Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    59s
  • max time network
    60s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/11/2024, 19:06

General

  • Target

    https://drive.google.com/file/d/14B4oJ9II5rDyYUSUa1-M1dZBuJsuRCcJ/view?usp=sharing

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/14B4oJ9II5rDyYUSUa1-M1dZBuJsuRCcJ/view?usp=sharing
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3600
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe485646f8,0x7ffe48564708,0x7ffe48564718
      2⤵
        PID:5000
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        2⤵
          PID:116
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3632
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
          2⤵
            PID:4496
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
            2⤵
              PID:5040
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
              2⤵
                PID:2052
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
                2⤵
                  PID:4004
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
                  2⤵
                    PID:1492
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:5020
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
                    2⤵
                      PID:4448
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
                      2⤵
                        PID:3208
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
                        2⤵
                          PID:3120
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
                          2⤵
                            PID:3680
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
                            2⤵
                              PID:4476
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5632 /prefetch:8
                              2⤵
                                PID:5224
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
                                2⤵
                                  PID:5232
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:5380
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:3120
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:3076
                                  • C:\Windows\System32\rundll32.exe
                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    1⤵
                                      PID:5580
                                    • C:\Windows\system32\OpenWith.exe
                                      C:\Windows\system32\OpenWith.exe -Embedding
                                      1⤵
                                      • Modifies registry class
                                      • Suspicious behavior: GetForegroundWindowSpam
                                      • Suspicious use of SetWindowsHookEx
                                      PID:5664
                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\TeddyLauncherV2.apk"
                                        2⤵
                                          PID:5816
                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\TeddyLauncherV2.apk
                                            3⤵
                                            • Checks processor information in registry
                                            • Modifies registry class
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of FindShellTrayWindow
                                            • Suspicious use of SendNotifyMessage
                                            • Suspicious use of SetWindowsHookEx
                                            PID:5888
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d45a7510-d7f0-4107-8521-6bc71c5abc74} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" gpu
                                              4⤵
                                                PID:6076
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3617248e-5393-451a-af94-6cf8c969061a} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" socket
                                                4⤵
                                                  PID:2516
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2740 -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 3276 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bf75fe8-0285-4b1d-a093-1713e1adb17b} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" tab
                                                  4⤵
                                                    PID:5140
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c947b93-d75d-4c33-a6d3-a42d146287e8} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" tab
                                                    4⤵
                                                      PID:4412
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4348 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4516 -prefMapHandle 4512 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57c039c4-f4e0-4a8d-b367-a329feb7d854} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" utility
                                                      4⤵
                                                      • Checks processor information in registry
                                                      PID:6632
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -childID 3 -isForBrowser -prefsHandle 5328 -prefMapHandle 5324 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26769c6a-2641-435c-8608-e6977dfeab68} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" tab
                                                      4⤵
                                                        PID:6964
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 4 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b5ccc02-1739-4f4e-95eb-d851fc90e1a4} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" tab
                                                        4⤵
                                                          PID:6988
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5832 -prefMapHandle 5828 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {087e4d55-12ce-4536-86d3-f9beb165f838} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" tab
                                                          4⤵
                                                            PID:7044
                                                    • C:\Windows\system32\OpenWith.exe
                                                      C:\Windows\system32\OpenWith.exe -Embedding
                                                      1⤵
                                                      • Modifies registry class
                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:6584
                                                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\TeddyLauncherV2(1).apk"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Checks processor information in registry
                                                        • Modifies Internet Explorer settings
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:6728
                                                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                                          3⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:6828
                                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C1BD159A798FE82264F9A8FAF52A5BCF --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                            4⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4360
                                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=740C35C1BB11EC96AACB1EC5A5F18BA1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=740C35C1BB11EC96AACB1EC5A5F18BA1 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
                                                            4⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:6928
                                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5AEDB5B261443B719B86A727CAFFDA0 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                            4⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:5440
                                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=62DEF300AF6D6FCC04BF57A725CC9AA6 --mojo-platform-channel-handle=1920 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                            4⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:6164
                                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8FF6447CFC3D3174F70198D65C72FAFE --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                            4⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:6288
                                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A9B77D3A570EC19130E48E62E4C5F8BD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A9B77D3A570EC19130E48E62E4C5F8BD --renderer-client-id=8 --mojo-platform-channel-handle=2484 --allow-no-sandbox-job /prefetch:1
                                                            4⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:6492
                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                      1⤵
                                                        PID:5876

                                                      Network

                                                      MITRE ATT&CK Enterprise v15

                                                      Replay Monitor

                                                      Loading Replay Monitor...

