b24383ce4aab8beb5478d11371c9871e3bc310677bd4dd279c69f15a3af6f01e

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COPY180921348283848482293942938492929440293482828484-PlDF.exe
Size

1.6MB
MD5

f642324ae68a28add963391319efbf95
SHA1

eaab9e1b9a17dc8f8ea06df13422d851c44ec931
SHA256

f01dbb3e35f1231d4bf6fcdabfe7184950c78f9e8f61b9ba6163a16083e0e1da
SHA512

4037d00a181b651aaa5dd0e2a94e1994475d9e3f490807a4ffaa0c8d3083036db831abeba245bbaac02923cb790607747f5d38d8e3a33ca01e5af882f45ec321
SSDEEP

24576:vFLWY02cjr5yKg7VwmhXt6W6LfJWyvnD19CtSrBFmr7eH:R4XghZhH6z5DGtY

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	COPY180921348283848482293942938492929440293482828484-PlDF.exe

Executes dropped EXE 1 IoCs

pid	Process
3120	ToolBoxMng.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ToolBoxMng = "C:\\Users\\Admin\\AppData\\Roaming\\ToolBoxMng.exe"	COPY180921348283848482293942938492929440293482828484-PlDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	COPY180921348283848482293942938492929440293482828484-PlDF.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3148	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe
3148	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 3120	4964	COPY180921348283848482293942938492929440293482828484-PlDF.exe	85
PID 4964 wrote to memory of 3120	4964	COPY180921348283848482293942938492929440293482828484-PlDF.exe	85
PID 4964 wrote to memory of 3120	4964	COPY180921348283848482293942938492929440293482828484-PlDF.exe	85
PID 4964 wrote to memory of 3148	4964	COPY180921348283848482293942938492929440293482828484-PlDF.exe	86
PID 4964 wrote to memory of 3148	4964	COPY180921348283848482293942938492929440293482828484-PlDF.exe	86
PID 4964 wrote to memory of 3148	4964	COPY180921348283848482293942938492929440293482828484-PlDF.exe	86
PID 3148 wrote to memory of 3816	3148	AcroRd32.exe	88
PID 3148 wrote to memory of 3816	3148	AcroRd32.exe	88
PID 3148 wrote to memory of 3816	3148	AcroRd32.exe	88
PID 3816 wrote to memory of 3388	3816	AdobeCollabSync.exe	89
PID 3816 wrote to memory of 3388	3816	AdobeCollabSync.exe	89
PID 3816 wrote to memory of 3388	3816	AdobeCollabSync.exe	89
PID 3148 wrote to memory of 2156	3148	AcroRd32.exe	90
PID 3148 wrote to memory of 2156	3148	AcroRd32.exe	90
PID 3148 wrote to memory of 2156	3148	AcroRd32.exe	90
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 1632	2156	RdrCEF.exe	91
PID 2156 wrote to memory of 4060	2156	RdrCEF.exe	92
PID 2156 wrote to memory of 4060	2156	RdrCEF.exe	92
PID 2156 wrote to memory of 4060	2156	RdrCEF.exe	92
PID 2156 wrote to memory of 4060	2156	RdrCEF.exe	92
PID 2156 wrote to memory of 4060	2156	RdrCEF.exe	92
PID 2156 wrote to memory of 4060	2156	RdrCEF.exe	92
PID 2156 wrote to memory of 4060	2156	RdrCEF.exe	92
PID 2156 wrote to memory of 4060	2156	RdrCEF.exe	92

C:\Users\Admin\AppData\Local\Temp\COPY180921348283848482293942938492929440293482828484-PlDF.exe
"C:\Users\Admin\AppData\Local\Temp\COPY180921348283848482293942938492929440293482828484-PlDF.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Roaming\ToolBoxMng.exe
  "C:\Users\Admin\AppData\Roaming\ToolBoxMng.exe"
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\doc5454.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=3816
      4⤵
      PID:3388
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
        5⤵
        
        PID:440
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=066A846F2A1FFBBC5AC19598A70A9985 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1632
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CD1CDEC1DA2313ACD541044A574824D7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CD1CDEC1DA2313ACD541044A574824D7 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4060
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AE0E9791DC2027B89E798E10A2B1AF30 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1848
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2B265C19F6427AA7B6376976FD2601BF --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:560
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C915FC86AAA2DB3951A5124A7F6D1232 --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4520
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=77B2F7F1B615BB8E97824D6592FBA5CA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=77B2F7F1B615BB8E97824D6592FBA5CA --renderer-client-id=7 --mojo-platform-channel-handle=2376 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e371f0c8bcde82781439410957ed52ab

SHA1
c88f41ee23c247ed161534f09e05596a51b0cfd9

SHA256
a9ce3d76c309163d1ef1baa394139d86362d686b1168534ab611dce46e7346f8

SHA512
1c83a9bc606035609a164347597bb7877c8f41e3a559600c75552d7bc863b5b55444aecd69876f007145fb3cb76853c7123e7e9a8db31e74d835157203a72e1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\notificationsDB

