b25429ee581457c7a115d330f4d4c532c66e931f67673d13dc41137b69eaf0f3

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
08/03/2024, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aurora-store-3-0-5.apk
Size

6.0MB
MD5

65d38e5674eb75a374bebb5510023353
SHA1

2fd503963983bbe7733fa3a126859e432bb12315
SHA256

b25429ee581457c7a115d330f4d4c532c66e931f67673d13dc41137b69eaf0f3
SHA512

56e2b2074ba671cfd01971820be8966c6ea054d931a88f1b2d84a04d21b820fe4cf1d9f16db2986db289a09816a43aa11e0fb516df32cae035d749dad61b837c
SSDEEP

98304:GtX/tntibnv9OysGfVPr/TxYaBZwBq+F2F2wCtmZUWVoQilfxqP4REjMKwhydNYV:clntiDv97subGagBUwtmpDilfgPN9wkM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4764	OpenWith.exe
4840	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	firefox.exe
Token: SeDebugPrivilege	3024	firefox.exe
Token: SeDebugPrivilege	3024	firefox.exe
Token: SeDebugPrivilege	3024	firefox.exe
Token: SeDebugPrivilege	3024	firefox.exe
Token: SeDebugPrivilege	3024	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3024	firefox.exe
3024	firefox.exe
3024	firefox.exe
3024	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3024	firefox.exe
3024	firefox.exe
3024	firefox.exe

Suspicious use of SetWindowsHookEx 41 IoCs

pid	Process
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
4764	OpenWith.exe
3024	firefox.exe
3024	firefox.exe
3024	firefox.exe
3024	firefox.exe
4840	OpenWith.exe
4840	OpenWith.exe
4840	OpenWith.exe
4840	OpenWith.exe
4840	OpenWith.exe
4840	OpenWith.exe
4840	OpenWith.exe
4840	OpenWith.exe
4840	OpenWith.exe
4840	OpenWith.exe
4840	OpenWith.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe
1008	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 1552	4764	OpenWith.exe	84
PID 4764 wrote to memory of 1552	4764	OpenWith.exe	84
PID 1552 wrote to memory of 3024	1552	firefox.exe	87
PID 1552 wrote to memory of 3024	1552	firefox.exe	87
PID 1552 wrote to memory of 3024	1552	firefox.exe	87
PID 1552 wrote to memory of 3024	1552	firefox.exe	87
PID 1552 wrote to memory of 3024	1552	firefox.exe	87
PID 1552 wrote to memory of 3024	1552	firefox.exe	87
PID 1552 wrote to memory of 3024	1552	firefox.exe	87
PID 1552 wrote to memory of 3024	1552	firefox.exe	87
PID 1552 wrote to memory of 3024	1552	firefox.exe	87
PID 1552 wrote to memory of 3024	1552	firefox.exe	87
PID 1552 wrote to memory of 3024	1552	firefox.exe	87
PID 3024 wrote to memory of 4860	3024	firefox.exe	88
PID 3024 wrote to memory of 4860	3024	firefox.exe	88
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 4504	3024	firefox.exe	89
PID 3024 wrote to memory of 2248	3024	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\aurora-store-3-0-5.apk
1⤵
- Modifies registry class
PID:4936

