a28bcfadda71870abd810fb076feccfa751f9c8e112bb8b6289d01fea6897bc0

Analysis

max time kernel
299s
max time network
256s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
17-06-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28232401391882024.pdf
Size

244KB
MD5

3b793df5dc95fcfb363ff935e4a15006
SHA1

932d27ead60591f873fe708239b09a92490bdee7
SHA256

a28bcfadda71870abd810fb076feccfa751f9c8e112bb8b6289d01fea6897bc0
SHA512

7aac9f4c052991dbe1a6ebf85f228fc1479ec9bdac8367287fc0d3bd143854f42b1b59bf4be49db946508d288997bbd8a76456b92cb424490035ea7c4b57f062
SSDEEP

3072:35vvx/ajB+i+Bo1N6U69KEBCSV8gCTQpT5Q:5oo0N/696SV7Q

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3888	firefox.exe
Token: SeDebugPrivilege	3888	firefox.exe
Token: SeDebugPrivilege	3888	firefox.exe
Token: SeDebugPrivilege	3888	firefox.exe
Token: SeDebugPrivilege	3888	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2744	AcroRd32.exe
3888	firefox.exe
3888	firefox.exe
3888	firefox.exe
3888	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3888	firefox.exe
3888	firefox.exe
3888	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
2744	AcroRd32.exe
3888	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 4112	2744	AcroRd32.exe	78
PID 2744 wrote to memory of 4112	2744	AcroRd32.exe	78
PID 2744 wrote to memory of 4112	2744	AcroRd32.exe	78
PID 4112 wrote to memory of 900	4112	AdobeCollabSync.exe	79
PID 4112 wrote to memory of 900	4112	AdobeCollabSync.exe	79
PID 4112 wrote to memory of 900	4112	AdobeCollabSync.exe	79
PID 2744 wrote to memory of 2356	2744	AcroRd32.exe	80
PID 2744 wrote to memory of 2356	2744	AcroRd32.exe	80
PID 2744 wrote to memory of 2356	2744	AcroRd32.exe	80
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 4492	2356	RdrCEF.exe	81
PID 2356 wrote to memory of 5096	2356	RdrCEF.exe	82
PID 2356 wrote to memory of 5096	2356	RdrCEF.exe	82
PID 2356 wrote to memory of 5096	2356	RdrCEF.exe	82
PID 2356 wrote to memory of 5096	2356	RdrCEF.exe	82
PID 2356 wrote to memory of 5096	2356	RdrCEF.exe	82
PID 2356 wrote to memory of 5096	2356	RdrCEF.exe	82
PID 2356 wrote to memory of 5096	2356	RdrCEF.exe	82
PID 2356 wrote to memory of 5096	2356	RdrCEF.exe	82
PID 2356 wrote to memory of 5096	2356	RdrCEF.exe	82
PID 2356 wrote to memory of 5096	2356	RdrCEF.exe	82
PID 2356 wrote to memory of 5096	2356	RdrCEF.exe	82
PID 2356 wrote to memory of 5096	2356	RdrCEF.exe	82
PID 2356 wrote to memory of 5096	2356	RdrCEF.exe	82
PID 2356 wrote to memory of 5096	2356	RdrCEF.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\28232401391882024.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=4112
    3⤵
    PID:900
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
      4⤵
      PID:5048
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2FC2547AC45DB945DA9DE35B3AAF287A --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4492
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=72495A53C9C4AB25194905533FFA58E3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=72495A53C9C4AB25194905533FFA58E3 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:5096
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1C60C9CDF43B02EED95892F0E6B1A268 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2548
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A508B71B8A114C67070BDDAF7A0FC145 --mojo-platform-channel-handle=2440 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2108
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A133F0AFDE23602C9C030E47D706209E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A133F0AFDE23602C9C030E47D706209E --renderer-client-id=6 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3312
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=61D5BF491E93D51A1119A77A7A68EC5A --mojo-platform-channel-handle=2364 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2092
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.0.1091879685\1190462646" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50d55b29-7695-4a6f-a816-b9f92414a1b8} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 1856 215978ef258 gpu
    3⤵
    PID:2144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.1.373806017\1062914191" -parentBuildID 20230214051806 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed995a71-3c05-4dad-8c68-dad96c5d56d9} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 2380 21584685958 socket
    3⤵
    PID:3216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.2.1249467330\660931054" -childID 1 -isForBrowser -prefsHandle 2796 -prefMapHandle 2904 -prefsLen 22213 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50e9c664-7128-4424-92c4-3259aad8b44d} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 2808 2159b706a58 tab
    3⤵
    PID:3060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.3.1697383118\1132247643" -childID 2 -isForBrowser -prefsHandle 3540 -prefMapHandle 3512 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2b030aa-689e-4440-87af-5f0183454c2c} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 3548 2159de99f58 tab
    3⤵
    PID:4444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.4.1463098701\138562397" -childID 3 -isForBrowser -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {438b3b2f-5e8e-458e-aa96-8a4f00faebe7} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 5020 215a097fe58 tab
    3⤵
    PID:3400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.5.1256886553\1159699418" -childID 4 -isForBrowser -prefsHandle 5188 -prefMapHandle 5192 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c86eb876-f2e2-441c-b6b2-061c885b050e} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 5176 215a097f258 tab
    3⤵
    PID:3276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.6.580042847\1262217690" -childID 5 -isForBrowser -prefsHandle 5456 -prefMapHandle 5452 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1312 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4b4a261-cf87-415c-8c53-37b04a9d4434} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 5464 215a0520b58 tab
    3⤵
    PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
d23348eeb03e88243d895bf01971c7a3

