a5d180d842683fe1ec28f21b5bc674e26911b2bdb101463bcd821d2f2c9935c3

Resubmissions

01/09/2023, 05:51

230901-gkbdnacg6t 5

01/09/2023, 05:47

230901-ghbawacg5y 5

Analysis

max time kernel
142s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SHIP DATE Aug 29 2023.msg
Size

64KB
MD5

7bf98f0a5f9f5ed23adfb55e05c63e0a
SHA1

a0b9e77350c064a3c84caf19ae244cce660bc1f4
SHA256

d93460264759ad750506d4d660c489a18be534ad6e3b5ae613043d503927578c
SHA512

ec495c0004e5939b3e073041237df596a3e78c0fbff630788e91dd3ef7411ee41ece4cb961f34572169c399b613d86b72628fb28153d64df0314ae948719b61c
SSDEEP

1536:aunkB9hJ6RWPKnhKHcvdE46Q2MOYMmSb+pKmU5OLiz:aunkB7J6RdKD46QdgmS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2220	OpenWith.exe
4396	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4384	firefox.exe
Token: SeDebugPrivilege	4384	firefox.exe
Token: SeDebugPrivilege	4384	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4384	firefox.exe
4384	firefox.exe
4384	firefox.exe
4384	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4384	firefox.exe
4384	firefox.exe
4384	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
2220	OpenWith.exe
4384	firefox.exe
4384	firefox.exe
4384	firefox.exe
4384	firefox.exe
4396	OpenWith.exe
4396	OpenWith.exe
4396	OpenWith.exe
4396	OpenWith.exe
4396	OpenWith.exe
4396	OpenWith.exe
4396	OpenWith.exe
4396	OpenWith.exe
4396	OpenWith.exe
4396	OpenWith.exe
4396	OpenWith.exe
4396	OpenWith.exe
4396	OpenWith.exe
4396	OpenWith.exe
4396	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 4424	2220	OpenWith.exe	86
PID 2220 wrote to memory of 4424	2220	OpenWith.exe	86
PID 4424 wrote to memory of 4384	4424	firefox.exe	88
PID 4424 wrote to memory of 4384	4424	firefox.exe	88
PID 4424 wrote to memory of 4384	4424	firefox.exe	88
PID 4424 wrote to memory of 4384	4424	firefox.exe	88
PID 4424 wrote to memory of 4384	4424	firefox.exe	88
PID 4424 wrote to memory of 4384	4424	firefox.exe	88
PID 4424 wrote to memory of 4384	4424	firefox.exe	88
PID 4424 wrote to memory of 4384	4424	firefox.exe	88
PID 4424 wrote to memory of 4384	4424	firefox.exe	88
PID 4424 wrote to memory of 4384	4424	firefox.exe	88
PID 4424 wrote to memory of 4384	4424	firefox.exe	88
PID 4384 wrote to memory of 2708	4384	firefox.exe	89
PID 4384 wrote to memory of 2708	4384	firefox.exe	89
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 4140	4384	firefox.exe	90
PID 4384 wrote to memory of 2140	4384	firefox.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\SHIP DATE Aug 29 2023.msg"
1⤵
- Modifies registry class
PID:3764

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\SHIP DATE Aug 29 2023.msg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\SHIP DATE Aug 29 2023.msg"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.0.139598161\497482389" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7a3fb9a-6052-4368-9ee5-765460b06b8d} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 2004 1c5ca2d8758 gpu
      4⤵
      PID:2708
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.1.1175723132\1090359839" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faa73fc5-ec94-4522-aace-abe63e2bfd64} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 2396 1c5ca1fa858 socket
      4⤵
      PID:4140
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.2.1512988436\1628873747" -childID 1 -isForBrowser -prefsHandle 2780 -prefMapHandle 2980 -prefsLen 21792 -prefMapSize 232675 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d2a9c68-0c86-4b64-bacd-bcf556ef76f2} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 2948 1c5ce4ecb58 tab
      4⤵
      PID:2140
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.3.1851484849\1773076375" -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3588 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff4e91c5-e045-4e51-a9e3-a51c3e7028a3} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 3604 1c5bda62558 tab
      4⤵
      PID:2180
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.4.1420976475\1625967992" -childID 3 -isForBrowser -prefsHandle 5108 -prefMapHandle 5148 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f42f8480-eaba-430b-bec1-53af25f5798e} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 5116 1c5d07a7d58 tab
      4⤵
      PID:3600
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.5.1302120353\1086905691" -childID 4 -isForBrowser -prefsHandle 5284 -prefMapHandle 5288 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87067dfa-6ec3-44ac-ba41-1c1e40593056} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 5276 1c5d0a9c258 tab
      4⤵
      PID:3752
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.6.802043524\1310237868" -childID 5 -isForBrowser -prefsHandle 5468 -prefMapHandle 5472 -prefsLen 26671 -prefMapSize 232675 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa17547e-3af3-4c95-9278-74c9f09c9c1e} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 5116 1c5d0284358 tab
      4⤵
      PID:1432

