Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-04-2024 11:36

Static task: static1
Behavioral task: behavioral1
- Sample: fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe
- Size: 801KB
- MD5: fcae8c3823eecebb9b8e0f9f2b9eeb89
- SHA1: 53c49e7458363a22180916f30e6d945081b20d83
- SHA256: 84609f9e443225a23cca8ab6be910c207d220bb430fd543d0724eaae8f7df592
- SHA512: e92b5187e95a78c7a13f77e36aa9b0c2c144a6404ac6071902fa9e91304f9fb4a2e0c5c56b6accacde432d0626e1f8be00eeb4befa76936c8fbf5eb81c84b480
- SSDEEP: 24576:ANA3R5drXPrfHh2bQA53HU+tV9iKOcuiLbGD:55j2Z1z9b0
Malware Config
Extracted
- Family: njrat
- 20
- gold
- C2: 149.248.52.61:87
- 165d6ed988ac
- reg_key: 165d6ed988ac
- splitter: |'|'|
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe
-
Executes dropped EXE 1 IoCs
Processes: winonet.exe
pid | process
- 3376 | winonet.exe
-
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
resource | yara_rule
- C:\Users\Admin\AppData\Roaming\director_general_level_border_coordination_conference.pdf | pdf_with_link_action
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: AcroRd32.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes: AcroRd32.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
-
Modifies registry class 1 IoCs
Processes: fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings | fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes: AcroRd32.exe
pid | process
- 2644 | AcroRd32.exe (the same entry is listed 20 times)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: winonet.exe
description | pid | process
- Token: SeDebugPrivilege | 3376 | winonet.exe
- Token: 33 | 3376 | winonet.exe
- Token: SeIncBasePriorityPrivilege | 3376 | winonet.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: AcroRd32.exe
pid | process
- 2644 | AcroRd32.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: AcroRd32.exe
pid | process
- 2644 | AcroRd32.exe (the same entry is listed 5 times)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe, AcroRd32.exe, RdrCEF.exe
description | pid | process | target process
(each parent/target pair below is repeated many times in the report; 64 entries in total)
- PID 2936 wrote to memory of 3376 | 2936 | fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe | winonet.exe
- PID 2936 wrote to memory of 3864 | 2936 | fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe | WScript.exe
- PID 2936 wrote to memory of 2644 | 2936 | fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe | AcroRd32.exe
- PID 2644 wrote to memory of 5092 | 2644 | AcroRd32.exe | RdrCEF.exe
- PID 5092 wrote to memory of 2288 | 5092 | RdrCEF.exe | RdrCEF.exe
- PID 5092 wrote to memory of 2804 | 5092 | RdrCEF.exe | RdrCEF.exe
Processes
(indentation shows the parent/child relationship; each entry gives the image path, the command line, and the signatures raised by that process)

- C:\Users\Admin\AppData\Local\Temp\fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fcae8c3823eecebb9b8e0f9f2b9eeb89_JaffaCakes118.exe"
  Signatures:
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\winonet.exe
    Command line: "C:\Users\Admin\AppData\Roaming\winonet.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\r.vbs"

  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\director_general_level_border_coordination_conference.pdf"
    Signatures:
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      Signatures:
      - Suspicious use of WriteProcessMemory

      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7A5F46B3279FB8ED9F3061D4355AA5F9 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F8CF1B8D0DD1E0745C5AEE6A66D844FD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F8CF1B8D0DD1E0745C5AEE6A66D844FD --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1

      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=62239FF3BF324B1C2607182832237CB8 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=920085A8C00F482D932B9A3595DE6D6C --mojo-platform-channel-handle=1992 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5D7E9B55ABBF8BEB38E66848C3BD349B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5D7E9B55ABBF8BEB38E66848C3BD349B --renderer-client-id=6 --mojo-platform-channel-handle=1996 --allow-no-sandbox-job /prefetch:1

