jupyter | ace82e39c0c7bba7b66f589ae8523aeffb1b34aeafe6d2f1f5ed873a0b980936

Analysis

max time kernel
1192s
max time network
875s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
29-03-2024 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

powershell-1.ps1
Size

3.5MB
MD5

91928587438750fa827193b6299392c3
SHA1

8a758216da9043e5d21457335c522afe037b3f0e
SHA256

ace82e39c0c7bba7b66f589ae8523aeffb1b34aeafe6d2f1f5ed873a0b980936
SHA512

224e6479f27b0a96363e6c863063b37fe696124a8d5357495bd81a56dc8c74a5c17d5d847acb1f085136406ba69b7503a911e125e8061a3a723f1f84ecc18c2c
SSDEEP

49152:rOZgaPlGsa4cA+szFtMe3Ba0Uyz8JZC37YHt:j

Score

10^/10

jupyter backdoor stealer trojan

Malware Config

Signatures

Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

powershell.exeAcroRd32.exe

pid	process
5056	powershell.exe
5056	powershell.exe
5056	powershell.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 5056 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1472 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

1472 AcroRd32.exe
1472 AcroRd32.exe
1472 AcroRd32.exe
1472 AcroRd32.exe
1472 AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	5056	powershell.exe

pid	process
1472	AcroRd32.exe

pid	process
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe
1472	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

powershell.execsc.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 5056 wrote to memory of 1472	5056	powershell.exe	AcroRd32.exe
PID 5056 wrote to memory of 1472	5056	powershell.exe	AcroRd32.exe
PID 5056 wrote to memory of 1472	5056	powershell.exe	AcroRd32.exe
PID 5056 wrote to memory of 4984	5056	powershell.exe	csc.exe
PID 5056 wrote to memory of 4984	5056	powershell.exe	csc.exe
PID 4984 wrote to memory of 3664	4984	csc.exe	cvtres.exe
PID 4984 wrote to memory of 3664	4984	csc.exe	cvtres.exe
PID 1472 wrote to memory of 1544	1472	AcroRd32.exe	RdrCEF.exe
PID 1472 wrote to memory of 1544	1472	AcroRd32.exe	RdrCEF.exe
PID 1472 wrote to memory of 1544	1472	AcroRd32.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 4652	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 5080	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 5080	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 5080	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 5080	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 5080	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 5080	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 5080	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 5080	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 5080	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 5080	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 5080	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 5080	1544	RdrCEF.exe	RdrCEF.exe
PID 1544 wrote to memory of 5080	1544	RdrCEF.exe	RdrCEF.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\powershell-1.ps1
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\~BH-04918471412496586.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1472

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F1CE184735712054CE70BC356DFA5018 --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4652

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=532ADE3ABD1BE334F1175A59243BEA91 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=532ADE3ABD1BE334F1175A59243BEA91 --renderer-client-id=2 --mojo-platform-channel-handle=1640 --allow-no-sandbox-job /prefetch:1
4⤵
PID:5080

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=20A8629F32FB0CE8BA30A50999AB8E56 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=20A8629F32FB0CE8BA30A50999AB8E56 --renderer-client-id=4 --mojo-platform-channel-handle=2212 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4172

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2180998DE23EE53004CFD8F8F1DE5851 --mojo-platform-channel-handle=1704 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:5096

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A068A2795A276D1FA12C734B9997CF79 --mojo-platform-channel-handle=2576 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3880

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7E2F55601D883EE73471B3A733F9357D --mojo-platform-channel-handle=2484 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\24gjvkli\24gjvkli.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7232.tmp" "c:\Users\Admin\AppData\Local\Temp\24gjvkli\CSC87C81A097DD1483A8226CC2BB37FF838.TMP"
3⤵
PID:3664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
0a6b67677727e2e4b8a5e03fcfefd68c

SHA1
af5d7d1961f017dfa2b9bd7f11d98c68e8fc88d8

SHA256
c517ae38151ca951e3e11b1e3cb47ccf71027813f9d2cf8b4b74ca971bb0b30e

SHA512
441e424f69a1a646a767e02e77d053d407e86406b1b7e05e1c98b2d2a67bf212f04fb2e733934a196f7e71aea61febd86ce5a031922e229902b9b2271656ac91

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\Local\Temp\24gjvkli\24gjvkli.dll
Filesize
3KB

