45a33915beee0ae687988d8c5b78c6e05ea897b9b1ff33bf569cb0fb89635cb4

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

offerta DigitEd spa/MaireTecnimont_OFFERTA_TECNICA_250924.pdf
Size

3.3MB
MD5

d89d119c84c5cb14b52df7b6f98cba00
SHA1

73fe5d9ed67b12bd7fdd8d018401216d68d3a14d
SHA256

577a381832b430c2e9d6d6cce444f3079bbb50141bc8b38810a4a9e32accfca4
SHA512

fee0dd91d8fe0f6d5dcd4e15cab770e375a0b51d9553ecdb9b14bbcc2dea241919a7fe9d38d17af5688119f7c5bf52bda9440e7e571468994689aad2e828bd70
SSDEEP

49152:HJA23lY72hvNJM5O84YTXQVJfWIWCBq7OymY+sGBdG8S4rjIsTs2scyMi/CgYnVe:HJA21s2Sn47VRpY+JB9bLTLAM1nVVX0

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FullTrustNotifier.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2204	AcroRd32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2576	2204	AcroRd32.exe	82
PID 2204 wrote to memory of 2576	2204	AcroRd32.exe	82
PID 2204 wrote to memory of 2576	2204	AcroRd32.exe	82
PID 2576 wrote to memory of 3620	2576	AdobeCollabSync.exe	83
PID 2576 wrote to memory of 3620	2576	AdobeCollabSync.exe	83
PID 2576 wrote to memory of 3620	2576	AdobeCollabSync.exe	83
PID 3620 wrote to memory of 4664	3620	AdobeCollabSync.exe	88
PID 3620 wrote to memory of 4664	3620	AdobeCollabSync.exe	88
PID 3620 wrote to memory of 4664	3620	AdobeCollabSync.exe	88
PID 2204 wrote to memory of 3652	2204	AcroRd32.exe	92
PID 2204 wrote to memory of 3652	2204	AcroRd32.exe	92
PID 2204 wrote to memory of 3652	2204	AcroRd32.exe	92
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 3932	3652	RdrCEF.exe	93
PID 3652 wrote to memory of 4396	3652	RdrCEF.exe	94
PID 3652 wrote to memory of 4396	3652	RdrCEF.exe	94
PID 3652 wrote to memory of 4396	3652	RdrCEF.exe	94
PID 3652 wrote to memory of 4396	3652	RdrCEF.exe	94
PID 3652 wrote to memory of 4396	3652	RdrCEF.exe	94
PID 3652 wrote to memory of 4396	3652	RdrCEF.exe	94
PID 3652 wrote to memory of 4396	3652	RdrCEF.exe	94
PID 3652 wrote to memory of 4396	3652	RdrCEF.exe	94
PID 3652 wrote to memory of 4396	3652	RdrCEF.exe	94
PID 3652 wrote to memory of 4396	3652	RdrCEF.exe	94
PID 3652 wrote to memory of 4396	3652	RdrCEF.exe	94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\offerta DigitEd spa\MaireTecnimont_OFFERTA_TECNICA_250924.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=2576
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
      4⤵
      System Location Discovery: System Language Discovery
      PID:4664
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A4DC53090613BA1BA91521882DCAD13D --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3932
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8A096CFCDCA855B6ECE8BCD394AE9BDC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8A096CFCDCA855B6ECE8BCD394AE9BDC --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4396
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=46EB56B0D79EF36FE77CF4490B4DB6E1 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3188
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BD734B1467B381255437BD7601074CC8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BD734B1467B381255437BD7601074CC8 --renderer-client-id=5 --mojo-platform-channel-handle=1924 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1216
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0FC2436B111E4FA9DCC14CA7E5E7EFF3 --mojo-platform-channel-handle=2536 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=39ABC6E575C209F1469C1EE670C9D8B5 --mojo-platform-channel-handle=2360 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
4338573ae258a191955ff2a18c7f1321

SHA1
ee04caf829363a854f0297ae7a14bac624ce7e3d

SHA256
523a3c11703a9f62063aa00f563bf6922bfb9f5f61383a8ca2a46b168e14ec61

SHA512
ddcee5a3caa4cb38fd6c7b54a2621b155c5675737fcbc589b00b14bc4e8c4fb1499008121a1e696bf4511767e8bb3c52f861642dccd19dfc268ab1debc899e17

