cbc4ef8dad9809de1e82112c4b232c3fa70eeb3f05d8955f959ad9410d1302d7

Analysis

max time kernel
1520s
max time network
1170s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
18/03/2024, 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Energy_p010-Procedure.pdf
Size

2.7MB
MD5

f1516cc0fbabb6af3e99ae32adbc2653
SHA1

ed44c258c72464e71eb62589a05ad300ba33466d
SHA256

cbc4ef8dad9809de1e82112c4b232c3fa70eeb3f05d8955f959ad9410d1302d7
SHA512

20bd159f2653e228273bc6456ecc9bd11f85b9b3a111ae82ac751c50dc90ac7ea7d2cff3ee115699c8e381aa782225a67621f4b94913f5173a16b218c1fbac20
SSDEEP

49152:3xDyaraSs/OFQhczPyngg7j1djcokepHdrbal0T5L4DFtKWEmI5f0ZDS98KN:3xDds/OAc7OR7koN9rbao5aNUf0VSJN

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3320	firefox.exe
Token: SeDebugPrivilege	3320	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2464	AcroRd32.exe
3320	firefox.exe
3320	firefox.exe
3320	firefox.exe
3320	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3320	firefox.exe
3320	firefox.exe
3320	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
2464	AcroRd32.exe
3320	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2380	2464	AcroRd32.exe	76
PID 2464 wrote to memory of 2380	2464	AcroRd32.exe	76
PID 2464 wrote to memory of 2380	2464	AcroRd32.exe	76
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 4556	2380	RdrCEF.exe	77
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78
PID 2380 wrote to memory of 996	2380	RdrCEF.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Energy_p010-Procedure.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=27C5F3C4D3FF85C61AA6DE6B5B903A82 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4556
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=07DED95DFFC01A3DAB1C2AD29A00EFEF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=07DED95DFFC01A3DAB1C2AD29A00EFEF --renderer-client-id=2 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:996
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F6C93E8D03DD194397795092766292F1 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4816
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=704B72114E5137A6DC4AD24EFEDF6780 --mojo-platform-channel-handle=2456 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2788
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=839CE9F31716E891EBFBC14510B89512 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=839CE9F31716E891EBFBC14510B89512 --renderer-client-id=6 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4552
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C1F1E8F9C3C425F2F208D96D7C49082E --mojo-platform-channel-handle=2732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:976
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3320.0.1549511984\1510911423" -parentBuildID 20221007134813 -prefsHandle 1804 -prefMapHandle 1796 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cd310b9-e426-4d83-8e77-de707872a1d5} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" 1888 1644bfdc258 gpu
    3⤵
    PID:1116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3320.1.192617612\1645345735" -parentBuildID 20221007134813 -prefsHandle 2252 -prefMapHandle 2240 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {104aa691-8692-46a3-b26f-53bde6de374b} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" 2264 1644bf0a258 socket
    3⤵
    - Checks processor information in registry
    PID:3080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3320.2.396123583\1325540350" -childID 1 -isForBrowser -prefsHandle 2776 -prefMapHandle 2768 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05247a15-c30f-4ea6-9117-3f691c104da2} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" 2944 164511a0b58 tab
    3⤵
    PID:4032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3320.3.1626933840\294385912" -childID 2 -isForBrowser -prefsHandle 1012 -prefMapHandle 1004 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b9be178-396f-4f70-bfb0-bbda8f7ee8e2} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" 3416 1643fd62b58 tab
    3⤵
    PID:1228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3320.4.1409894921\1635488347" -childID 3 -isForBrowser -prefsHandle 4508 -prefMapHandle 4504 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b55d1f6a-5f6b-4d2a-93ec-de6c3ddc0104} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" 4532 16452e35a58 tab
    3⤵
    PID:1764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3320.5.868702356\1821530872" -childID 4 -isForBrowser -prefsHandle 4916 -prefMapHandle 4500 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81afc2de-328e-467b-bd81-6051390477c8} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" 4928 1643fd68158 tab
    3⤵
    PID:2140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3320.6.789282583\845685104" -childID 5 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {002a0a6f-862c-4589-8a6d-10428ce3271a} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" 5196 16452e36958 tab
    3⤵
    PID:740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3320.7.294707050\1296564676" -childID 6 -isForBrowser -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21b52353-73df-444a-bc63-d1c679acc0af} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" 5388 164533dda58 tab
    3⤵
    PID:1852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3320.8.1843276974\1286462754" -childID 7 -isForBrowser -prefsHandle 5792 -prefMapHandle 5776 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e93807e6-7555-443c-8ec6-4eb6777d097c} 3320 "\\.\pipe\gecko-crash-server-pipe.3320" 5780 164551d6458 tab
    3⤵
    PID:748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
b47e440241baa9cef81bbd1bedeb4b05

