cobaltstrike | 0a22b3cc61f95750df85f0abec5ca0d0d9e917c1924b4003e3c58a1e17148847

Analysis

max time kernel
287s
max time network
291s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
05-12-2022 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Attachment.iso
Size

822KB
MD5

1ff6225f783595cf3a0c11720fa945d8
SHA1

4d71522a9cbf2f050f1b369f18351f6eec89b46e
SHA256

d0d1b77c34afe7bec255227fc946e32890e7f6abff67e913d7ef4ea5e33efacb
SHA512

3074e2212e10ac32b5bee3eca1ce9b324a85c5866b24c0086838b5ce336c380276f0616befe6c0c10d9cbdd1c95ed9c6de5eb3f3101d4f91cccb890f74b7b669
SSDEEP

12288:3hU0sdb34MkPGI4MpPBrCi1y05XlXNgLZRwUm14nY:vpki13jgLZRwUm1v

Score

10^/10

cobaltstrike 0 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 14 IoCs

Processes:

powershell.exepowershell.exe

flow	pid	process
17	3060	powershell.exe
20	5048	powershell.exe
25	3060	powershell.exe
26	5048	powershell.exe
27	3060	powershell.exe
28	5048	powershell.exe
29	3060	powershell.exe
30	5048	powershell.exe
31	3060	powershell.exe
32	5048	powershell.exe
33	3060	powershell.exe
34	5048	powershell.exe
35	3060	powershell.exe
36	5048	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\295.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\295.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\ContainerID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0012	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exeAcroRd32.exeAcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exeAcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 3 IoCs

Processes:

cmd.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	powershell.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

3352 NOTEPAD.EXE
2304 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

3060 powershell.exe
3060 powershell.exe
3060 powershell.exe
5048 powershell.exe
5048 powershell.exe
5048 powershell.exe

pid	process
3352	NOTEPAD.EXE
2304	NOTEPAD.EXE

pid	process
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

cmd.exe7zG.exepowershell.exepowershell.exe

description	pid	process
Token: SeManageVolumePrivilege	2584	cmd.exe
Token: SeManageVolumePrivilege	2584	cmd.exe
Token: SeRestorePrivilege	5060	7zG.exe
Token: 35	5060	7zG.exe
Token: SeSecurityPrivilege	5060	7zG.exe
Token: SeSecurityPrivilege	5060	7zG.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeIncreaseQuotaPrivilege	3060	powershell.exe
Token: SeSecurityPrivilege	3060	powershell.exe
Token: SeTakeOwnershipPrivilege	3060	powershell.exe
Token: SeLoadDriverPrivilege	3060	powershell.exe
Token: SeSystemProfilePrivilege	3060	powershell.exe
Token: SeSystemtimePrivilege	3060	powershell.exe
Token: SeProfSingleProcessPrivilege	3060	powershell.exe
Token: SeIncBasePriorityPrivilege	3060	powershell.exe
Token: SeCreatePagefilePrivilege	3060	powershell.exe
Token: SeBackupPrivilege	3060	powershell.exe
Token: SeRestorePrivilege	3060	powershell.exe
Token: SeShutdownPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeSystemEnvironmentPrivilege	3060	powershell.exe
Token: SeRemoteShutdownPrivilege	3060	powershell.exe
Token: SeUndockPrivilege	3060	powershell.exe
Token: SeManageVolumePrivilege	3060	powershell.exe
Token: 33	3060	powershell.exe
Token: 34	3060	powershell.exe
Token: 35	3060	powershell.exe
Token: 36	3060	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeIncreaseQuotaPrivilege	5048	powershell.exe
Token: SeSecurityPrivilege	5048	powershell.exe
Token: SeTakeOwnershipPrivilege	5048	powershell.exe
Token: SeLoadDriverPrivilege	5048	powershell.exe
Token: SeSystemProfilePrivilege	5048	powershell.exe
Token: SeSystemtimePrivilege	5048	powershell.exe
Token: SeProfSingleProcessPrivilege	5048	powershell.exe
Token: SeIncBasePriorityPrivilege	5048	powershell.exe
Token: SeCreatePagefilePrivilege	5048	powershell.exe
Token: SeBackupPrivilege	5048	powershell.exe
Token: SeRestorePrivilege	5048	powershell.exe
Token: SeShutdownPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeSystemEnvironmentPrivilege	5048	powershell.exe
Token: SeRemoteShutdownPrivilege	5048	powershell.exe
Token: SeUndockPrivilege	5048	powershell.exe
Token: SeManageVolumePrivilege	5048	powershell.exe
Token: 33	5048	powershell.exe
Token: 34	5048	powershell.exe
Token: 35	5048	powershell.exe
Token: 36	5048	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zG.exeAcroRd32.exeAcroRd32.exe

