afa26a1246b862c2c3624c21d9927da595337795057c9ea01dce158986be01cc

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac7179f4680f56197b3dad6bc4dcc370N.pdf
Size

89KB
MD5

ac7179f4680f56197b3dad6bc4dcc370
SHA1

e148d74112d875f670c8740899eb0b1a218f154e
SHA256

afa26a1246b862c2c3624c21d9927da595337795057c9ea01dce158986be01cc
SHA512

d25af31870be1aa61dfdbfe3cb129323627f75f53a34df7988516430df8da3b7fc79e79e3695476891e7eaa6a22a4ce259da7ab137597fa8a1bc3c8db5601413
SSDEEP

1536:UPAE69U8vekB83f3bxRrlL/S5JjX342xSzSGQUZQ:G662TBsfdRrxq5JUASzSGFi

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FullTrustNotifier.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4952	AcroRd32.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe
4952	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 4960	4952	AcroRd32.exe	88
PID 4952 wrote to memory of 4960	4952	AcroRd32.exe	88
PID 4952 wrote to memory of 4960	4952	AcroRd32.exe	88
PID 4960 wrote to memory of 3324	4960	AdobeCollabSync.exe	89
PID 4960 wrote to memory of 3324	4960	AdobeCollabSync.exe	89
PID 4960 wrote to memory of 3324	4960	AdobeCollabSync.exe	89
PID 3324 wrote to memory of 4292	3324	AdobeCollabSync.exe	95
PID 3324 wrote to memory of 4292	3324	AdobeCollabSync.exe	95
PID 3324 wrote to memory of 4292	3324	AdobeCollabSync.exe	95
PID 4952 wrote to memory of 320	4952	AcroRd32.exe	99
PID 4952 wrote to memory of 320	4952	AcroRd32.exe	99
PID 4952 wrote to memory of 320	4952	AcroRd32.exe	99
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 2328	320	RdrCEF.exe	100
PID 320 wrote to memory of 5020	320	RdrCEF.exe	101
PID 320 wrote to memory of 5020	320	RdrCEF.exe	101
PID 320 wrote to memory of 5020	320	RdrCEF.exe	101
PID 320 wrote to memory of 5020	320	RdrCEF.exe	101
PID 320 wrote to memory of 5020	320	RdrCEF.exe	101
PID 320 wrote to memory of 5020	320	RdrCEF.exe	101
PID 320 wrote to memory of 5020	320	RdrCEF.exe	101
PID 320 wrote to memory of 5020	320	RdrCEF.exe	101
PID 320 wrote to memory of 5020	320	RdrCEF.exe	101
PID 320 wrote to memory of 5020	320	RdrCEF.exe	101
PID 320 wrote to memory of 5020	320	RdrCEF.exe	101

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ac7179f4680f56197b3dad6bc4dcc370N.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=4960
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
      4⤵
      System Location Discovery: System Language Discovery
      PID:4292
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B384B340EBE228B4EA16693424BB0DCC --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4BD5DBCA0A53F6C845A38243DBD65F4E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4BD5DBCA0A53F6C845A38243DBD65F4E --renderer-client-id=2 --mojo-platform-channel-handle=1704 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5020
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D4EC691B485B5C209F9C26F1D2E5A3A0 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4500
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A9A90D53E0A09FF9C3ADD95BD4156EAE --mojo-platform-channel-handle=2384 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3240
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=43F6DA2BCF23971881C627083C82A74A --mojo-platform-channel-handle=2280 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2244
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0723FC5BDF2BC2BB87004AB7C43F611D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0723FC5BDF2BC2BB87004AB7C43F611D --renderer-client-id=7 --mojo-platform-channel-handle=1932 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
a531e85aea7fc10d568cefd8263597e4

SHA1
5b310270c167ddfb711dd71183837b69bddfb9b3

SHA256
d98af2dfb6521fad5d609051458f1bb0ff5b36f145bc306f0ab1850735d6bdef

SHA512
dd29a5e9c6c5420c086c9eac9bf534ddf492efaafe842a8b187b540ba9003f6346342b21b672e13c42e29dad26a4f39261b45edc5d9818a90694ea71e607b4d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
30d8c3cb1e51d0c671d186e6d6fb5b93