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
7aafafd014d174f9fb34376ce463c654

SHA1
a78622c4468e07d914990f2c33a713b0aeddb298

SHA256
30ff1bb834eb8332e05652aed14e1749543d4f3d86aed964ddda5820b67ab120

SHA512
2f8be2cb4b74ab7463dd4be2b3c63e6099e0e1b05f9c9be0905b9648b8eba43ebe211206a5c9d91e1313a5b2f2d16bdedd021a954b4f7d5ee3d403adf2cc2100

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
2791ba208535e33d462c19f43a95986b

SHA1
6195f3dc87e402c704fe98b4bfe9318f215df5c2

SHA256
6da3555381b73e523e82ada7056359b29f93e9dafebcfc85f2c5fcde439b9438

SHA512
d816853991e969a9607b3692b0e3aca9da173c4f5d0e3bf6f66625a7b860770644c55e258652cfd386de6b0d38c9207cc45b76ab4af6359134a2531dfdb476f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18

Filesize
3.6MB

MD5
a49fe08fd28cc93bb302ab5769a2c50c

SHA1
edbf707be634747a22cdd1a01bf7ba1cbde0645d

SHA256
380044b1aa1dfa0f2fdc9229ea91aaedceec4acea88d7f07e063b67b33bf66d5

SHA512
5c7012181ff1b04f232e814fb36162f448593de056915d6e0ec8f11cd980c12e015529172fd6be66412eb76d8f6e0ee79534c8755152c5d6eeaa64d2d30423a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
8d282ed142fad85f32837b4eaabc768f

SHA1
426951200294c30a7f3b74addd5a4f93365981c8

SHA256
31956fd3d317e692051dcbde2d708e9122600d74b49b8811f0e97b7f969c4726

SHA512
7464c220882c0dbec1632d3bc3fba337f46080ecb9ae3882ea618afc54d3b891c49b43308becdf2217415358b5bc71cf78420dacb4db0ea0cfb76d3133cb98e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
177910713565cb929271b50918f4ca53

SHA1
050ad6c23b2ce7b57af7c403be5075843b61cb3e

SHA256
479f987ec65eeebf9f7c7232b1a5924f065cb0ac2d20bd6404a9022a3ad94ced

SHA512
32ba44c5b52d82fd0db56527a85130ffeac3bf8d534b455a99a2b52a0432a0bbad49cfc2160c13e86cbd5a4c431933624a105e33ee07ecb410eeaf6f2a0320e9

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
1bbc57c79a3a10c9667b9d8ceab0e2d0

SHA1
467ae0e9d741114e0078caf064bedcb8e8454d76

SHA256
1fa82caf8669b4106fb5031377989c8806f5d0d61561379fcc9fd3e097d3b58e

SHA512
3c5027a5bab74160e49a548bb9a8ee1b67cff36365f2f7d1356bae9b246b88a721c8a1b59092768b37ca1a040bc3efdef32e745990e2e3f69143d8210dae6de3

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
14KB

MD5
947f93fe0eed44767626846f28cfde05

SHA1
f6276d2a2b4a9d8a8e23c84019cd3961e9d60e88

SHA256
06a576fc14e995c437b26c0d150b4e84cd745e7cedfd972a84b42b51c842fc9b

SHA512
f97739eb0d22a99b06ef340aefb0d5a5b45b679d28accff3de2565166392c7d2fabaa33f945696f7d456ba2ef323f48e43eb26578f71c8b2e8ed32fb4dc69bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
5.4MB

MD5
ef13088a3c26c4808ff1e949d21181d7

SHA1
c334fa3ceb44f31c43ef711bb577d14a1cae05cb

SHA256
32bc482da99b31a0b70d235f081394d5877a330dbe1c3a6c25914fc85bcff4da

SHA512
006eea838e17e65ca92340442d9109be188f1a6bd103ac63d1e58f6704ba7ce4c8b72c5efba6c83023c74be0e2d958ac2692f5e6be584891136d0cfe8657b9b1

Download Submit