jupyter | ace82e39c0c7bba7b66f589ae8523aeffb1b34aeafe6d2f1f5ed873a0b980936

Analysis

max time kernel
1194s
max time network
1174s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-03-2024 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

powershell-1.ps1
Size

3.5MB
MD5

91928587438750fa827193b6299392c3
SHA1

8a758216da9043e5d21457335c522afe037b3f0e
SHA256

ace82e39c0c7bba7b66f589ae8523aeffb1b34aeafe6d2f1f5ed873a0b980936
SHA512

224e6479f27b0a96363e6c863063b37fe696124a8d5357495bd81a56dc8c74a5c17d5d847acb1f085136406ba69b7503a911e125e8061a3a723f1f84ecc18c2c
SSDEEP

49152:rOZgaPlGsa4cA+szFtMe3Ba0Uyz8JZC37YHt:j

Score

10^/10

jupyter backdoor stealer trojan

Malware Config

Signatures

Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exeAcroRd32.exe

pid	process
968	powershell.exe
968	powershell.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 968 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

352 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

352 AcroRd32.exe
352 AcroRd32.exe
352 AcroRd32.exe
352 AcroRd32.exe
352 AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	968	powershell.exe

pid	process
352	AcroRd32.exe

pid	process
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe
352	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

powershell.execsc.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 968 wrote to memory of 352	968	powershell.exe	AcroRd32.exe
PID 968 wrote to memory of 352	968	powershell.exe	AcroRd32.exe
PID 968 wrote to memory of 352	968	powershell.exe	AcroRd32.exe
PID 968 wrote to memory of 3332	968	powershell.exe	csc.exe
PID 968 wrote to memory of 3332	968	powershell.exe	csc.exe
PID 3332 wrote to memory of 5028	3332	csc.exe	cvtres.exe
PID 3332 wrote to memory of 5028	3332	csc.exe	cvtres.exe
PID 352 wrote to memory of 3044	352	AcroRd32.exe	RdrCEF.exe
PID 352 wrote to memory of 3044	352	AcroRd32.exe	RdrCEF.exe
PID 352 wrote to memory of 3044	352	AcroRd32.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 2452	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 4936	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 4936	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 4936	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 4936	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 4936	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 4936	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 4936	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 4936	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 4936	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 4936	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 4936	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 4936	3044	RdrCEF.exe	RdrCEF.exe
PID 3044 wrote to memory of 4936	3044	RdrCEF.exe	RdrCEF.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\powershell-1.ps1
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\~BH-04918471412496586.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:352

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:3044

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B217C629DD47AFADB27887D7A5CB61BB --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2452

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=051692E1C398406664E8DAD8D9AB64AD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=051692E1C398406664E8DAD8D9AB64AD --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4936

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F00845919ED7D4C527809A959AD36BE2 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4872

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=90BB0CC273D1F29F3CB939A258D03B28 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=90BB0CC273D1F29F3CB939A258D03B28 --renderer-client-id=5 --mojo-platform-channel-handle=1996 --allow-no-sandbox-job /prefetch:1
4⤵
PID:2024

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=260FDAD233055A98A1EDCFD824E61070 --mojo-platform-channel-handle=2468 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2968

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E6AFAAC4E68C9D5091A21D3CD212DCCA --mojo-platform-channel-handle=2720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wehwo0mj\wehwo0mj.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77A1.tmp" "c:\Users\Admin\AppData\Local\Temp\wehwo0mj\CSCAE4ADF5DB06443C8ABBEFD923BAE62C.TMP"
3⤵
PID:5028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
10d5d3502e784e4689b40d0dd89baa8a

SHA1
affd4af6a4f27e06b14f8224c16fde2da722e386

SHA256
6b8d57ad89100a7be3e0e43542b4e8b2f810d14bfcd6d4bc1cb726100c18eff4

SHA512
93ac42ee29ef4861691b994d50afab2c9ef8a8480df01302a9724c68522318635318e71666c830d81992616b6f8286a6d53e22c14e2e108dd53ace535451babb

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES77A1.tmp
Filesize
1KB

MD5
f6fd5b274147fd4bb2309e8fd293c1d1

SHA1
0d919ccad1608c76e4bef0eba32c6a3974755b46

SHA256
ee2d6a7233b391ce584fc62c3978917bb329a4a2653a50e5fcaa202334548d05

SHA512
43eadba5f6261aaedd7e9b2ffa30d3ad6ea18ed201aee52162f86a89755970de909bfd47705880920bcd85298db32e5cd53adfd23da6a320e42636a10108864c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0d3fnj4e.g4q.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wehwo0mj\wehwo0mj.dll
Filesize
3KB