SHA1
88cc6f4b1697b6bb26b36c25fa011b901a6e90d2

SHA256
73c8f6d2fe230d6cb99484562d05d2858475bd56893dec1daadb342e78ca3ad1

SHA512
824101d92002035e1fbef7f9935872325acc75ce509e7a504462b54a79564189f42e9cda846118ca63c5c23defe0712279e609291db0212f8395a21585eb336c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
e4b2877466846bb827a54ceb8c3b70d3

SHA1
dcb7d072ef22b9a85e3e71f21a3c098030f1b5d3

SHA256
65fe14c3230761f4f9680bf91bd956cfd27adb0b3c32f25834b6bedf05c21bc5

SHA512
840305e8614bac2ec24b8b93b912b12b010faab9e98759e1bc7fec8878b49442aac3c1d5d901417425e13971109508c4ce7cb0d8c4d4e1aeb6daaf1d11ea99ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
289c7919c0c7ba7876ff872001a56f18

SHA1
cd4339ef3229b0548e012c528a7bfe795e0902dd

SHA256
9331f15e903dfefbce6bcf608cdda1f3adb0b73442f59ec076342278d810adc4

SHA512
bf99220eb9936f20af784431af8d93eb2bd17d3cf467bb5374754c39758a27e43699a33b7fe4e44b6a103afd8c7281cfd93c2e444c97622714a27bee71e26f62

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18

Filesize
3.6MB

MD5
4761e9e5022ad59232d3ff1d6365fc28

SHA1
2fbb4de0513928aaf315dba85359cc2e475f90d3

SHA256
52089e103b099774a479dc435d5902b82c85a458522d9ea52657c3011405c58c

SHA512
3cc9497e99bf308b2f90ba2d45bb36f8b765fc184d457d06f63fcf0f4d74fc55d4a450878d1ca713fa6f9b70850e96c6b5fd3af9e84e3dde7e597f520b0d5f90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
19b99c835892308701e310fdd3c2702e

SHA1
0322888d289ad5dd9b8e9d4e27b2c73f36548f04

SHA256
2baf3e098cd513b186bbf46141c1e43414ceea8dc526209399ef9116bdfc4aca

SHA512
3129378399d741dc71f83c91d671bf409132d3c6828592cc374c52ebcb55943da7ed6473b5a6b046907f26152b01a430ce537a4431ec74af92871435f0275a60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
6c1a12687252b351f11fccfdc98ff396

SHA1
b686dd996072b15cabaa2a8062d9b90610b25433

SHA256
08a13f069fa5c88879a74d9bb08f21eb38bf14933f272776ed0ee7d91880c428

SHA512
0583606179dc8a3b83485517abea09ec1cac7b491805299beedefc8df1ba4c9bd310ae563e6ad74ac36929a6464682f435a2c76ccb534fa30cce887b46bd646b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
cf11fc987ef7f37c602e1fc03f744b50

SHA1
6d1188316653bfe634b8650086803b6a73bf8b4b

SHA256
d91f9152c15c5c1a033bfb756499bc80e68c3604572fd14cc1d15801c932eb4c

SHA512
85b0013e8b350f0d76cb218ce3bc86382059583655cc6e334e6da0d17e541a850bd64b976ca6c41f133e174311121f57f280edfb72bb4e66fbdbd79ac1e29bcd

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
14KB

MD5
947f93fe0eed44767626846f28cfde05

SHA1
f6276d2a2b4a9d8a8e23c84019cd3961e9d60e88

SHA256
06a576fc14e995c437b26c0d150b4e84cd745e7cedfd972a84b42b51c842fc9b

SHA512
f97739eb0d22a99b06ef340aefb0d5a5b45b679d28accff3de2565166392c7d2fabaa33f945696f7d456ba2ef323f48e43eb26578f71c8b2e8ed32fb4dc69bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
5.4MB

MD5
a1704864c4cf60bee94efcf0bc41820d

SHA1
397b15d6f4e34164f08ee1fb560b32bf02e57181

SHA256
7a969b1616fe584ef8c6fa03258b43e43785001bb2e2effc86848ffa2aae7d06

SHA512
bd96aa47c4d2d83af91cff0a838979729ac93913ca16132ebd5e795292daca28a298407e9fe439b365878c12ef13c64e6257caf5efbb8fe84010bd626eccc2cc

Download Submit