      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3F893C94324AB236BC4715A1C74A79E5 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
- Filesize: 64KB
- MD5: abd4e4e79d0184a5c34f463d68933631
- SHA1: 637869772628af109b6b3859326fbe9b719166a3
- SHA256: 039d9e87eb413655a5b4d8cb11825824162982200a16668dee0eaa07d592a700
- SHA512: 5555bdf475890dafe649d0d18ec7aa8094bd02349d7500ccbb64c6fb825bdd0fc8dee8d6a06bb0d8e3234b0f2a195a9759c4c818efaa70105c644810076a9db4
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
- Filesize: 36KB
- MD5: b30d3becc8731792523d599d949e63f5
- SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
- SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
- SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
- Filesize: 56KB
- MD5: 752a1f26b18748311b691c7d8fc20633
- SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
- SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
- SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
C:\Users\Admin\AppData\Roaming\director_general_level_border_coordination_conference.pdf
- Filesize: 509KB
- MD5: a13d8216dc256824b1c1ba7760752b26
- SHA1: c90d057cfd7e1d42771ff1b6825e91a195a66e23
- SHA256: 1fa89a308f870a441042d1a1ffc0be0e791a843992a22b5ee142343684c171ad
- SHA512: d1506906265a3a5de6c6c95df54a7b48fd1d16941ae6f0fb7b2f06fb83cfe6fda48d145ab0a9525dc6581abd29d44b5b44a01209e94f64d58f55a3c68a527316
-
C:\Users\Admin\AppData\Roaming\r.vbs
- Filesize: 1KB
- MD5: 052999da1fd40e27f72f97a1792f1c5a
- SHA1: 5cd7344606b78bebf071bfdb458ac90b2c328adc
- SHA256: 2545fcbee4cdb94cac171f8242bcfe1b2cdd048864c6f47ce0386d701918104e
- SHA512: 54dfd468414f6125b268d329cf9b10bb347f18d6eb3c822664f138fa2d1251c54a1221979b21f72bbb64db827d50e3ba2dd4c89fe1b9a2f50a3f7f68183c0ab7
-
C:\Users\Admin\AppData\Roaming\winonet.exe
- Filesize: 22KB
- MD5: d66fac100b4268ce1451c8b5dc2a8817
- SHA1: 2e567a9fbac1955a485ba2d6a86700b09362eecc
- SHA256: eb688e9d721c561fe334147c66679bbd988da10c06704a15f048b97a9f6b0f7f
- SHA512: f71f538c432147d29ab126dc15a872333867f3fdaa84f8a5b266817390f618e5fb0e2304b5e0d0c859488f79ff45c14fc79adbc1d7fe65ee18693f196ec95356
-
Memory dumps (dump name | filesize)
- memory/2644-164-0x000000000D3C0000-0x000000000D66B000-memory.dmp | 2.7MB
- memory/2644-53-0x000000000A570000-0x000000000A591000-memory.dmp | 132KB
- memory/3376-22-0x0000000073040000-0x00000000737F0000-memory.dmp | 7.7MB
- memory/3376-51-0x0000000004A90000-0x0000000004B2C000-memory.dmp | 624KB
- memory/3376-21-0x0000000004FA0000-0x0000000005544000-memory.dmp | 5.6MB
- memory/3376-150-0x0000000004C40000-0x0000000004CD2000-memory.dmp | 584KB
- memory/3376-157-0x0000000004C30000-0x0000000004C40000-memory.dmp | 64KB
- memory/3376-158-0x0000000073040000-0x00000000737F0000-memory.dmp | 7.7MB
- memory/3376-159-0x0000000004EF0000-0x0000000004EFA000-memory.dmp | 40KB
- memory/3376-20-0x0000000000160000-0x000000000016C000-memory.dmp | 48KB
- memory/3376-173-0x0000000004C30000-0x0000000004C40000-memory.dmp | 64KB