dhq.dll

General

Target: dhq.dll
Filesize: 712KB
Completed: 13-09-2021 17:04
Score: 8/10
MD5: 6e72b76795624c0cd578c24342453c7c
SHA1: 7866fe84f3b53267bfe505bcec20467b05a6e074
SHA256: ebb22358cc0ce4bc40c76e1c02df8d304fd0b27e9793c7cbcc02f23b4e3c1c89

Malware Config
Signatures 12

Defense Evasion
Discovery
Persistence
  • Executes dropped EXE
    adobe1.exe, adobe1.exe

    Reported IOCs

    pid | process
    2700 | adobe1.exe
    948 | adobe1.exe
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/948-151-0x0000000013140000-0x000000001338D000-memory.dmp | upx
    behavioral2/memory/948-154-0x0000000013140000-0x000000001338D000-memory.dmp | upx
    behavioral2/memory/3644-156-0x0000000013140000-0x000000001338D000-memory.dmp | upx
  • Adds Run key to start application
    LaunchWinApp.exe, LaunchWinApp.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run | LaunchWinApp.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1} = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe" | LaunchWinApp.exe
    Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run | LaunchWinApp.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1} = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\svchost.exe" | LaunchWinApp.exe
  • Suspicious use of SetThreadContext
    adobe1.exe

    Reported IOCs

    description | pid | process | target process
    PID 2700 set thread context of 948 | 2700 | adobe1.exe | adobe1.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    AcroRd32.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
  • Modifies Internet Explorer settings
    AcroRd32.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
  • Modifies registry class
    rundll32.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings | rundll32.exe
  • Suspicious behavior: EnumeratesProcesses
    AcroRd32.exe

    Reported IOCs

    pid | process
    4000 | AcroRd32.exe (16 identical entries)
  • Suspicious use of FindShellTrayWindow
    AcroRd32.exe

    Reported IOCs

    pid | process
    4000 | AcroRd32.exe
  • Suspicious use of SetWindowsHookEx
    AcroRd32.exe

    Reported IOCs

    pid | process
    4000 | AcroRd32.exe (6 identical entries)
  • Suspicious use of WriteProcessMemory
    rundll32.exe, rundll32.exe, AcroRd32.exe, RdrCEF.exe