                                                      Downloads

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                        Filesize

                                                        152B

                                                        MD5

                                                        0a9dc42e4013fc47438e96d24beb8eff

                                                        SHA1

                                                        806ab26d7eae031a58484188a7eb1adab06457fc

                                                        SHA256

                                                        58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

                                                        SHA512

                                                        868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                        Filesize

                                                        152B

                                                        MD5

                                                        61cef8e38cd95bf003f5fdd1dc37dae1

                                                        SHA1

                                                        11f2f79ecb349344c143eea9a0fed41891a3467f

                                                        SHA256

                                                        ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

                                                        SHA512

                                                        6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                        Filesize

                                                        456B

                                                        MD5

                                                        4fe6a538ac769dfd67bbdb5b19e11b3a

                                                        SHA1

                                                        0c953362077d842893522da361d04311074a5497

                                                        SHA256

                                                        ba5f421321807b874d5b148175af957743080a21c13bfdc84a98b9536e5966fd

                                                        SHA512

                                                        689dd709a0ec9deb696cad3130f2a4eda08f483eb0b2f97ce89e774a3e392acf25b98d3f3f5d4a2a713a487092e920a66e676637989e44b0d47322aecd2f7c16

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                        Filesize

                                                        5KB

                                                        MD5

                                                        df3ea6c9a35a5b48856049cad61ab3c8

                                                        SHA1

                                                        6bb9c13d12f8187c4a06e1a8e58de62a28fd016f

                                                        SHA256

                                                        06f6eca4b832931f59a5671f7e39988297c1286ecddb4bc188eeddaeb51bbf8d

                                                        SHA512

                                                        081a1d5cc046e0527f3ecb99d899f7c378d4c5f6e363572a165ee03428e39cf9f2c08214250280a1239b5179a0e8416c8e33dc58b22667de9510d0cf7b4c8c4a

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                        Filesize

                                                        6KB

                                                        MD5

                                                        8429b063169eb1f8f954ca58687b8145

                                                        SHA1

                                                        20720840a0af307f5fdd00956096397bca5b93c4

                                                        SHA256

                                                        01b9cdd9ae3f720082be8f221f8a61568eb67195138dbc19b0287e5c5566daea

                                                        SHA512

                                                        e15f6e7a7f8b9cd9725af08811f15e92b5e68f3909c934c7bb695de10965c6d9919167342bd7ee22762e873a66b38990d77bdc606c48e11abc8a6a1b0a60042b

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                        Filesize

                                                        6KB

                                                        MD5

                                                        2ba15faf433ed93dbaa8c6f21d02ef2c

                                                        SHA1

                                                        81ead80a2495fd7c22b8d61be42e81a5db541890

                                                        SHA256

                                                        2e9a28a3442338b2f0563437774151bdd472cac071e6429d6d6e319fbad963a0

                                                        SHA512

                                                        7492461c0c70c321c2a24a362a80530c4f76c08fc4956c463fd71c24db90752698ed0c1696cb768bf9802197d4060c9cab781665299b051d89e8fabd10490c0c

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                        Filesize

                                                        16B

                                                        MD5

                                                        6752a1d65b201c13b62ea44016eb221f

                                                        SHA1

                                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                        SHA256

                                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                        SHA512

                                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                        Filesize

                                                        10KB

                                                        MD5

                                                        8bab7a6037e529ceef384676d2e24db2

                                                        SHA1

                                                        49d17272dde653135348143ba6612c1b40256459

                                                        SHA256

                                                        5878dd7f95a0a7a4b89d2f5b1c46b4d193d20bb6c2ce24de1dcd8e4438e0a4f9

                                                        SHA512

                                                        2af376f76d189269ea5c6fdc33f6ffe14698c2de65d1e0266f84c6993edfbed4788e1533bde9455dec9ae287aef354361b90c474905a29755d31429b77a50905

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                        Filesize

                                                        10KB

                                                        MD5

                                                        c687ce39cc3d68c38fca6e9799d974ab

                                                        SHA1

                                                        b414185d5706126e43ee7770ec2ff17e6141d38d

                                                        SHA256

                                                        4818f487369297bd35b3d9a0b8f1cbfb10cf51b39026c650741d084053e64533

                                                        SHA512

                                                        691776c68bb932b8984734888494d1a0803bba21ef0cda8e027e30df87e18dd28c9fe64e03b63d59785c3a9871457caeef6f58eebee02164faed1825870bbd0d

                                                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json

                                                        Filesize

                                                        19KB

                                                        MD5

                                                        a7ec731c5ab612d5e35367909dc9e3a9

                                                        SHA1

                                                        ef587357128a59b533524007293d877e898a9f81

                                                        SHA256

                                                        9e7075e1a6b7ab45daafff28d2f67de2e2f6e77712c73f9a109c480b0f221746

                                                        SHA512

                                                        ec01ede2b052069d98fdf3001e0fe8f4b2404730a2e14b2bf5b1e68f71ec5fb3bf4d68844a3f05bae3045bc71cae8cffb6086464ed31df519ad4ee6be2987689