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\aurora-store-3-0-5.apk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\aurora-store-3-0-5.apk
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3024.0.831439794\82000124" -parentBuildID 20221007134813 -prefsHandle 1780 -prefMapHandle 1772 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3021ba2-f0a2-491f-a4a6-96c7ef838fa8} 3024 "\\.\pipe\gecko-crash-server-pipe.3024" 1868 215f56fcf58 gpu
      4⤵
      PID:4860
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3024.1.372781667\1102440438" -parentBuildID 20221007134813 -prefsHandle 2256 -prefMapHandle 2252 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a0dd1f3-d2e2-4760-aa98-ba7e104dab84} 3024 "\\.\pipe\gecko-crash-server-pipe.3024" 2268 215f560c058 socket
      4⤵
      PID:4504
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3024.2.871854374\1279491802" -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3028 -prefsLen 21666 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b58076f5-3b3c-41bd-8891-ac7c75a3a816} 3024 "\\.\pipe\gecko-crash-server-pipe.3024" 2952 215faad6658 tab
      4⤵
      PID:2248
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3024.3.74181907\1059283097" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3480 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a229c79-d0e1-44a6-86d6-6d0874efc2d1} 3024 "\\.\pipe\gecko-crash-server-pipe.3024" 3244 215f8383c58 tab
      4⤵
      PID:680
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3024.4.1998707529\1620076703" -childID 3 -isForBrowser -prefsHandle 5104 -prefMapHandle 5112 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7ee4cc3-7c7a-482b-a7b5-aaf8ee94761a} 3024 "\\.\pipe\gecko-crash-server-pipe.3024" 5084 215fc7cac58 tab
      4⤵
      PID:3388
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3024.5.2016460919\316321538" -childID 4 -isForBrowser -prefsHandle 5232 -prefMapHandle 5236 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cab30f24-9f73-4052-96b0-132ad6555a5c} 3024 "\\.\pipe\gecko-crash-server-pipe.3024" 5224 215fd635758 tab
      4⤵
      PID:5028
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3024.6.2617448\1211513449" -childID 5 -isForBrowser -prefsHandle 5424 -prefMapHandle 5428 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e6f5225-da73-4270-8e12-f6b523d8a7d3} 3024 "\\.\pipe\gecko-crash-server-pipe.3024" 5416 215fd634e58 tab
      4⤵
      PID:4852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4840
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\aurora-store-3-0-5.apk"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1008
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:32
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F15782864453468660AD275A0C2B1A63 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2228
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C39E56385AFD95658BB8EB7F16907D88 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C39E56385AFD95658BB8EB7F16907D88 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:1000
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FA985D295B399B9F7D38F5363C07200A --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1156
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C48DA71BF2CEAF6FBD8E7A51F887541E --mojo-platform-channel-handle=1988 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4760
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0DAE4A76CF409EFBC5E0C7C240EE7951 --mojo-platform-channel-handle=2440 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
a230a277d95dff6e3db26c715f59e5e7

SHA1
d2ec0f3cb7b52ed756ed2f2850930bc5dd5553f2

SHA256
1aeb21fba6205567db0370fe7992cba8892eaaa9a1abf6c00e3aa8cf7f9439da

SHA512
e32b94296cfc957128bf28a06fc508e916c4c6ff211384cb86bad538bec9678d1b31419bffe9c714aeb8ca61f93a1362ed4907a5e9dba918c77963f2464960f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8ypl8oso.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245C

Filesize
13KB

MD5
a9a4a6c07e80a6c8bd1b16c2e6fff036

SHA1
f30aa4d4baafc9fa21784fd3be9827264f6cf93b

SHA256
1c8170fdd8f918f29672aa052e86a0bcfa959737780492e8801b316729e3a55e

SHA512
2da16248016131f3e59ce1e05e690eafa595e107f9088a47605e47ca5d7f340b6ecc6642eedce9899e77fcd208a11413392af700c2f8e6af5ef3805818c7e17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
df3267d82a12cc1221c5262c329fb8ef

SHA1
2d3e0bd2a2e38613242c55ed0bcc5ff648a32d10

SHA256
a22cab9cfebe9bf2c91f841d666638021afeb6733af87d5b4de5d81e709de45f

SHA512
335b2cef1331413cc971c0ff7c515fecc280cb468dfa9ceef2e3cb8cd69d94fca94d50bdaf807bb3da2822ae7448b6fc7d7cd1a5cb1740545a314c095680ad22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\datareporting\glean\pending_pings\2c87127b-e69c-48de-aeb3-3fd5f05c2538