pid process

5060 7zG.exe
1932 AcroRd32.exe
3404 AcroRd32.exe

pid	process
5060	7zG.exe
1932	AcroRd32.exe
3404	AcroRd32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AcroRd32.exeAcroRd32.exeAcroRd32.exe

pid	process
1932	AcroRd32.exe
1932	AcroRd32.exe
1932	AcroRd32.exe
1932	AcroRd32.exe
4520	AcroRd32.exe
3404	AcroRd32.exe
3404	AcroRd32.exe
3404	AcroRd32.exe
3404	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

powershell.exeAcroRd32.exepowershell.exeRdrCEF.exe

description	pid	process	target process
PID 3060 wrote to memory of 1932	3060	powershell.exe	AcroRd32.exe
PID 3060 wrote to memory of 1932	3060	powershell.exe	AcroRd32.exe
PID 3060 wrote to memory of 1932	3060	powershell.exe	AcroRd32.exe
PID 1932 wrote to memory of 4008	1932	AcroRd32.exe	RdrCEF.exe
PID 1932 wrote to memory of 4008	1932	AcroRd32.exe	RdrCEF.exe
PID 1932 wrote to memory of 4008	1932	AcroRd32.exe	RdrCEF.exe
PID 5048 wrote to memory of 3404	5048	powershell.exe	AcroRd32.exe
PID 5048 wrote to memory of 3404	5048	powershell.exe	AcroRd32.exe
PID 5048 wrote to memory of 3404	5048	powershell.exe	AcroRd32.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 164	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 4696	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 4696	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 4696	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 4696	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 4696	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 4696	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 4696	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 4696	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 4696	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 4696	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 4696	4008	RdrCEF.exe	RdrCEF.exe
PID 4008 wrote to memory of 4696	4008	RdrCEF.exe	RdrCEF.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Attachment.iso
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4804

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Attachment\" -ad -an -ai#7zMap5938:100:7zEvent29960
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5060

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log
1⤵
- Opens file in notepad (likely ransom note)
PID:3352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -windowstyle hidden -command get-content 8969122ef3485d.log|out-string|iex
1⤵
- Blocklisted process makes network request
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Attachment\document.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F8052C1B3809711B02134207C443216F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F8052C1B3809711B02134207C443216F --renderer-client-id=2 --mojo-platform-channel-handle=1596 --allow-no-sandbox-job /prefetch:1
4⤵
PID:164

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C600BA8914FD9E9E49313555BC669C15 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4696

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2B203EF3E84831FC87CCE980A8A611F6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2B203EF3E84831FC87CCE980A8A611F6 --renderer-client-id=4 --mojo-platform-channel-handle=2092 --allow-no-sandbox-job /prefetch:1
4⤵
PID:1284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -windowstyle hidden -command get-content 8969122ef3485d.log|out-string|iex
1⤵
- Blocklisted process makes network request
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Attachment\document.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Attachment\document.pdf"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4520

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Attachment\8969122ef3485d.log
1⤵
- Opens file in notepad (likely ransom note)
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Attachment\8969122ef3485d.log
Filesize
23KB

MD5
914dd9891afe574b611e2e38a162ae1f

SHA1
ad4c9126bcf2e534cd355107c301d01832889610

SHA256
304d6a87f624d74df2bf37c458b2f06c525aad947886413befac892c1d89a394

SHA512
33a70a75e956bcdb70c22b27c2f3044d6c527e3a10446cb6654431ecfbe326d69631b8ad61bb8f8bc8399f6122bdc229dfc01a607cec38587d39dccc67dd902c

Download Submit
C:\Attachment\8969122ef3485df.log
Filesize
420KB

MD5
06b8feae2c9d9f2940cb9dca40d553c3

SHA1
b246ed8055ad9e7bb760795e054224d406ec8a20

SHA256
93b0f19011468a4864c114bcbcfc55f460e2c789b14ea893c26ce450d3c21a9e

SHA512
d0285b2a638ff76fe846f41118c7e6e2ac741ab071ec63432fc8406b181ebf187c0d77f45740eb26a193f348b15db478a7d6c96c6f92df6a7464b46c9a3f6818

Download Submit
C:\Attachment\Attachment.lnk
Filesize
2KB

MD5
4f86eb0c1fac722e4c7b4f6f089bd127

SHA1
9d459b6ebc01d6e937785e1e118000bebdd3f700

SHA256
89a1a6cb000a66b841ad26a8d0d5af507cc17efc00a109d61d52a65caa4cef43

SHA512
c8f1d53629d14ddbe84b6878104a773e7a1bd8da47ab2b3d5ac04955916978bd79db0a9c3a94652889580344cf21416d7791b2982afeb7da5839ce33c7cc76a0

