31e2ac1d5595bba0ab7edbb7275f3eb35e4f68c640ae7bb8ec35401199efb55c

Analysis

max time kernel
142s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

W-8EXP Tax Exempt.pdf
Size

123KB
MD5

6277a14af3ddadc765720bf6c0b0cfc6
SHA1

437cb905bb73b67b1e230343ae32923da3b09674
SHA256

c3d48afbd34a08aeb81cee280e1645a84bc06f0351c20704f7dd98694d736475
SHA512

eb3077f74e09a025ceb905ddc4807de5a5836ab6fa141a3e7b8cce13d338534e84077884824a95255901789df005dae3cf34dc2bed693ab9bee5ca10d4022a67
SSDEEP

3072:3nHwIBqfeSiim8BeKC7/tfxjPhaFpxovHKaC:dqGS3sAFMvHpC

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AdobeCollabSync.exeRdrCEF.exeFullTrustNotifier.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeAcroRd32.exeAdobeCollabSync.exeRdrCEF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FullTrustNotifier.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

AdobeCollabSync.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\MuiCache AdobeCollabSync.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe
1564	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1564 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

1564 AcroRd32.exe
1564 AcroRd32.exe
1564 AcroRd32.exe
1564 AcroRd32.exe
1564 AcroRd32.exe
1564 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeAdobeCollabSync.exeRdrCEF.exe

description	pid	process	target process
PID 1564 wrote to memory of 2292	1564	AcroRd32.exe	AdobeCollabSync.exe
PID 1564 wrote to memory of 2292	1564	AcroRd32.exe	AdobeCollabSync.exe
PID 1564 wrote to memory of 2292	1564	AcroRd32.exe	AdobeCollabSync.exe
PID 2292 wrote to memory of 4864	2292	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 2292 wrote to memory of 4864	2292	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 2292 wrote to memory of 4864	2292	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 1564 wrote to memory of 4860	1564	AcroRd32.exe	RdrCEF.exe
PID 1564 wrote to memory of 4860	1564	AcroRd32.exe	RdrCEF.exe
PID 1564 wrote to memory of 4860	1564	AcroRd32.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 2832	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 952	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 952	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 952	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 952	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 952	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 952	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 952	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 952	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 952	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 952	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 952	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 952	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 952	4860	RdrCEF.exe	RdrCEF.exe
PID 4860 wrote to memory of 952	4860	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\W-8EXP Tax Exempt.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=2292
3⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4864

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
4⤵
- System Location Discovery: System Language Discovery
PID:4916

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4860

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=84581F322BF9DDCB839F62A1ABA7C1F1 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
- System Location Discovery: System Language Discovery
PID:2832

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8920B0823966789AEE869E75702FB56B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8920B0823966789AEE869E75702FB56B --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
3⤵
- System Location Discovery: System Language Discovery
PID:952

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3DA522406910C41D6EDF5835A51FA241 --mojo-platform-channel-handle=2284 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
- System Location Discovery: System Language Discovery
PID:2644

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=70FE1F3BE5F1974A0A52B84339F7EBA9 --mojo-platform-channel-handle=1900 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
- System Location Discovery: System Language Discovery
PID:2992

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FB5829A341F2B5EAA314BBF824BA9074 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
- System Location Discovery: System Language Discovery
PID:1768

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=24DFD9F5ACC095922A6D969386599722 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=24DFD9F5ACC095922A6D969386599722 --renderer-client-id=7 --mojo-platform-channel-handle=1864 --allow-no-sandbox-job /prefetch:1
3⤵
- System Location Discovery: System Language Discovery
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
9a265ce8e7d6fe868399f07ecf09cec0

SHA1
942d3f71d7b9dc419ed221e57664a3bf6bf85ced

SHA256
b94528b1dfb216ab189741c2dca94c6de21a1e58eca38fe59ca0c1b62d65b26d

SHA512
74b574c7b8b42cbf31300bcc106c752e3b5bf63a0ab1a89cd7a7552874a0d3fd67c7817cec0151e6ac12005237de52331e3f2f7abc3b2b0dfc8828804e9cebbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
9cf5252bddf6052adfc673eda2e22fc5

SHA1
aee4ad65453c43c3d48aaed36b58f86572065d49

SHA256
57b51820254b5e69284407274750367b86bd58e0f6719455147e04b651b4696d

SHA512
d67a793c144db196e885db96abb0e13d900430b13cb311d169a29ec7617199a799e9d8121176e8c4df942eb0f1e351055a0eab9490b4fc4e984a101bb111d7df