SHA1
e849eb212ecb1f2795acc54a6fe2e18a09aaadd4

SHA256
0ed71dbfbf1086aa8c90f173b15f194a34ac8e5c2546dba2e83e0d5ce93d008b

SHA512
6290ae660e3940120eb94173c2d237aa05253d6e41bb14cd3c74a78d9d82d5c4d77ada744e6aa6adf257f91a124ee9190c081f3062d2d264295541c25aa00a24

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
77c68369d64f41555e192b88a2fd23e3

SHA1
5dbe914a830bb472507a1a3ca617ceee60f43554

SHA256
70bf78b91bd4cd84203162efc001b9a9835af78234920e0bb4d56ed0218ec6f0

SHA512
82fbe808517025da0ce425869ad2cdd4d2a97a7277f36333d3bd04714bd1b62b6e0886343bd06c90652552d6affa1b4bbb112147d74400c8d9b2fe97d2f156f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\datareporting\glean\pending_pings\1986eb13-3ab0-4c3e-818a-e6ffddfee969

Filesize
9KB

MD5
84e311b4f53c5170888aba0cec377fe6

SHA1
f3b6d134c3089bd7a2163da6a581b96502a7be42

SHA256
ac41e41500398e3508f50491688568ffbe4a46de233e6cd6732bb93f9ac3f41b

SHA512
e70c716d996ad05832e1b11f8bff5655b309267f1f179f59dfe398d73ac64b664fea5546e7c122bd92fa22e59c334cfe684c81e72356545ab6551da5188b2999

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\datareporting\glean\pending_pings\7372281c-49ac-43ea-9228-6d62301e6905

Filesize
746B

MD5
b9c99343380601fa56c6d1f0d5510690

SHA1
715c11a56c00c584c839ec7ee539fd129409ad45

SHA256
895cd27497057db0daeff4f2881664751ee4c96beec0ba232c879b9c51cae366

SHA512
386150eae84d7caa269c91087be3931b64c697aac319c4777ef75e85c5c83e0a28f5f689a3659e4dfa72254a257908a9691fc8fb8cc9a095583daf1bdd297c49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\prefs-1.js

Filesize
6KB

MD5
f355fb78be459f99cac32d78ca6a758d

SHA1
b303f62d8f3574a412f21f2dc64f1f96efe5eac1

SHA256
1f6cd01afbf7dd2606a120064856726fbb56f1511d4f64c1deef7b915eaf8c3e

SHA512
9af2b2d2bc8f3fd947cb1202be00c39f61e8b8dc951d890c0ee1e516eaaf656e71c2f5edb8a8e3fdf78336c190f4c00287eb37965ffc2a5cbf69da755434f34d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\prefs-1.js

Filesize
6KB

MD5
4e429f7015cc3ca0dfa8834b8db9bdcd

SHA1
b99f7e636d60acec53e4db6fb679289cd4bec5b2

SHA256
1029d35bda7327bb0d3c68af063a61f31b62fe22aec3e933e06a789aacc61c78

SHA512
2970ba3f621c856d04b24ed2840e03641a4f38976cb17288d3bc1d2fade667da4a2abc6b2c9f40521328135d811a923dcbfa70eddca60fc4a7d892230b20b83e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
77c726f3737ca1168f89f7404c703e52

SHA1
9a06e02b8101a1d96954974ce1d0695bf1aa0f4b

SHA256
4fb83b16724997a0ad3377f925d28dc60325bcc5a7be129d68e396f628ec23a0

SHA512
69a4e28e97aeaec886fc6f500e20dfe2623d17b9bf46983644718428376d58acab4c65a4ef150f554721e9bafaf3767f9d9ec02cf730793376993384912cb351

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
cbef711a85fa18f915f933a74b71b4e0

SHA1
47b8ef6ea730149393dc6155685a156b0661968d

SHA256
0f2d363e4cd895ce2fac3b403b8ee1d79baae2d770579f597e6ef3bd18b25785

SHA512
8fdf1ebb904affa51e87daf890b2e1c455032511e3f9c57ccde9b8823452d57887821edddda3c8724b2c3632e7d6de363b95c66d9c3cd0c03912b85f067e88dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4lkuyr4n.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
cd698f1f75b5d0458b0542b4f46e085b

SHA1
908af5b753c4811359e6915715255ab91e79f12d

SHA256
df8b0584d71174edfdcf84f5f689ec477476efe808dd302f48d62afeddfd8374

SHA512
a927536f309e068c4b2e62a3ac57e3c1cb987c0a35331bfc258bb966b5f303c7eff57facacdeee98ebb8675f09fe96b221cf49f5812fb1a3bbf297d5c51c74dc

Download Submit