD5

                                        e4f80e7950cbd3bb11257d2000cb885e

                                        SHA1

                                        10ac643904d539042d8f7aa4a312b13ec2106035

                                        SHA256

                                        1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

                                        SHA512

                                        2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                        Filesize

                                        152B

                                        MD5

                                        2dc1a9f2f3f8c3cfe51bb29b078166c5

                                        SHA1

                                        eaf3c3dad3c8dc6f18dc3e055b415da78b704402

                                        SHA256

                                        dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

                                        SHA512

                                        682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2cd1e519-22e5-47ab-b6cb-6351880a00a0.tmp

                                        Filesize

                                        7KB

                                        MD5

                                        e26d3aec65c9e817d89101261e1f0a24

                                        SHA1

                                        55cd2529a25475ad5f791e8f5d45f725f0144ecf

                                        SHA256

                                        acc7e2395aee4a5187b97cd1867efd38c12540afbdb9c20493c7363a1c1c3468

                                        SHA512

                                        4f3cdf126c67371ca514f457e5ca0ae9a7644a8441e903554b0fb820a75aff94bed910ce7d87692a3816b389fd29310b15022bbc4ab10476b3ac1df30be576b6

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                        Filesize

                                        384B

                                        MD5

                                        d8ed0a1e45517014b71196909c983d49

                                        SHA1

                                        59ddd46ceb6fcf80666315bfbd74a6f6655e4954

                                        SHA256

                                        1aaedd32b8c7cb39e83dc40e0e168fbe90daa06a12eefac3f29572fb1cd90709

                                        SHA512

                                        a1adc30c7fd4c311d69fa8e9a49fc39b5a9fe4d353616e90e7b75a71764b76e51a0ebb64835458e3f3df98932f42372fb1ce009cce2d86a802007944b2d46c0f

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                        Filesize

                                        3KB

                                        MD5

                                        026fa36fba4480f38a024b194c46ce22

                                        SHA1

                                        bb564809954bbb78b3a9a8a706c480f6f7241df1

                                        SHA256

                                        53ca700627df0bbdc4d1a75779d30d4ec888cafa14f56e382ac62e50b30930a0

                                        SHA512

                                        0cbfb8c1e7cbfdc929696a9ebc205f0e88548b7b680178106802b2bc2e92097239b5652ead116b3ced3404fe3443066713b9aebdef94023f06d16b218d6d305c

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                        Filesize

                                        3KB

                                        MD5

                                        494e648e1513edd5a499903721d7306c

                                        SHA1

                                        ad36e95ffaefdd8264d653d537d2f0f32f5883be

                                        SHA256

                                        70298ae0a13a54d90c71e0db9acbfe7013e26c16997a21aabef3db0e174909c2

                                        SHA512

                                        d6278113e0043647a5d5201806f06c1a9df154f9ab7337bd8fc1fd1f9cb6c8ae156729a25fa32c2f926d007667cdb70c381b352369244a374e04d7687f03cdfa

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                        Filesize

                                        3KB

                                        MD5

                                        20a8d0264ae140ab9c7cfb6e19dae8ad

                                        SHA1

                                        c157ef45e529607cba5d8a326d936467eded2d8c

                                        SHA256

                                        7d2c31a4639b0439d840ef2d982748e2f736a2fd76a600abaa412475766e384a

                                        SHA512

                                        3d30e2caa463a36099a58b225b59382767752a6f54874b39c74c413b658b86bce0d13215bf7c35ae413f7c118990aa93c34b86106c53b9489ef1b7cfb1246fab

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        5KB

                                        MD5

                                        aabd35e163ad96bf591bdefa464b2287

                                        SHA1

                                        96072459358528a0573c6c3151e51e3bc7a8f08b

                                        SHA256

                                        f26fab972948183780e9024c6f0e6961553803d212376c1b6f531c7ed2649b84

                                        SHA512

                                        178eae0a9d51bed6a40f10bf7304849ce6479afbc978c09182b798a2f9b01127e16a2dd65f062e951c7f8c0b6e7670e02eb7c2cc6fb01658cfac07315efcf4a8

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        6KB

                                        MD5

                                        66c0c1c7ce646640861285a8aa867c43

                                        SHA1

                                        32805e8b64557088d73b029f63259d03f544904d

                                        SHA256

                                        8faaeb9e5f3f3e3b95587343c5c221e3e4192ecb0908f11af5ed42095cab6102

                                        SHA512

                                        c51c5c5e3057591b2a9fdd1240e1aff808ea4adf36d2d0d36b49ff6a576cafaf74684ae6cbfb5dbbd0048654783a4f84d9cc775f55d2bbd6f426a69111f78dc7

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        6KB

                                        MD5

                                        0f87fcd57040ce54bf9c767e76565a31

                                        SHA1

                                        2ac13808ea6815c1ad711cdfdac45bd7d022e18d

                                        SHA256

                                        c4b75a3f9bb29588342459aee91e6c8f2fa4664d0d042dd9247eb74f019d669b

                                        SHA512

                                        3f480c78d06fac4dec593907d1577446b6ad2d6e1c33c8af3f3a48b6c7cd3583326aaf124695d4746f7b2e055dc545bbec5d2d8d916b6b91c350595f2fdaaa76

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        7KB

                                        MD5

                                        27f3c5f549d772d7e693b5e99d664b85

                                        SHA1

                                        ed78ddec51e08587df7362071a373067547628c7

                                        SHA256

                                        cb1abfeae2f44e5fde3eedb0c7612ebd92ef63f4f84e0d568e4c28862ac2bdef

                                        SHA512

                                        8dbd76b64edd60b2a96ea320265255ded87a99031e386a67b00a08247748457d33e702ea852b67b28a47e3da4f19e156e1f50dbfe6e5268684b04414857bc111

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                        Filesize

                                        16B

                                        MD5

                                        6752a1d65b201c13b62ea44016eb221f

                                        SHA1

                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                        SHA256

                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                        SHA512

                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        11KB

                                        MD5

                                        4274ebb429f5260572570db27244f798

                                        SHA1

                                        3ce26b9cc35d03576fe124f77c9303d8f2e84654

                                        SHA256

                                        9524faea05e2661a49ff32f4a84f997d0ae846946ab55e64ed665731489f0370

                                        SHA512

                                        81a9474fc08ee4a19285d0328adac9658c4f3b447661cb09f392207d80b801f908d1e013655d79f39fe8ca857159b9fa3bc461f6354506172aa6afbbe4811a30

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        10KB

                                        MD5

                                        359d0487c86528f45723b1a04354770a

                                        SHA1

                                        b7b2da30b43dac90c8b6cf8ec4158363f5daf107

                                        SHA256

                                        88fda9529ca23e5b323c80067d648c92b21a427774df101ba7cea84f9a7fb61b

                                        SHA512

                                        89c640433fa8c22f6355f474028a7bdfdd8c1b2ec9bcf88af497f26406f35818d36501cc2a774871af6a2dbbd383cb7e66cb441c1cc35cc87482de2b37b548e6

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        10KB

                                        MD5

                                        c63d0c6dffe2dbc1c2c38094fada88d6

                                        SHA1

                                        9c48e457b513d0e474acee21abce526ecb7f2319

                                        SHA256

                                        2d3a05d2e9375385a09a43e653625abb64af95b8250c8b77bed8c42560739d77

                                        SHA512

                                        1a0123669ed45aaeadf926df9c4ce6e93e1222b5861e10c73c6f42b186d0cb23e89a738832a039b0f3ad9252bce3397521770831307eb1de58cecf30b5f8e7b0