2d790e5ec355a1a57bf362889ab76e6de3b9852b04d8d4a60c5bc8b5662df25b

Analysis

max time kernel
120s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfca659ef61666004b9c4be1744fc2e0N.pdf
Size

120KB
MD5

dfca659ef61666004b9c4be1744fc2e0
SHA1

9d705694b24a7fb09eefb439db5c0a1209994c13
SHA256

2d790e5ec355a1a57bf362889ab76e6de3b9852b04d8d4a60c5bc8b5662df25b
SHA512

811ed719fbc9f77bd963b578a3623694a08873d18768bf2622093c83b2e6ff4f970f3e1cabc24b74af18587e9830f246aba2b0bc308863156af907e77efb76cd
SSDEEP

1536:2ntwuVzGni+Gn5ECHqdip9kzXH0sl0hYnvf2uMnWxLMp6K7phpFwACmBOLgarQ8:UtBRGnifiDxrH0seak5p1DFwjmBOcq3

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FullTrustNotifier.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
836	AcroRd32.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe
836	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 3212	836	AcroRd32.exe	87
PID 836 wrote to memory of 3212	836	AcroRd32.exe	87
PID 836 wrote to memory of 3212	836	AcroRd32.exe	87
PID 3212 wrote to memory of 2012	3212	AdobeCollabSync.exe	88
PID 3212 wrote to memory of 2012	3212	AdobeCollabSync.exe	88
PID 3212 wrote to memory of 2012	3212	AdobeCollabSync.exe	88
PID 836 wrote to memory of 3540	836	AcroRd32.exe	89
PID 836 wrote to memory of 3540	836	AcroRd32.exe	89
PID 836 wrote to memory of 3540	836	AcroRd32.exe	89
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 3860	3540	RdrCEF.exe	92
PID 3540 wrote to memory of 4792	3540	RdrCEF.exe	93
PID 3540 wrote to memory of 4792	3540	RdrCEF.exe	93
PID 3540 wrote to memory of 4792	3540	RdrCEF.exe	93
PID 3540 wrote to memory of 4792	3540	RdrCEF.exe	93
PID 3540 wrote to memory of 4792	3540	RdrCEF.exe	93
PID 3540 wrote to memory of 4792	3540	RdrCEF.exe	93
PID 3540 wrote to memory of 4792	3540	RdrCEF.exe	93
PID 3540 wrote to memory of 4792	3540	RdrCEF.exe	93
PID 3540 wrote to memory of 4792	3540	RdrCEF.exe	93
PID 3540 wrote to memory of 4792	3540	RdrCEF.exe	93
PID 3540 wrote to memory of 4792	3540	RdrCEF.exe	93
PID 3540 wrote to memory of 4792	3540	RdrCEF.exe	93
PID 3540 wrote to memory of 4792	3540	RdrCEF.exe	93
PID 3540 wrote to memory of 4792	3540	RdrCEF.exe	93

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\dfca659ef61666004b9c4be1744fc2e0N.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:836
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=3212
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2012
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
      4⤵
      System Location Discovery: System Language Discovery
      PID:4768
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=97C9F0037523C8FDBFE30C00C72CE928 --mojo-platform-channel-handle=1700 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3860
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=639B715AD5E2E4856D845D33CBB1CFE9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=639B715AD5E2E4856D845D33CBB1CFE9 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4792
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=005F96496C4CDDA2BBCCAB107F3042A4 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4088
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=40FABB3063831D9ECFDB78A0C77C5DE8 --mojo-platform-channel-handle=2448 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3048
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F3867D702CFE9206A4E615A3BA1CF9BB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F3867D702CFE9206A4E615A3BA1CF9BB --renderer-client-id=6 --mojo-platform-channel-handle=2396 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1488
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CB96F58DC49C1B424E9F5F7F1BFBD970 --mojo-platform-channel-handle=2536 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
555d92ade46ae02cc31e221264724555

SHA1
11d0688f56edeb03ff6610af639a865083238501

SHA256
e2a6e2732228d7c980f7294937a578c68ec9e5b466a4d443fa72ee7009c09c77

SHA512
6b449f7fc486d8d31dbd5c680bd0bcd486a51de40762d6a8de23637fac8e5480ca1d5243a0e5b19c15728741ff7695327eec026c80a45ea0bc683ce152240e3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
957d3b098463ca334334a2bc37152044