MD5
05076dc52976494b8e22db1ab8b0e841

SHA1
78c2d5b569ef59475a91aabc75408eddcff00a0c

SHA256
bf906bc20598787289e7970f9e52d3aca6d59922c09a807200063c1cbf046035

SHA512
89f1c8c20ff06de194e5eeb8d40796df2e6881d6bd1f948e0928421ba21adccd13c13b334ff2f89f7448f2ed35b0e4b76315bdae708f84ec4c6571a0418f4f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\~BH-04918471412496586.pdf
Filesize
2.1MB

MD5
3ccb3a9ab45b0f6019c7fcefaea15e8f

SHA1
98366369108260df7c9241f0e380add021346bd3

SHA256
7220bd60f16945e41121098d8acac2793a91ced3362bca0a9f4042160480e661

SHA512
71b59d24d51f09b7f710eff4a691beded43bf7ac651a48458ea342bd5e649d074b2c20de6cb5f19f1a652ad60a51e4667e89399e57db1bacf590d377bc9ffe1d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wehwo0mj\CSCAE4ADF5DB06443C8ABBEFD923BAE62C.TMP
Filesize
652B

MD5
898025a2b00ab9edef6d1986555ea17c

SHA1
7fd88a8c91264ad9c2403baca8efc4e2baf39c44

SHA256
c31807560a478ba311ff5a38731703ec6bbe5356c01bf912a08b662b4636588f

SHA512
a89d7d622512f8a9225132497acf921848917f781a707cd0bb8e02f473120357a01ce14b5efa3255b438334ad0df2cb4895a91ee75705786f759b79a60dc8ece

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wehwo0mj\wehwo0mj.0.cs
Filesize
244B

MD5
b999975748af32dd007ff48814430b26

SHA1
46b54a3e3be2d3497127d67b96b3f6a55d26447d

SHA256
ed13935d6ac43e5ce0419aa7d162dbc70562c02dedacb81d5efdfc609a035c69

SHA512
f8e48caaac395db45ac4c8a899dbd64305dd6f57fcd22919a6d880b035455286d3504b097dca250d4ea283004cb64d47e376901b8fae65f4fa792234dee9f81e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wehwo0mj\wehwo0mj.cmdline
Filesize
369B

MD5
5b2cf1950a121981e60003de5697c6cf

SHA1
63c37f33ace38f752c934315e4bc71b667999e2a

SHA256
23e55af30124a16bcda6727f62a4fa7722174659e64b5f015c870d24bcae7b3c

SHA512
e7486a69d8d73d615b4ef39a098bd29a87f2059d98798388262574c968ced935336eb4f0a3eea8985b8fc1a76b8879e6448fbd4d26743258ddc4af3912d96b5e

Download Submit
memory/352-168-0x000000000C290000-0x000000000C53B000-memory.dmp

Filesize
2.7MB

Download
memory/968-12-0x000002156CC10000-0x000002156CC20000-memory.dmp

Filesize
64KB

Download
memory/968-29-0x000002156D010000-0x000002156D11C000-memory.dmp

Filesize
1.0MB

Download
memory/968-27-0x000002156CEF0000-0x000002156CEF8000-memory.dmp

Filesize
32KB

Download
memory/968-11-0x000002156CC10000-0x000002156CC20000-memory.dmp

Filesize
64KB

Download
memory/968-10-0x000002156CC10000-0x000002156CC20000-memory.dmp

Filesize
64KB

Download
memory/968-77-0x00007FF8C2C10000-0x00007FF8C36D2000-memory.dmp

Filesize
10.8MB

Download
memory/968-121-0x000002156CC10000-0x000002156CC20000-memory.dmp

Filesize
64KB

Download
memory/968-9-0x00007FF8C2C10000-0x00007FF8C36D2000-memory.dmp

Filesize
10.8MB

Download
memory/968-163-0x000002156CC10000-0x000002156CC20000-memory.dmp

Filesize
64KB

Download
memory/968-8-0x0000021554590000-0x00000215545B2000-memory.dmp

Filesize
136KB

Download