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

                                                        Filesize

                                                        6KB

                                                        MD5

                                                        c2252bd94edb619bbb2d2976a997ec06

                                                        SHA1

                                                        6cab5f2de45e8f6cdb8b6a2d1edde7b591909b9e

                                                        SHA256

                                                        b849150ead0e9bebf8823a3c348ef262bfce00db7bc2c5682d6c8e9536d85618

                                                        SHA512

                                                        c49f428264c1dd8978dfe088d6df177263652024e6461b0efb0b97d6c87ecc656f25e16150da6ed93f32c302e916c7fe2e0979c562da19487484780a549f5e9f

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

                                                        Filesize

                                                        5KB

                                                        MD5

                                                        5a466027b1f27ec0e555b1a067331374

                                                        SHA1

                                                        cd3540e63b268f3e229aeec017ac846f4f548e6d

                                                        SHA256

                                                        60137ffea55469c0229c2daf15a8478e5e8ac99f64506e308fc7a37b16303bb0

                                                        SHA512

                                                        c1af27af84f7af0444e8641ca63716c381bc5c295a462549086d994e3c624b74c93b3ea3882cd2ad7c52ec9cdc421e547087c6937540fd60db3294a4999bbc04

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

                                                        Filesize

                                                        6KB

                                                        MD5

                                                        30bf9d3ca374b1d667d3f5cf7dbe631f

                                                        SHA1

                                                        ff73fefcfa62f4dd2d25d994088d2bfa45a96be5

                                                        SHA256

                                                        e82d262ebde82228f5d29aaa3c1cf15abefa50a9999c108f5c4fa13599c16ec7

                                                        SHA512

                                                        46f669f446b28247809b1e99ab23139d178dfb07dd41b6a0526ddc68ec4848fa8d2e9f217c61e3143256dcb38c6c4756de70aa99a837b8c0037294b05b085a77

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\44a9125d-2919-4c2c-af90-bce30fa0fa01

                                                        Filesize

                                                        982B

                                                        MD5

                                                        5ec81998b3115cbef41a2c1f91f67737

                                                        SHA1

                                                        077aeb1cfd146a68c3e47af38379cc5f95e6c0d5

                                                        SHA256

                                                        a00824af09b3b0a4a1b5881bb1c7bef8708c422f19f82ecbbf43d162504e6cdb

                                                        SHA512

                                                        1caf8b8597d84a41359f7c418795479c2e7070f0a536d82c493f3555fcba18951832ecc15637dbfe93b909e678d3b4e3d4e3481763261520401c36e5aa13288c

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\6d84058b-ec77-487b-bebb-8010829c43b1

                                                        Filesize

                                                        671B

                                                        MD5

                                                        a733abf57d16bf7347fa67a50a1327e3

                                                        SHA1

                                                        6a0e4ff84d53f6b58fa8f486fdc672dbe923cef9

                                                        SHA256

                                                        7d33f43385e665a7473f3e0b946213b017a9689b1349344d6cdc9be44447ea56

                                                        SHA512

                                                        e0334fba27591fe80a1b1041438896ca4ac1e9f1262eca466ae5c0b5e380c265451e8013310259c08edbaa2ecf913593be02678c8bc093171d96e0ede5b48cc9

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\da076455-e16a-4e5b-af22-1b1517d509fa

                                                        Filesize

                                                        23KB

                                                        MD5

                                                        b9d8aef7d1cbba953af24130c78263db

                                                        SHA1

                                                        16f14d98b704cded33c9a72c97dd31b9b52268f8

                                                        SHA256

                                                        4ee32148c7fa1df949c35edd2b8fdb645394971c8c58160660cd7fd8365723a3

                                                        SHA512

                                                        678fbca3553ed55aed0a7d35dea3279a154c28ae23146ee0eeb6c64201b732e8a7e560f6d1a0f0521be19df5e8a4e3da81c675523c5649f6f81846c4d6e77dd4

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

                                                        Filesize

                                                        10KB

                                                        MD5

                                                        88d7ecd83acbf1375df373b193ec3226

                                                        SHA1

                                                        4cf636c3e2e1cbaf3151f00e502d5d0438166958

                                                        SHA256

                                                        25f4bd9da9b3d840a7c036b01047baf476620469aa8753274756e64d52dcfb7a

                                                        SHA512

                                                        ef5e9cdcd232f48de368775c638b9e01c36b5dc5ab44c868c88ebe4d3bd224e063db420df4d6b179c760e710b8bafd14390846b53b01fece5b193285d3f2511e

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

                                                        Filesize

                                                        10KB

                                                        MD5

                                                        7b33696a0d10dcc0fcd87995e3f5085d

                                                        SHA1

                                                        dc0f0a6b082dbb609cfe09771d022aedcabf52b4

                                                        SHA256

                                                        fb2993819e2f1fc71255bf872bf78ded8d78929f9c12bdc3cad30f4c071da335

                                                        SHA512

                                                        4e6d5f46044c32bd7e85c26bbe0ca02fcf56c19b5840e58e92c90b01d4699ffa266b515f769245e6b03ae60df16797d26767cdfeff1a475650e46f8a101d1a95