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
f348a94281f7b522ab5c3bedd3a5c22b

SHA1
473fea0883eb101ab577c88ad11a69edce0b2f83

SHA256
4369ec7dbb6e479915b93a21d5bf23e5a2cb4ad974d7ef1d7baf32efbdd1f637

SHA512
5508b464e74f05c7b1b5acbe582ec72240c437e17667b17aec763e7bf0d903310577f83683a8d14d5dcef57efd38b2ab6fa686c6fbda3e517e39c39bb6cc3996

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18

Filesize
3.6MB

MD5
4761e9e5022ad59232d3ff1d6365fc28

SHA1
2fbb4de0513928aaf315dba85359cc2e475f90d3

SHA256
52089e103b099774a479dc435d5902b82c85a458522d9ea52657c3011405c58c

SHA512
3cc9497e99bf308b2f90ba2d45bb36f8b765fc184d457d06f63fcf0f4d74fc55d4a450878d1ca713fa6f9b70850e96c6b5fd3af9e84e3dde7e597f520b0d5f90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
d5fdfaf5e0813ba512c3d6785be9fa41

SHA1
723982f8b65118b05a8c3fab44c20d144424fe06

SHA256
75ef8323eab42ba6d5fbfd2e88ff74f5a2a57ab5aa5f1155411d490f0fd686af

SHA512
d7c719947c14f66d817cbba9ee74f8f5855bd769abd3d5c66df3af187ea0480d576f0f0608b1e0f2e7d9304d3a24293be1d10a3676deed27274eb895248e8570

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
924666d0d0d0430221d2f4c46c67ea92

SHA1
bcbc20a480123bae418bd13cdae965a778c298a2

SHA256
4fb3e380e49e1b7b0750e9c6f210c6c1924a6e63b3076892ed0e7973b41b8c23

SHA512
f40cec225b5ff396b114a2f93ef2c79207668216a6d7b4c3d4343a4a9fd13e93638e5e3331a9d609395b9b254404aa9b4222dbf926061059a80ec156974f9b44

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
2fc5f015a6845543996d8d02cdd17a80

SHA1
d7de7d5b763943d011f6fbf0dbc677ff38541ade

SHA256
3c95ab9bc66fb9266d5caafc582b97201569af9e01583b46e8abc044d0a21385

SHA512
36469ad7ea67f1f8c9a20cf28b6f0b28a852c53fdbfc2a8349f07190d81a33033deb81d6e88175af9eb499257353ee3cada118de7b55807d7cd277e3a23137af

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
6475e399905aef8c31a3db9368974332

SHA1
363e39b75aebb20b7490ac7d908a1dcf3b9b145d

SHA256
be47e3de2340a13a9013320a188a91e494270c92f54445f34898c938b66b6afa

SHA512
ec76db9e16a93689cb45bb51bfb40af448184a543ce55cbeea465833ab0fcf780b6385d667d0c612f6b87eaee5d8ad54955d24aafb7027d5ee689504cd55b402

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
14KB

MD5
947f93fe0eed44767626846f28cfde05

SHA1
f6276d2a2b4a9d8a8e23c84019cd3961e9d60e88

SHA256
06a576fc14e995c437b26c0d150b4e84cd745e7cedfd972a84b42b51c842fc9b

SHA512
f97739eb0d22a99b06ef340aefb0d5a5b45b679d28accff3de2565166392c7d2fabaa33f945696f7d456ba2ef323f48e43eb26578f71c8b2e8ed32fb4dc69bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
5.4MB

MD5
a1704864c4cf60bee94efcf0bc41820d

SHA1
397b15d6f4e34164f08ee1fb560b32bf02e57181

SHA256
7a969b1616fe584ef8c6fa03258b43e43785001bb2e2effc86848ffa2aae7d06

SHA512
bd96aa47c4d2d83af91cff0a838979729ac93913ca16132ebd5e795292daca28a298407e9fe439b365878c12ef13c64e6257caf5efbb8fe84010bd626eccc2cc

Download Submit
memory/1564-115-0x000000000C180000-0x000000000C2CD000-memory.dmp

Filesize
1.3MB

Download
memory/1564-111-0x000000000C180000-0x000000000C42B000-memory.dmp

Filesize
2.7MB

Download