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Users\Admin\AppData\Local\Temp\SHIP DATE Aug 29 2023.msg"
1⤵
PID:4424
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" "C:\Users\Admin\AppData\Local\Temp\SHIP DATE Aug 29 2023.msg"
  2⤵
  - Checks processor information in registry
  PID:1704

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4396
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\SHIP DATE Aug 29 2023.msg"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  PID:4412
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:1144
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F9533E4CB86D3FB063F1E6DCD5D035E9 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3052
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0A59CE96FB0D0A0660DAF298DE45C216 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0A59CE96FB0D0A0660DAF298DE45C216 --renderer-client-id=2 --mojo-platform-channel-handle=1692 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:972
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B0934927DF1C9CAE0D8208F3A4A52FE8 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4592
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=320A6CEF6960AF55ED28B955E120834D --mojo-platform-channel-handle=1952 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1644
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3075C8B2F72043B3AEB029D8D8457411 --mojo-platform-channel-handle=2420 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p2pa85fv.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
bccf931ce9de4533f2d8789aeb549bae

SHA1
7869d67924c739cb783630e583ebe4f219b03ea7

SHA256
4a290225bca0dea382902c2013ef68afe7adb9127f282ae6356b09c9793877fc

SHA512
7d4b5fb94aa6d87c820c2da9f179f4cc8cbd241aa550d6e0e58c52ec1664c5c091240bff46f49d01c2a27e64f8317f0d13080cc707e2622164b9778f7e45eaef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p2pa85fv.default-release\prefs-1.js

Filesize
7KB

MD5
6829dfaa00fb982716986b4dc0390cbc

SHA1
2a6a837b3911b54f601d85afc83df237e1210c96

SHA256
69c15e7177b3a90c45f8c7f6207d36aecf513196dcac5bdaab54e81a8e4ce3bc

SHA512
129f92f4d123a10eaf0e86baf8570e47377b8b0bd94e89793a6ce1d6c19595099e76b8a4b876e8fc30a43782b8e47bd2d436add802db9f744b258fc71fdff920

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p2pa85fv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
91ba4c4ad7692c72913fbafab467ef80

SHA1
fc79910c622c01bc29c2891cd59d00ee537d8060

SHA256
837f9f16ba987673de86831aec2794b99ca7b051db381296b42a8435fb893f91

SHA512
a326fffe2127d31a96ee5682c1d2f0c549b9a3cfa591d32bfcf92f0b9274c09cb464b158fb07d7917f446b8cbfc3e3308283692d262348407fc05d8c8d40260f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p2pa85fv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
994B

MD5
3108bbd4bd3a4bc156b31793ee6538ff

SHA1
7a05a446e27de5352bd20cb8a2877c8837f72696

SHA256
9a42dfd270475ba16fbc3ab60e09f361be1c4740bfc6e7567fbb240c4c2fb8ac

SHA512
26fae6f890340344fa42fa87780a227a82ef9c665d72133e66e91907590d0e6fedd7e24c40799f5d26a5d9788f610d6328c65853d29d7935a096eeb5c4c7d8f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p2pa85fv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
54566e34fea805fdaeb20b510afaa41f

SHA1
d13e2468885a6c3256a2c3408cac6ce10bbe3fd1

SHA256
eb3fc1b90054f26c277f763705d42b84c9c65b9d53b848868db766c12ba5fd5f

SHA512
7fea66bbd1f90902039ff39104cfdcfca137a1091c0e23d33465a70fcea448d99e2149c191eaf198a048d20d42bf4dc92c3374c906927efef820ce35f1964dbb

Download Submit
C:\Users\Admin\Downloads\QSk5MibP.msg.part

Filesize
64KB

MD5
7bf98f0a5f9f5ed23adfb55e05c63e0a

SHA1
a0b9e77350c064a3c84caf19ae244cce660bc1f4

SHA256
d93460264759ad750506d4d660c489a18be534ad6e3b5ae613043d503927578c

SHA512
ec495c0004e5939b3e073041237df596a3e78c0fbff630788e91dd3ef7411ee41ece4cb961f34572169c399b613d86b72628fb28153d64df0314ae948719b61c

Download Submit
C:\Users\Admin\Downloads\SHIP DATE Aug 29 2023.msg

Filesize
64KB

MD5
7bf98f0a5f9f5ed23adfb55e05c63e0a

SHA1
a0b9e77350c064a3c84caf19ae244cce660bc1f4

SHA256
d93460264759ad750506d4d660c489a18be534ad6e3b5ae613043d503927578c

SHA512
ec495c0004e5939b3e073041237df596a3e78c0fbff630788e91dd3ef7411ee41ece4cb961f34572169c399b613d86b72628fb28153d64df0314ae948719b61c

Download Submit