Download Submit
C:\Attachment\document.pdf
Filesize
10KB

MD5
8a7cadbe3c40344007c5334b41f0e8cf

SHA1
fbc916f065157cc5a13f22453c19f7dfecc3c228

SHA256
3902e1734b1d0187d3404dafa4616212342630cb46913242060f485e58201a75

SHA512
8c5e0d7a938ac13537041335d5ea185e83e025b6da138c0c3c49794825e873a52c048b08579711a888bae6e9fedc03996dbb5a2696844bb5335b8f96017dcbdb

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat
Filesize
213KB

MD5
8eb849082e565b535238d47b1f5d6b41

SHA1
88be2de349e5ff0a9db05051abf84a5952cabeba

SHA256
08a45cc1e94cc381c9895f7e2fa5df1fe7e9a2db0ea849205107fe69aa2b8ef9

SHA512
e9781778332a0522bbffd502c6cc451bd840e9a5ab45c123b1afc16a554ae9c9cb7ce1e39c7425ee31971ba214b134720d5c87de565f4b5c30238aeb25f89895

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store
Filesize
10KB

MD5
4aea452713333cd65981888f0dc7be4e

SHA1
d49c69aa4b5ba939b502f4e60d38b450d3de8e6f

SHA256
e7f7c446e12cf95c6b49172f46dfdaa4fd99f76b09110b26f18ab810a8fefeff

SHA512
eadfc5ba926ef93874dc2006a0600f7e712fb09769a8122bcd5e0b8c6c9669d7e1d376dcf96779a2ad5c752b875b735e92f2bd45a3abe840bc522b26bec295dc

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei
Filesize
23KB

MD5
31bced9502ed4be2d1b213844d87e83e

SHA1
efe383d157dce8d9769258f38b2e94605997c7e4

SHA256
3b9c2d4459c877744381b4d43bf519cbbc476ba3030e2774b65efe3dff792797

SHA512
2c403bc2e392840091b0bcef2336213102e0b36ce2e4771e7f94d7f40d918975933957a22e4c440687f7a8a461f77dd06f94b768e6d099589805db8bc51fa0dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\80576f709de8a7c8.customDestinations-ms
Filesize
4KB

MD5
18959bbcf51401449a173beedce8aaf0

SHA1
0f858c4b18f57f520203c707342c2a3e5a6004c5

SHA256
24190665f80269e5bd8ea5d05a19016c86a01d27ff95c5ede494d3db8077797c

SHA512
ccde75da49748b09bfffbd521eed65f6192c03d756ff9376da93d556f062f0b3d2a7506bf8cd791b5e534e0baca80e3d1d868c2514d1cd7e76fa161d50aaea4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\295.lnk
Filesize
2KB

MD5
9f1300da55efd9e9335801622ffa7b8d

SHA1
73a31ed10ff6922f29c15b208f5a413b347dea64

SHA256
c6b4ae83818e82ee213a8f7ffbaa0c2484eaf9cee46fa134c72f89810c40b6c9

SHA512
19f42883338c45135261a3695d2671c268f384b715e2122e7d99416b4592bb613de6745e56d1707bd097cbe4dcde682cc024c60dd3c9f45f00dc402c98f2cf68

Download Submit
memory/164-595-0x0000000000000000-mapping.dmp

Download
memory/1284-745-0x0000000000000000-mapping.dmp

Download
memory/1932-217-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-224-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-188-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-189-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-191-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-190-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-192-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-193-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-194-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-195-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-196-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-198-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-197-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-200-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-199-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-201-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-203-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-202-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-204-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-205-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-207-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-208-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-209-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-210-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-211-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-206-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-212-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-213-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-214-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-215-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-216-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-186-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-219-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-220-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-222-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-223-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-221-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-187-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-226-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-230-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-232-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-233-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-235-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-236-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-234-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-237-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-238-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-239-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-241-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-247-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-250-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-180-0x0000000000000000-mapping.dmp

Download
memory/1932-181-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-182-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-184-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-183-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-252-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-185-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1932-245-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3060-129-0x000002985B430000-0x000002985B4A6000-memory.dmp

Filesize
472KB

Download
memory/3060-835-0x000002985B8E0000-0x000002985B920000-memory.dmp

Filesize
256KB

Download
memory/3060-832-0x000002985B8E0000-0x000002985B920000-memory.dmp

Filesize
256KB

Download
memory/3060-123-0x0000029859200000-0x0000029859222000-memory.dmp

Filesize
136KB

Download
memory/3404-442-0x0000000000000000-mapping.dmp

Download
memory/4008-377-0x0000000000000000-mapping.dmp

Download
memory/4520-249-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-244-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-242-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-248-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-246-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4520-251-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/4696-603-0x0000000000000000-mapping.dmp

Download
memory/5048-834-0x0000024E7B9A0000-0x0000024E7B9E0000-memory.dmp

Filesize
256KB

Download
memory/5048-836-0x0000024E7B9A0000-0x0000024E7B9E0000-memory.dmp

Filesize
256KB

Download