Resubmissions
  09/09/2024, 12:40  240909-pwdxxs1akf  score 6
  09/09/2024, 12:32  240909-pqyedazfqb  score 6
  09/09/2024, 12:23  240909-pkwnlaxejk  score 6

Analysis
  max time kernel:   450s
  max time network:  451s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240802-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         09/09/2024, 12:32
  Static task:      static1
  URLScan task:     urlscan1
  Behavioral task:  behavioral1
  Sample:           https://drive.google.com/file/d/1e9SMmskNRhaEtr30qZorQai1PrFlKDMe/view?fbclid=PAAaZn66jQ8Bwt0pAeJxnf_vhG3pZTi1RuIXYWHQoV-zKh8rWX4HsxF0ylezU
  Resource:         win10v2004-20240802-en

General
  Target: https://drive.google.com/file/d/1e9SMmskNRhaEtr30qZorQai1PrFlKDMe/view?fbclid=PAAaZn66jQ8Bwt0pAeJxnf_vhG3pZTi1RuIXYWHQoV-zKh8rWX4HsxF0ylezU
Malware Config
Signatures

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow  ioc
  9     drive.google.com
  10    drive.google.com
  4     drive.google.com
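The three network flows above all go to drive.google.com, so the only pivotable indicator is the Drive file itself. The helper below is an added example for this report, not tria.ge code: it takes the report's target URL, extracts the Drive file ID, strips the fbclid parameter (a Facebook click identifier that is appended when a link is clicked on Facebook, and which tells you where the lure was distributed but is not part of the resource), and produces a clean and a defanged form for the indicator record. The uc?export=download form of the URL is an assumption of this example, not something the report shows.

```python
"""Normalise a Google Drive share link taken from a sandbox report.

Added example, not tria.ge code. The input URL is the report's target; the
TRACKING_PARAMS set and the uc?export=download form are this example's
assumptions (the latter is assumed to be honoured by Drive for files shared
with "anyone with the link"; verify before relying on it).
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that identify the distribution channel, not the resource.
TRACKING_PARAMS = {"fbclid", "gclid", "utm_source", "utm_medium", "utm_campaign"}
DRIVE_FILE_RE = re.compile(r"^/file/d/(?P<id>[A-Za-z0-9_-]+)(?:/|$)")


def normalise_drive_url(url):
    """Return file id, cleaned and defanged URLs, and any tracking parameters."""
    parts = urlsplit(url)
    if parts.hostname != "drive.google.com":
        raise ValueError(f"not a drive.google.com URL: {url}")
    m = DRIVE_FILE_RE.match(parts.path)
    if not m:
        raise ValueError(f"no /file/d/<id> path in {url}")
    file_id = m.group("id")
    params = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in params if k not in TRACKING_PARAMS]
    tracking = {k: v for k, v in params if k in TRACKING_PARAMS}
    # urlunsplit drops the "?" when the query is empty.
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    # Defang scheme and host only; the path carries the file id unchanged.
    defanged = "hxxps://drive[.]google[.]com" + parts.path
    return {
        "file_id": file_id,
        "clean_url": clean,
        "download_url": f"https://drive.google.com/uc?export=download&id={file_id}",
        "tracking": tracking,
        "defanged": defanged,
    }


# The report's target URL.
REPORT_URL = ("https://drive.google.com/file/d/1e9SMmskNRhaEtr30qZorQai1PrFlKDMe/view"
              "?fbclid=PAAaZn66jQ8Bwt0pAeJxnf_vhG3pZTi1RuIXYWHQoV-zKh8rWX4HsxF0ylezU")

if __name__ == "__main__":
    for key, value in normalise_drive_url(REPORT_URL).items():
        print(f"{key}: {value}")
```

Record the clean URL and file ID as the indicator; keep the fbclid value alongside it as context for the campaign rather than as an IoC, since every recipient who clicked the Facebook post carries a different one.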
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RdrCEF.exe (3 entries)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AcroRd32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RdrCEF.exe (3 entries)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                              Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       AcroRd32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

Modifies Internet Explorer settings (1 IoCs)
  description  ioc                                                                                                                                       Process
  Key created  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe
Modifies registry class (3 IoCs)
  description  ioc                                                                          Process
  Key created  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings  OpenWith.exe
  Key created  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings  msedge.exe
  Key created  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings  OpenWith.exe
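The registry signatures above are generic: NLS\Language, CentralProcessor and BIOS keys are read by a browser and a PDF reader on every launch, so the value of each hit depends entirely on which process made it. The script below is an added example for this report, not tria.ge code. It parses the IoC lines exactly as printed in the signature tables, attributes each to its process, and reports only hits from images outside an allowlist of expected readers. The ATT&CK ID for System Language Discovery is the technique the signature is named after; the T1082 mapping and the allowlist are assumptions of this example, as is the hypothetical "payload.exe" used in the constructed lines.

```python
"""Attribute registry-discovery IoCs to processes and separate noise from signal.

Added example, not code from tria.ge or the report. REPORT_IOCS is copied
from the report's signature tables; the technique IDs, EXPECTED_READERS and
CONSTRUCTED_IOCS are this example's assumptions.
"""
import re
from collections import Counter, defaultdict

# Registry-path patterns -> (sandbox signature name, ATT&CK technique).
DISCOVERY_RULES = [
    (re.compile(r"\\Control\\NLS\\Language$", re.I),
     ("System Language Discovery", "T1614.001")),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I),
     ("Checks processor information in registry", "T1082 (assumed)")),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", re.I),
     ("Enumerates system info in registry", "T1082 (assumed)")),
]

# Images for which these reads are ordinary start-up behaviour (assumption;
# tune to the environment being triaged).
EXPECTED_READERS = {"msedge.exe", "acrord32.exe", "rdrcef.exe"}

# "<action> <registry path> <process image>". The path may contain spaces
# ("Internet Explorer"), so it is matched lazily up to the final .exe token.
ENTRY_RE = re.compile(
    r"^(?P<action>Key opened|Key value queried|Key created)\s+"
    r"(?P<path>\\REGISTRY\\.+?)\s+(?P<process>\S+\.exe)$", re.I)


def parse_entry(line):
    """Split one IoC line into action, registry path and process image."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    return m.groupdict()


def classify(path):
    """Return the (signature, technique) a registry path falls under, or None."""
    for pattern, label in DISCOVERY_RULES:
        if pattern.search(path):
            return label
    return None


def triage(lines):
    """Count hits per signature and process; list hits from unexpected images."""
    hits = defaultdict(Counter)
    unexpected = []
    for line in lines:
        entry = parse_entry(line)
        label = classify(entry["path"])
        if label is None:
            continue  # e.g. the FEATURE_BROWSER_EMULATION write: not a discovery read
        hits[label][entry["process"]] += 1
        if entry["process"].lower() not in EXPECTED_READERS:
            unexpected.append((label[0], entry["process"], entry["path"]))
    return dict(hits), unexpected


# IoC lines copied from the report.
REPORT_IOCS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe",
    r"Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe",
]

# Constructed lines (not in the report): the same keys read by a hypothetical
# image that is not on the allowlist, which is what should surface for review.
CONSTRUCTED_IOCS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language payload.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz payload.exe",
]

if __name__ == "__main__":
    hits, flagged = triage(REPORT_IOCS + CONSTRUCTED_IOCS)
    for (sig, ttp), per_proc in hits.items():
        print(f"{sig} [{ttp}]: {dict(per_proc)}")
    for sig, proc, path in flagged:
        print(f"REVIEW: {proc} -> {sig} via {path}")
```

Run against the report's own lines the review list is empty: every discovery read here came from Edge or Acrobat Reader, which is consistent with the run never reaching a dropped executable.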
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  4692  msedge.exe (2 entries)
  3344  msedge.exe (2 entries)
  4428  identity_helper.exe (2 entries)
  2236  msedge.exe (4 entries)
  3984  msedge.exe (2 entries)
Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  pid   Process
  3644  OpenWith.exe
  512   7zG.exe
  3312  OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  pid   Process
  3344  msedge.exe (9 entries)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   3760  7zG.exe
  Token: 35                   3760  7zG.exe
  Token: SeSecurityPrivilege  3760  7zG.exe
  Token: SeSecurityPrivilege  3760  7zG.exe
  Token: SeRestorePrivilege   512   7zG.exe
  Token: 35                   512   7zG.exe
  Token: SeSecurityPrivilege  512   7zG.exe
  Token: SeSecurityPrivilege  512   7zG.exe
  Token: SeRestorePrivilege   4088  7zG.exe
  Token: 35                   4088  7zG.exe
  Token: SeSecurityPrivilege  4088  7zG.exe
  Token: SeSecurityPrivilege  4088  7zG.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process
  3344  msedge.exe (64 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  3344  msedge.exe (24 entries)
Suspicious use of SetWindowsHookEx (46 IoCs)
  pid   Process
  3644  OpenWith.exe (17 entries)
  4536  AcroRd32.exe (4 entries)
  3312  OpenWith.exe (25 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process     procid_target
  PID 3344 wrote to memory of 3840   3344  msedge.exe  83
  PID 3344 wrote to memory of 4828   3344  msedge.exe  84
  PID 3344 wrote to memory of 4692   3344  msedge.exe  85
  PID 3344 wrote to memory of 3500   3344  msedge.exe  86
  (64 entries in total, every one from the Edge browser process 3344 into one of these four direct children; the table above lists each source/target pair once)
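All 64 WriteProcessMemory entries have the Edge browser process as the source and one of its own freshly spawned children as the target, which is how a multi-process browser bootstraps a child and not an injection. The script below is an added example for this report, not tria.ge code: it judges each write against the process tree and keeps only writes whose target is not a same-image child of the writer. The tree and the four report writes are taken from the report; the writes marked constructed are not in the report and exist only to show the other verdicts. One caveat the report makes visible: PID 512 is an Edge renderer early in the run and 7zG.exe later, so any lookup keyed by PID alone needs event timing that the flattened report does not carry.

```python
"""Separate expected parent-to-child memory writes from cross-process injection.

Added example, not tria.ge code. REPORT_TREE and REPORT_WRITES come from the
report's process tree and WriteProcessMemory table; CONSTRUCTED_WRITES are
invented for illustration and do not appear in the report.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "ppid image")
Write = namedtuple("Write", "src dst")

# pid -> (parent pid, image). Subset of the report's tree: 3344 is the Edge
# browser process with 3840/4828/4692/3500 as direct children; 3644 is
# OpenWith.exe and 4536 the AcroRd32.exe it launched.
REPORT_TREE = {
    3344: Proc(None, "msedge.exe"),
    3840: Proc(3344, "msedge.exe"),
    4828: Proc(3344, "msedge.exe"),
    4692: Proc(3344, "msedge.exe"),
    3500: Proc(3344, "msedge.exe"),
    3644: Proc(None, "OpenWith.exe"),
    4536: Proc(3644, "AcroRd32.exe"),
}

# The report's WriteProcessMemory pairs (64 entries collapse to four).
REPORT_WRITES = [Write(3344, 3840), Write(3344, 4828),
                 Write(3344, 4692), Write(3344, 3500)]

# Constructed, not in the report.
CONSTRUCTED_WRITES = [
    Write(4536, 3344),  # PDF reader writing into the browser: not its child
    Write(3644, 4536),  # parent writing into a child of a different image
    Write(3344, 9999),  # target pid absent from the tree
]


def judge(write, tree):
    """Classify one write using only parent/child relations and image names."""
    src, dst = tree.get(write.src), tree.get(write.dst)
    if src is None or dst is None:
        return "unknown-process"
    if dst.ppid == write.src and dst.image.lower() == src.image.lower():
        return "expected"    # parent bootstrapping a child of its own image
    if dst.ppid == write.src:
        return "review"      # parent writing into a child with a different image
    return "injection"       # write into an unrelated process


def triage_writes(writes, tree):
    """Group (src, dst) pairs by verdict, dropping repeated entries."""
    verdicts = {}
    for w in dict.fromkeys(writes):  # keeps first-seen order, removes duplicates
        verdicts.setdefault(judge(w, tree), []).append((w.src, w.dst))
    return verdicts


if __name__ == "__main__":
    results = triage_writes(REPORT_WRITES + CONSTRUCTED_WRITES, REPORT_TREE)
    for verdict, pairs in results.items():
        print(verdict, pairs)
```

The "review" verdict is deliberately separate from "injection": a parent writing into a child it created is what a launcher or a loader does, and whether that is hostile depends on the images involved rather than on the API call.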
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3344
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1e9SMmskNRhaEtr30qZorQai1PrFlKDMe/view?fbclid=PAAaZn66jQ8Bwt0pAeJxnf_vhG3pZTi1RuIXYWHQoV-zKh8rWX4HsxF0ylezU
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3840
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84d6646f8,0x7ff84d664708,0x7ff84d664718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4828
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4692
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3500
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3404
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1584
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID:220
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID:4428
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:512
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1700
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3052
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3556
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3900
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1512
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4252
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2612 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4684
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2236
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6764 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3984
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,6374892116272251846,13932995408281452138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7000 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  PID:1248
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  PID:4060
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe  PID:4524
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe  PID:3760
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap11572:170:7zEvent31287
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\OpenWith.exe  PID:3644
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  PID:4536
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Adobe Photoshop CC 2019 v20.0.4.26077x64 Multilanguage.rar"
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  PID:3596
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - System Location Discovery: System Language Discovery

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  PID:2948
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4B01AE3074588643B79B8D8B7F48884B --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - System Location Discovery: System Language Discovery

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  PID:2716
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BBCA401E9D83D042CA6A629591F1E810 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BBCA401E9D83D042CA6A629591F1E810 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
        - System Location Discovery: System Language Discovery

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  PID:3804
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C35C12E69399573F383C5334A6D06BAC --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - System Location Discovery: System Language Discovery

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  PID:1044
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4EFB3BDD8A203506683C5538841D5B7A --mojo-platform-channel-handle=1940 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - System Location Discovery: System Language Discovery

      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  PID:3960
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0220C048BE9AD2C422B8D80C583C757A --mojo-platform-channel-handle=1964 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        - System Location Discovery: System Language Discovery

C:\Windows\System32\CompPkgSrv.exe  PID:3472
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\7-Zip\7zG.exe  PID:512
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap26503:170:7zEvent19025
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\OpenWith.exe  PID:3312
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx

C:\Program Files\7-Zip\7zG.exe  PID:4088
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Adobe Photoshop CC 2019 v20.0.4.26077x64 Multilanguage\" -spe -an -ai#7zMap21688:170:7zEvent22861
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize  152B
MD5       e4f80e7950cbd3bb11257d2000cb885e
SHA1      10ac643904d539042d8f7aa4a312b13ec2106035
SHA256    1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124
SHA512    2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Filesize  152B
MD5       2dc1a9f2f3f8c3cfe51bb29b078166c5
SHA1      eaf3c3dad3c8dc6f18dc3e055b415da78b704402
SHA256    dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa
SHA512    682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2cd1e519-22e5-47ab-b6cb-6351880a00a0.tmp
Filesize  7KB
MD5       e26d3aec65c9e817d89101261e1f0a24
SHA1      55cd2529a25475ad5f791e8f5d45f725f0144ecf
SHA256    acc7e2395aee4a5187b97cd1867efd38c12540afbdb9c20493c7363a1c1c3468
SHA512    4f3cdf126c67371ca514f457e5ca0ae9a7644a8441e903554b0fb820a75aff94bed910ce7d87692a3816b389fd29310b15022bbc4ab10476b3ac1df30be576b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize  384B
MD5       d8ed0a1e45517014b71196909c983d49
SHA1      59ddd46ceb6fcf80666315bfbd74a6f6655e4954
SHA256    1aaedd32b8c7cb39e83dc40e0e168fbe90daa06a12eefac3f29572fb1cd90709
SHA512    a1adc30c7fd4c311d69fa8e9a49fc39b5a9fe4d353616e90e7b75a71764b76e51a0ebb64835458e3f3df98932f42372fb1ce009cce2d86a802007944b2d46c0f

Filesize  3KB
MD5       026fa36fba4480f38a024b194c46ce22
SHA1      bb564809954bbb78b3a9a8a706c480f6f7241df1
SHA256    53ca700627df0bbdc4d1a75779d30d4ec888cafa14f56e382ac62e50b30930a0
SHA512    0cbfb8c1e7cbfdc929696a9ebc205f0e88548b7b680178106802b2bc2e92097239b5652ead116b3ced3404fe3443066713b9aebdef94023f06d16b218d6d305c

Filesize  3KB
MD5       494e648e1513edd5a499903721d7306c
SHA1      ad36e95ffaefdd8264d653d537d2f0f32f5883be
SHA256    70298ae0a13a54d90c71e0db9acbfe7013e26c16997a21aabef3db0e174909c2
SHA512    d6278113e0043647a5d5201806f06c1a9df154f9ab7337bd8fc1fd1f9cb6c8ae156729a25fa32c2f926d007667cdb70c381b352369244a374e04d7687f03cdfa

Filesize  3KB
MD5       20a8d0264ae140ab9c7cfb6e19dae8ad
SHA1      c157ef45e529607cba5d8a326d936467eded2d8c
SHA256    7d2c31a4639b0439d840ef2d982748e2f736a2fd76a600abaa412475766e384a
SHA512    3d30e2caa463a36099a58b225b59382767752a6f54874b39c74c413b658b86bce0d13215bf7c35ae413f7c118990aa93c34b86106c53b9489ef1b7cfb1246fab

Filesize  5KB
MD5       aabd35e163ad96bf591bdefa464b2287
SHA1      96072459358528a0573c6c3151e51e3bc7a8f08b
SHA256    f26fab972948183780e9024c6f0e6961553803d212376c1b6f531c7ed2649b84
SHA512    178eae0a9d51bed6a40f10bf7304849ce6479afbc978c09182b798a2f9b01127e16a2dd65f062e951c7f8c0b6e7670e02eb7c2cc6fb01658cfac07315efcf4a8

Filesize  6KB
MD5       66c0c1c7ce646640861285a8aa867c43
SHA1      32805e8b64557088d73b029f63259d03f544904d
SHA256    8faaeb9e5f3f3e3b95587343c5c221e3e4192ecb0908f11af5ed42095cab6102
SHA512    c51c5c5e3057591b2a9fdd1240e1aff808ea4adf36d2d0d36b49ff6a576cafaf74684ae6cbfb5dbbd0048654783a4f84d9cc775f55d2bbd6f426a69111f78dc7

Filesize  6KB
MD5       0f87fcd57040ce54bf9c767e76565a31
SHA1      2ac13808ea6815c1ad711cdfdac45bd7d022e18d
SHA256    c4b75a3f9bb29588342459aee91e6c8f2fa4664d0d042dd9247eb74f019d669b
SHA512    3f480c78d06fac4dec593907d1577446b6ad2d6e1c33c8af3f3a48b6c7cd3583326aaf124695d4746f7b2e055dc545bbec5d2d8d916b6b91c350595f2fdaaa76

Filesize  7KB
MD5       27f3c5f549d772d7e693b5e99d664b85
SHA1      ed78ddec51e08587df7362071a373067547628c7
SHA256    cb1abfeae2f44e5fde3eedb0c7612ebd92ef63f4f84e0d568e4c28862ac2bdef
SHA512    8dbd76b64edd60b2a96ea320265255ded87a99031e386a67b00a08247748457d33e702ea852b67b28a47e3da4f19e156e1f50dbfe6e5268684b04414857bc111

Filesize  16B
MD5       6752a1d65b201c13b62ea44016eb221f
SHA1      58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize  11KB
MD5       4274ebb429f5260572570db27244f798
SHA1      3ce26b9cc35d03576fe124f77c9303d8f2e84654
SHA256    9524faea05e2661a49ff32f4a84f997d0ae846946ab55e64ed665731489f0370
SHA512    81a9474fc08ee4a19285d0328adac9658c4f3b447661cb09f392207d80b801f908d1e013655d79f39fe8ca857159b9fa3bc461f6354506172aa6afbbe4811a30

Filesize  10KB
MD5       359d0487c86528f45723b1a04354770a
SHA1      b7b2da30b43dac90c8b6cf8ec4158363f5daf107
SHA256    88fda9529ca23e5b323c80067d648c92b21a427774df101ba7cea84f9a7fb61b
SHA512    89c640433fa8c22f6355f474028a7bdfdd8c1b2ec9bcf88af497f26406f35818d36501cc2a774871af6a2dbbd383cb7e66cb441c1cc35cc87482de2b37b548e6

Filesize  10KB
MD5       c63d0c6dffe2dbc1c2c38094fada88d6
SHA1      9c48e457b513d0e474acee21abce526ecb7f2319
SHA256    2d3a05d2e9375385a09a43e653625abb64af95b8250c8b77bed8c42560739d77
SHA512    1a0123669ed45aaeadf926df9c4ce6e93e1222b5861e10c73c6f42b186d0cb23e89a738832a039b0f3ad9252bce3397521770831307eb1de58cecf30b5f8e7b0