Filesize
24KB

MD5
4fe2b64a2631d0d6eb30b8f42b49bcf5

SHA1
10c931554e79c2f4280a65ef2ad57ff61a2429ec

SHA256
4901703febb24c665059d25ae6d0769c55051bcdc1b7a72b600252d4c3b0eca0

SHA512
8ad48178aa8d835e0c2028688e41f575e50e21b6b4b59161d08984c300911fda1a4614738bfa5557c3f2d254373a61497b491cbc7fb163afea2dbe08fcb67004

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
944c64c06e208d3d64748bcb2487ec16

SHA1
8045f44ac3ff340c5bbe7b5d92ab20f4b1f5c3c5

SHA256
f5f776e44ce7337d939472b73d42c895f5f6fccf46bad6391b4d5b4c53b16d06

SHA512
fc0e65a6e468c3a0287071752a4baf44dfe87f45b11a4f13963af16045002681dccc5b22c594ce2a020245dd00c9fe8ed8348b34f3b312edb45b8c73f085eb12

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
f97abfb60ee8a7f6cb41ca8e79096b9a

SHA1
d0ef3bfa346d709cd58c3ae0d6e6d5a18013fcfe

SHA256
a6ac7598a1eac40019533cd974241abc5e4015b5078dfd8bd24dc0142383d538

SHA512
a462fa4b5e9116214d547795c61218212ee586492b78574da1017e6b86da5d53fcaf2a29cae87501880114b115cd6caed0f0356f608071579d17a9ccc30f7382

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
a1debc450b799acc7c002e4410084f52

SHA1
34a9a2d89a217647d55e22537d187485144c6122

SHA256
d303c4ff5cfcca7830d7a12ce6df65b2fde49db31280cd05dfa997c651c8f0e9

SHA512
2633bdc85308a38d661f99bd80ecae61c35ff610f278af6aab9292b334bcb1a9e11d432c8459cd03521692fee0216d3da543b90df30dcc486a8aec0dedfd896a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
86e0951fff9f06b609969b4c7c7fc930

SHA1
4cbd47935d4cb075e79484199cfcde64f6d36db5

SHA256
bc8e0a934e97386dabb16786efa05edf4cafa0ca52a71c2a477a1979baa39588

SHA512
6b124bcd1032724f920abe9aa6bcb4088a170bde90eb95a5e89f9054c0413f9b78f3d8bba0f7b47f73b9f36e016814f8f8cb319d79c3042f6a7f9e974b629a85

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
e899ce827556bf4def25ebad0f863df6

SHA1
1fea4a1a875d2482ecc884f248ca29785c2ff418

SHA256
2f605f8f5dd08c24e6d06ef914deb0715c3b5fb1ec73714e715dbee014f617cd

SHA512
b1f82784a167be9e13e4075ef642ca6a8381a9d5aba31ebed5506353fe6548e3d3dddf6010607e153d42aa157c0d0dba2a910bac71a2df013517c805f907cc46

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
c47ba6ff997e28c608df567cc3f4fe60

SHA1
d6b113fa422700696a78dfe8bd62199f0c9fd8db

SHA256
56a6030cfaa6406213dd2fcd9ed8fe987ce87fe0494cb31ae99ad6a6f395d5f5

SHA512
fc2fd7228fa152038acd0b586306f977e9df02f0d38ff1ffc7fb82f717464139fe809793e80596f48e427a2a1e925581abfa88ceb9bb0c643c6af5b571157d78

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
0f726df9a5d93809b22d3cdc1000802a

SHA1
4ed9186880c5b7413e179ad95e24a4b51db46929

SHA256
88880e532942390b1714067540386f50f5c141ed5ea68dd6e1698c60c7d5eae5

SHA512
8959a422dc7a47537fe27b290f240eb35fe77ad1d5c385f8f77d0f28bafe9be5e2cc7c6882ad0b9d1bab5a11e1a3a6a9d084e9418b6e5989ade90ba956b39af1

Download Submit
C:\Users\Admin\AppData\Roaming\ToolBoxMng.exe

Filesize
1.1MB

MD5
152679974ee4b978d59bc81faac760f9

SHA1
b6ab76d2c2a83a453d8c9780db58b657e52db60d

SHA256
2d03dac56888b935065096036efef5bed5b1891a97183943b50d4f4367b05ab8

SHA512
983829649a551e5897cbb41168a7dee7561a226bb1c918cc82bcf3dcde865f404d8b7c53a26619208d8bcb55c38687bda2dbd5efaa234f512d7283fed2900088

Download Submit
C:\Users\Admin\AppData\Roaming\doc5454.pdf

Filesize
46KB

MD5
9855f780e442620ea1f8eaab59949581

SHA1
56e57c94960f0dbdf7cc6dacdac2ad9d8f0f52fe

SHA256
23c611b5476cf9962f8ec3b15e89c677c2cec39580504ba94d9aa0425b476d2e

SHA512
62bfe970daece2ddd6c593ab79ec3cf8b79e492095bde3b0cf26fb33dfa5f7c0b1b2a12a0796dce64d1f1634e2efd11655f9bd4c60486d3cefc0afe3669d7508

Download Submit
memory/3120-18-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/3120-62-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/3120-17-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/3120-16-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/3120-179-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4964-20-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4964-0-0x00000000753A2000-0x00000000753A3000-memory.dmp

Filesize
4KB

Download
memory/4964-2-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4964-1-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download