MD5
88965789c6f5ea5f6029d185bf190137

SHA1
5341889fec20c17eb4ea142d4f9c93a0ad1eab6c

SHA256
e728844733c58aab322575fe23acfcabb529136eecba08cdaf343624e0b62280

SHA512
10bb97064e2c45f89e3846548f9c59b03c21c0525e73e2d2151002afa6756f0efe1390f80fd0b72b307c681cd5cca2221726892bfed12d36762c8fd632795ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7232.tmp
Filesize
1KB

MD5
cf855f6697edde21882f2ae371b9a241

SHA1
18de039ce7c9d850df5cce4710d8d76d7aef5389

SHA256
e8f0763625358166072be2112595b4c858f55a6f85d27b4603a8731ba347cfd8

SHA512
979ba46707dff6860bb98b92fe751f12d268d4a1e4ae36fedb00dda060359818f2d63959841d2908e0d8717cb662b1ba3bcad33c3c7324be9729977d1bc0d917

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1b1tdlyb.t11.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~BH-04918471412496586.pdf
Filesize
2.1MB

MD5
3ccb3a9ab45b0f6019c7fcefaea15e8f

SHA1
98366369108260df7c9241f0e380add021346bd3

SHA256
7220bd60f16945e41121098d8acac2793a91ced3362bca0a9f4042160480e661

SHA512
71b59d24d51f09b7f710eff4a691beded43bf7ac651a48458ea342bd5e649d074b2c20de6cb5f19f1a652ad60a51e4667e89399e57db1bacf590d377bc9ffe1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\24gjvkli\24gjvkli.0.cs
Filesize
244B

MD5
b999975748af32dd007ff48814430b26

SHA1
46b54a3e3be2d3497127d67b96b3f6a55d26447d

SHA256
ed13935d6ac43e5ce0419aa7d162dbc70562c02dedacb81d5efdfc609a035c69

SHA512
f8e48caaac395db45ac4c8a899dbd64305dd6f57fcd22919a6d880b035455286d3504b097dca250d4ea283004cb64d47e376901b8fae65f4fa792234dee9f81e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\24gjvkli\24gjvkli.cmdline
Filesize
369B

MD5
4013e382b8a3c31ca123130727879f8e

SHA1
8391c64ca7016f1478d90169671cae787b619cf0

SHA256
140238f41590a14e3b488f63a0804c8817080065d03c52fc21560a958b2e15fb

SHA512
8bc57576a79ad33c7dfcac93d4f633bbe87c457c2bbca0788a1ec1d1eecffa13430fbc4a5b607e7a380ea67df58686c2fb4a5b46a2ba2ccda30e33988bb46d55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\24gjvkli\CSC87C81A097DD1483A8226CC2BB37FF838.TMP
Filesize
652B

MD5
e15021cafbf55152c919cd9a181e7969

SHA1
cf274f01319828327463fd4c36523a33cebde7da

SHA256
7fd230995ac97aa42f385c884e2920178e5f16d17d38b76afe7010667e15e201

SHA512
ab37bd562d9654910820d9bae1b4745df7d83762d44e2eec27d79aaf779fafd25f0d84fd0b5aa4636b286d4b33c21466d854e200f1369b0db79097615379561a

Download Submit
memory/5056-4-0x000002196AE00000-0x000002196AE22000-memory.dmp

Filesize
136KB

Download
memory/5056-10-0x000002196AEC0000-0x000002196AF36000-memory.dmp

Filesize
472KB

Download
memory/5056-47-0x000002196B640000-0x000002196B648000-memory.dmp

Filesize
32KB

Download
memory/5056-50-0x000002196AEB0000-0x000002196AEC0000-memory.dmp

Filesize
64KB

Download
memory/5056-51-0x000002196BA50000-0x000002196BB5C000-memory.dmp

Filesize
1.0MB

Download
memory/5056-7-0x000002196AEB0000-0x000002196AEC0000-memory.dmp

Filesize
64KB

Download
memory/5056-6-0x000002196AEB0000-0x000002196AEC0000-memory.dmp

Filesize
64KB

Download
memory/5056-5-0x00007FFFA5460000-0x00007FFFA5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/5056-182-0x00007FFFA5460000-0x00007FFFA5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/5056-188-0x000002196AEB0000-0x000002196AEC0000-memory.dmp

Filesize
64KB

Download