    Reported IOCs

    description | pid | process | target process
    PID 2248 wrote to memory of 996 | 2248 | rundll32.exe | rundll32.exe (3 identical entries)
    PID 996 wrote to memory of 2700 | 996 | rundll32.exe | adobe1.exe (3 identical entries)
    PID 996 wrote to memory of 4000 | 996 | rundll32.exe | AcroRd32.exe (3 identical entries)
    PID 4000 wrote to memory of 2780 | 4000 | AcroRd32.exe | RdrCEF.exe (3 identical entries)
    PID 2780 wrote to memory of 3956 | 2780 | RdrCEF.exe | RdrCEF.exe (41 identical entries)
    PID 2780 wrote to memory of 864 | 2780 | RdrCEF.exe | RdrCEF.exe (11 identical entries)
Processes 15
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dhq.dll,#1
    Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\dhq.dll,#1
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:996
      • C:\Users\Admin\AppData\Local\Temp\adobe1.exe
        C:\Users\Admin\AppData\Local\Temp\\adobe1.exe
        Executes dropped EXE
        Suspicious use of SetThreadContext
        PID:2700
        • C:\Users\Admin\AppData\Local\Temp\adobe1.exe
          C:\Users\Admin\AppData\Local\Temp\\adobe1.exe
          Executes dropped EXE
          PID:948
          • C:\Windows\SysWOW64\LaunchWinApp.exe
            C:\Windows\system32\LaunchWinApp.exe
            PID:3644
          • C:\Windows\SysWOW64\LaunchWinApp.exe
            C:\Windows\system32\LaunchWinApp.exe
            Adds Run key to start application
            PID:3608
          • C:\Windows\SysWOW64\LaunchWinApp.exe
            C:\Windows\system32\LaunchWinApp.exe
            Adds Run key to start application
            PID:1440
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\reader.pdf"
        Checks processor information in registry
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4EF25FF816B0C5DF34EBA38BA7E523EF --mojo-platform-channel-handle=1656 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            PID:3956
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6B5ACA40193F4923AB836A395585663F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6B5ACA40193F4923AB836A395585663F --renderer-client-id=2 --mojo-platform-channel-handle=1648 --allow-no-sandbox-job /prefetch:1
            PID:864
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=30283D475577F1526AF73787DE12A34F --mojo-platform-channel-handle=2068 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            PID:1072
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6E9E63C22FCAE65D32110D31F0CF736B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6E9E63C22FCAE65D32110D31F0CF736B --renderer-client-id=5 --mojo-platform-channel-handle=2208 --allow-no-sandbox-job /prefetch:1
            PID:1808
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5B468DD3659E6FCED98F152892610B6B --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            PID:2056
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B71D5038CE0D64B68736AECB75BF129B --mojo-platform-channel-handle=2524 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            PID:3068
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Temp\adobe1.exe
    MD5: fa0469c74632450ff280cda736e3b589
    SHA1: 2a125739fc91b38f69c021d8c1e9f66f15da7c1b
    SHA256: 9c85331956b4018e4bccaa097b452c1cc368183d8f2a34e55e251a616a1f2cb9
    SHA512: 291256e19f7ef82e57c4223ae8777aeaf39767dba3adf3c6b39c57b2f6c6d4d292d7ace2d53a8536d9d5973088a5156c41e663f38dc9a2b7b384bbf45184b3e9
  • C:\Users\Admin\AppData\Local\Temp\reader.pdf
    MD5: 8dd2a8605148e4e6af1781a9de0d51eb
    SHA1: dbe09e8abbcee0e909a0c44fd494e9952231a1d5
    SHA256: 4a9e84a374276202ce4468813331c296e150ad568b3cd20b4d6f71be62d8518b
    SHA512: 742f95144ad53c9a7b20888fc0c54144187b82761a335020bad6987489255870d725f35a2d5dd4a84475f735f394f7c79ad322b770f89868c3e5b6d7bfb1a37e
  • C:\Users\Admin\AppData\Roaming\Adobe\svchost.exe
    MD5: fa0469c74632450ff280cda736e3b589
    SHA1: 2a125739fc91b38f69c021d8c1e9f66f15da7c1b
    SHA256: 9c85331956b4018e4bccaa097b452c1cc368183d8f2a34e55e251a616a1f2cb9
    SHA512: 291256e19f7ef82e57c4223ae8777aeaf39767dba3adf3c6b39c57b2f6c6d4d292d7ace2d53a8536d9d5973088a5156c41e663f38dc9a2b7b384bbf45184b3e9
  • memory/864-126-0x0000000077E62000-0x0000000077E6200C-memory.dmp
  • memory/864-129-0x0000000000000000-mapping.dmp
  • memory/948-154-0x0000000013140000-0x000000001338D000-memory.dmp
  • memory/948-152-0x000000001338B560-mapping.dmp
  • memory/948-151-0x0000000013140000-0x000000001338D000-memory.dmp
  • memory/996-115-0x0000000000000000-mapping.dmp
  • memory/1072-133-0x0000000077E62000-0x0000000077E6200C-memory.dmp
  • memory/1072-135-0x0000000000000000-mapping.dmp
  • memory/1440-158-0x0000000000000000-mapping.dmp
  • memory/1808-137-0x0000000077E62000-0x0000000077E6200C-memory.dmp
  • memory/1808-139-0x0000000000000000-mapping.dmp
  • memory/2056-142-0x0000000077E62000-0x0000000077E6200C-memory.dmp
  • memory/2056-145-0x0000000000000000-mapping.dmp
  • memory/2700-116-0x0000000000000000-mapping.dmp
  • memory/2700-120-0x0000000000570000-0x00000000006BA000-memory.dmp
  • memory/2780-122-0x0000000000000000-mapping.dmp
  • memory/3068-147-0x0000000077E62000-0x0000000077E6200C-memory.dmp
  • memory/3068-149-0x0000000000000000-mapping.dmp
  • memory/3608-157-0x0000000000000000-mapping.dmp
  • memory/3644-155-0x0000000000000000-mapping.dmp
  • memory/3644-156-0x0000000013140000-0x000000001338D000-memory.dmp
  • memory/3956-125-0x0000000000000000-mapping.dmp
  • memory/3956-123-0x0000000077E62000-0x0000000077E6200C-memory.dmp
  • memory/4000-119-0x0000000000000000-mapping.dmp