SHA1
b2c9df89ef13984d9ad13ccfaf55e98f7423b51f

SHA256
6aa8d17d290d0f13131d64b935e217cbfa8e9ac0dc60bd4f85bcabc22026da2a

SHA512
90065ae00a21bffd195a078d8d892998571b1e1f573bbdf12b249d9b7ea8d9f3efe8ad01b63d88a72b1fe50f6c667b52acf0ec43ff8c3da1b71b12e62493d5f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
bf970a670b0edeec76878167ce177b90

SHA1
2c7605bdb73279712a38d5901581a7c85be1ecb8

SHA256
4836338ea3c68e70e280421ffdd5509a76d067d039227b54c1b151ee95aeb31d

SHA512
5431ac59e1141de0f233b57ca55ccff397f5851bd4acfa5185714afc4f23f2ceab5eecfc34b4575aefcb7fd04548359fbdc64acf7073adc937cdf377b3cd2480

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
7d6fce0292018ad0f6c6113f83e99e04

SHA1
3a430c41eab91c77948d4e61b037948c623dfdf1

SHA256
1cf5df582d2a164fe6e72574b0e78432cfbd457e5f33f15a82ee3d579d444abb

SHA512
ccdcfe37f953b44bf835f78308b3c10baf90c44e47e54230d3470bc0bd60dae70849c8a8ef43dd48a094660fccf69e4ef56e3857908b50c3336b4517922b66a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
dd0bb7338c28455268e36dd6e11375a9

SHA1
e51622a3fb4ac363470bc30646fc0a4a01f85574

SHA256
a020245d233a61eb424110e42681c40082d9074ab8ba5527c3aedcd0198c76f8

SHA512
5d2aa50281799a46bd6e489359c66e1d15e1cd94862e85417b878a5226883c8dd0c3647056245a3789bef280f2af07d03534b5a7f66f8315d486f0d6fa96806d

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
ef3a1c520c7f327e0a7f8b1f052b8293

SHA1
f2363801bf2392d1e0cfc144d35fe02ca4bc5ef6

SHA256
99ccca5f94d3bccd7e59c098d8ede3145373f36bfb8a5803f0c29a36d0621cae

SHA512
0390ccdc064788a9e6231722a2486bea4360dfc8a6419c2278263a0cc4d03c603a2744fd6d8aa9da1f41cd584a9d7748e8a2c46d0a5789d3839d3212ac4a9050

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
f2b09c9bbac325d8e217f707b3bb88d3

SHA1
368bc7eda64c9f49b8265a6ece4674143cb535e6

SHA256
009f0a6c6e6d015411b22f2c51274ce06abb8db3cd413a531c1506f5c921ac44

SHA512
fe5d325eb058c1f373aa01090327924e53bda500edc3cc62c2c652f94a7e209b69721e220a89ad3e3c7709142d4632b89364c4798d1a6c89f505def0b7ed315e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.js

Filesize
7KB

MD5
8df663b27e958b3fed3ad17ab43b7782

SHA1
03a040270363b5932cf91b0a9b4a09cac63895aa

SHA256
760f58347efe7b029a6f18427573e370376f34ecf0fb27fba92e1d88f5cac5ab

SHA512
6bcba810318388b6890c50aeabbe1411e934279060a3c930220d5ca5cf8e42e4566c5e34af8cb83dd3d34eee0d55f0d316857b09aa0a8d38be649aba5e5dbded

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.js

Filesize
7KB

MD5
168af5f88e38e53ed6ec733106c296ed

SHA1
fe77f7a5b111e1466e9844d81efa3888015a03f9

SHA256
65837a1f641c5723fafb404788596219b274f9c909d6b6d6274c3e5a70e202bd

SHA512
720c093abed9c8d2a947d0b59393e7af8aab400c038e68d7dbea4379612bc9bafd7f57b3322ff7c8e0a9f755713dcb85110a22f5e5b9f4a6fc549ed2c3b4619a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
5e44995cebecceeec54580eecb16d443

SHA1
28ff7f12f99e620e0f41f499d9b8556a3a02cec8

SHA256
6d53e61b3264eec53dcd7957243ec6d3b690c01d2231f178817d911a8e82ab56

SHA512
7f162cce9e4961740f13000e73b5263534683ab424bb90385bc0b5ff38219bd736964965b6d967c7576f138e8ecc9165857739896528ce864e6d25930fe765b7

Download Submit