SHA1
59d612a0da61e29b93c9225a6d463347ab0bd1f5

SHA256
d337f826a622bd1a931aab131e8c6c6c04c9669c39ea429669a4256f7f4ce27a

SHA512
648d6dbc0f3cde0a1ba927cb483fce1574617316a10bf8ad789c8c304e07c2c3adc1f73d469bf37a254b46232b765647d90e89d965e6babe16c7b019538e65ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
d2946344af3b78279e4a91cd4a18ffa9

SHA1
1ed52574f30253d6a919c8dc7f099483b6062936

SHA256
ff8a24561560e78fbae8af61cb8b868f0bb864b30ab6cba006cdede05851f199

SHA512
6e01be737de62928a8a458e90af41d459ea1282b47cc7d5e3346cf22d92d48b90d29a9d0211ec0f9f6a77ccdd08b7f1bd3f35fdb0bebb11ac77bfa173336a48c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
201a03b3e4855d8007ef92bdf310bd9f

SHA1
c34df907465cbe40bc27721f8234b10f12b42107

SHA256
fbf200d6e365f8ae7db672add03d995de35e2e145937404ede06c01e94e99580

SHA512
bf9a0a4986b2600f3b1803555c0cdc771c069a12822a043bc1abc828acb48e1a8589bae4abe36f9166f2e4d8ce5ea118797db9dc01da68a97d87debca3c50bed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18

Filesize
3.6MB

MD5
4761e9e5022ad59232d3ff1d6365fc28

SHA1
2fbb4de0513928aaf315dba85359cc2e475f90d3

SHA256
52089e103b099774a479dc435d5902b82c85a458522d9ea52657c3011405c58c

SHA512
3cc9497e99bf308b2f90ba2d45bb36f8b765fc184d457d06f63fcf0f4d74fc55d4a450878d1ca713fa6f9b70850e96c6b5fd3af9e84e3dde7e597f520b0d5f90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
cd70f9ee6afbddb18e7920f8c57c6362

SHA1
3125e9f15526d718f93572645a4712a39442abac

SHA256
f4bc4b1b735be48bb55d4a2465df85c97314e1e347c6e8e43e39e197b1aceeea

SHA512
979d0b5bac76920929d80b4efd142e622ab8aaed2b232959da57313c7cde73e27633677beb0dd8bc1462d114c6e856fe666d6adbab796ceb008f6e8bbb09f37d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
238ca7e488432d00c8c35c7078063053

SHA1
77ed550598be205eee1938c3ebfeaf9873a601ac

SHA256
8ec4eb007a9929d707740a7221630aae64a46ddb448e28e9ad2276745a22a549

SHA512
18e9591a76a6a4dde58c59b30224cd08a4ab3382465ef7dd20a14853a335712ba107502c540613dcda662b560c2a0c6c4ada7b8a41cbfaad09c471fcf49c9c08

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
8e86356e508a870190b8e4eb392a80c1

SHA1
8a4657425bedae4fb0a133595001fe455a1c8efa

SHA256
3c6544b6aa9a4ea45c3d9418a83788b2f1083b8c3dd81b145e985ddad38be1fa

SHA512
01415530da784a652ab9f3c9f72c9f6d6136ba7b5d0bde917348ad0a80ec455f44485d644c1783393d403f17e8e7c6d245f4e35454715b0fa1f24ed7ba66e94d

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
5.4MB

MD5
a1704864c4cf60bee94efcf0bc41820d

SHA1
397b15d6f4e34164f08ee1fb560b32bf02e57181

SHA256
7a969b1616fe584ef8c6fa03258b43e43785001bb2e2effc86848ffa2aae7d06

SHA512
bd96aa47c4d2d83af91cff0a838979729ac93913ca16132ebd5e795292daca28a298407e9fe439b365878c12ef13c64e6257caf5efbb8fe84010bd626eccc2cc

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
14KB

MD5
947f93fe0eed44767626846f28cfde05

SHA1
f6276d2a2b4a9d8a8e23c84019cd3961e9d60e88

SHA256
06a576fc14e995c437b26c0d150b4e84cd745e7cedfd972a84b42b51c842fc9b

SHA512
f97739eb0d22a99b06ef340aefb0d5a5b45b679d28accff3de2565166392c7d2fabaa33f945696f7d456ba2ef323f48e43eb26578f71c8b2e8ed32fb4dc69bc9

Download Submit