Filesize
11KB

MD5
dddac347926bc07e2c502271ef078a79

SHA1
c9bf2d38e6e030fad9eaf2d1c2a74eaac7de59e0

SHA256
a76a3e45172eee34b19c3d07d7a7bc92d49dd67151a706c24932bedb2945abc6

SHA512
032148e9cb17b00ed24a6535d5cb993218ec2f0ec9289666b4ed6ec7a3bc6684e28c3ac3ffe8db821fc06de794aeb39b8f7ad6afdcee09d4bebd7244b73fac7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\datareporting\glean\pending_pings\5dc28556-65be-432d-999c-2c1525622687

Filesize
746B

MD5
ea87b603a47a79873c41c99a70d27a84

SHA1
3f68e5c2e5d8031cb0e7beca0106c79573e3f95f

SHA256
121b3b457f62885338701704971c174899fe9b7588efb50d6cb3cec8d3f19085

SHA512
22ddd948999676607acfdc69fc0e62b824ed263e6b465c0d208efc73bc384d7873a6a7df9508168cb08503fa4ced94cf167c4752fdb443e38323ba904b88fb3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\prefs-1.js

Filesize
6KB

MD5
d13cbbd9bb3f8409ddb9bfb63e0fdc59

SHA1
5430346a9dfb92f3f8774c2fd9ce5c54fafe7c48

SHA256
ca04f97bbad3bdd569f3d86f29725eaeb8a2e003527263c17f3483129a0487c1

SHA512
2651c027a8f28075eaca6979157701fd6cac7e7bb6da6d8cebdbbd314e06cf2cf6f29fabd0fbc73ba619ae7fd2dd429923910c07f006081f2a1f5ace98625c83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\prefs-1.js

Filesize
7KB

MD5
8c3d4a271db447ad31de2be5eefc11b8

SHA1
86d2c66fc6a94e944eab718401e86e5bb3c5bca9

SHA256
b18bc9a4dcfb2d1dcdb2325f8716d6dcd3088a7ab772f8f54ae4b0810aebf5a4

SHA512
9aebf449023f7431b5887f2cc429fb241a929a4f794421c7da09b8eb9a56bde647fe22160c1fa7af469237b85d58c4074e7a75b39a2d83bee006fe40b1ca4b3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
995B

MD5
cf6d563a28256e82608b848800000572

SHA1
e7ac77b7566b2be2156e36124b1c78ae70e8a328

SHA256
1a575c6ec05d320b2eced2d25a0325ba8146a3e47827d2f816061f49850ebe48

SHA512
439304ee35631e455c50f2b2091ab824f7569df9f4330162d41009a7400d258f0fb6d1e2e4f87c23d68352aae99af65e508640f6e574c46a7adee4a6ac504a7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.3MB

MD5
2ac52837d26b0b1d97e92a3b7180bfde

SHA1
a772fe72f07a0ff06184e407e859f216797fd98a

SHA256
9a02b79054443397e847fe5a966759d4ceed7a0132c13195bcfa71d1fc89175d

SHA512
6a9c763929f15e13f638af3eced13e9862df33728b2d6a7c306a12c60f6ad9c345ef933a7964fb4f2eb21f014705b253b3222719c215d0e0093227e3b23ada6f

Download Submit
C:\Users\Admin\Downloads\OIsOl4wt.apk.part

Filesize
6.0MB

MD5
65d38e5674eb75a374bebb5510023353

SHA1
2fd503963983bbe7733fa3a126859e432bb12315

SHA256
b25429ee581457c7a115d330f4d4c532c66e931f67673d13dc41137b69eaf0f3

SHA512
56e2b2074ba671cfd01971820be8966c6ea054d931a88f1b2d84a04d21b820fe4cf1d9f16db2986db289a09816a43aa11e0fb516df32cae035d749dad61b837c

Download Submit