6e2a71338e9d3f5754de59eb99daca0a524a2ca38e54c15d067f08c96f23e94f

Analysis

max time kernel
119s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e2a71338e9d3f5754de59eb99daca0a524a2ca38e54c15d067f08c96f23e94fN.pdf
Size

1.1MB
MD5

f5c69b389a6888cc8735d5bbe9e1fea0
SHA1

064085ebc5f04b70e47d6df16c9a6e2ce47091e2
SHA256

6e2a71338e9d3f5754de59eb99daca0a524a2ca38e54c15d067f08c96f23e94f
SHA512

6380c2fe6ccf226f87b9b97ac52d57d4782b51164574b143818ad2f62c7d276e2eed07fd656323fdc5bd6370fc2c43cf5bc9a8b4814d839f4484d1fda0a9c2f1
SSDEEP

24576:1U0DrA6ZwM5TOKWLGGMBs6JE4/9eZsU0DrA6ZwM5TOKWLGGTAZpfd6UxMM:rrA6ZkKGGRoOrA6ZkKGGlaM

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FullTrustNotifier.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3580	AcroRd32.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe
3580	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 4616	3580	AcroRd32.exe	86
PID 3580 wrote to memory of 4616	3580	AcroRd32.exe	86
PID 3580 wrote to memory of 4616	3580	AcroRd32.exe	86
PID 4616 wrote to memory of 4940	4616	AdobeCollabSync.exe	87
PID 4616 wrote to memory of 4940	4616	AdobeCollabSync.exe	87
PID 4616 wrote to memory of 4940	4616	AdobeCollabSync.exe	87
PID 4940 wrote to memory of 1888	4940	AdobeCollabSync.exe	94
PID 4940 wrote to memory of 1888	4940	AdobeCollabSync.exe	94
PID 4940 wrote to memory of 1888	4940	AdobeCollabSync.exe	94
PID 3580 wrote to memory of 1776	3580	AcroRd32.exe	99
PID 3580 wrote to memory of 1776	3580	AcroRd32.exe	99
PID 3580 wrote to memory of 1776	3580	AcroRd32.exe	99
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 228	1776	RdrCEF.exe	100
PID 1776 wrote to memory of 648	1776	RdrCEF.exe	101
PID 1776 wrote to memory of 648	1776	RdrCEF.exe	101
PID 1776 wrote to memory of 648	1776	RdrCEF.exe	101
PID 1776 wrote to memory of 648	1776	RdrCEF.exe	101
PID 1776 wrote to memory of 648	1776	RdrCEF.exe	101
PID 1776 wrote to memory of 648	1776	RdrCEF.exe	101
PID 1776 wrote to memory of 648	1776	RdrCEF.exe	101
PID 1776 wrote to memory of 648	1776	RdrCEF.exe	101
PID 1776 wrote to memory of 648	1776	RdrCEF.exe	101
PID 1776 wrote to memory of 648	1776	RdrCEF.exe	101
PID 1776 wrote to memory of 648	1776	RdrCEF.exe	101

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\6e2a71338e9d3f5754de59eb99daca0a524a2ca38e54c15d067f08c96f23e94fN.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=4616
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
      4⤵
      System Location Discovery: System Language Discovery
      PID:1888
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A6FFEDCA7956311F66F92C748CF39010 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:228
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=183D8511FC0D4ED53531B80495D79067 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=183D8511FC0D4ED53531B80495D79067 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:648
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C907BCEC8BE85EA40DE5382493BC0819 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3000
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=14ECE0C8B3554E8E77CE5089A62EE1C3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=14ECE0C8B3554E8E77CE5089A62EE1C3 --renderer-client-id=5 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:644
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4B43F1EF1BBF7DF945F9D3A8D9282E3D --mojo-platform-channel-handle=2628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1428
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B11F83B062FE0FDCB9B7B2C76F9497C6 --mojo-platform-channel-handle=2660 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
d184cd9e78ae37e385ea52c506d7f133

SHA1
47c46ac5670c4c86bca308fa8596aefb14731662

SHA256
7a9063339dde955660ff58bcfd35a88406fd4fc9f18f4cfac4e93c84c3b06c73

SHA512
ba7ce7d10e3f61d17ea734ca7df1d5385c46534b80f51d2d5a492808b74a8495b9aba912673530cd7a10b59809d4824316167fe13fec1fad378b22d7ccab3b32

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
11a56c2eeaa526528d311effd4cfb39d

SHA1
477ddf9c125be20d41a1b453f290fe5ba9359bee

SHA256
f5e30bb06d11ac84f1b51b1bbbaf74cf62f64b8e767ab881edcaa53891875df5

SHA512
8d8b2945076b2051deeef6910c3f7e13caa07ad7f8f106ef14f66ca98da354d97bc4eacc48007e3bfc5eb838d596ce995a60b104e2567b4621792dc6e1e4c35a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
8c03fef8bb5b21a062782972c86f58c4

SHA1
b5aa6de4d840cd90727410e4535c3eaabb86f685

SHA256
593a0d05463ce63622f55fbf8895735a88ed627579407b05748f1f262c477627

SHA512
b4fde8d1c379f4c110416f8d2c5053c2cd539b399a257ef7ed0d41cfb4a407f53ee05558ed19bd73176e879544bd183b68aacb973081c87f61ef0b91c4c710e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18

Filesize
3.7MB

MD5
502dd3a5db58e898b572794cced65c2c

SHA1
568af0486c6ae69ac5beeba5b4e92ee92623540b

SHA256
dde2f56bbad161b9a429b100a739e4639c5c91f704dc0b60723a6bb9d0ee9aaf

SHA512
0045efa1d2f4bf8467a4561f3800144f46aab4c5a36bdada9a65c9e177402737e83758900ce9666dc9dc42f6cf8521a056c71e4763fa9ce0a8a3c71893ecd192

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
b62d231458ea3582899bb12c967aa658

SHA1
ba1cbe1889adbaa0e24d2d44f8bf5a9264b80b4e

SHA256
c5b8e8a2da485124df0e719baba77f3670e1eed89958173ae177aeb1f2beb0cd

SHA512
d3113c898599db6351bceae85b3354acce757a9d3b6041aa30b5e62a421dcd551341cdcc2b1f96fe2c81d13f7234098f8cd1a249875330f167332732bf0a667f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
68bd98b29b577da6872c4354ec6f22d8

SHA1
83fe212cdc023f49c05eacff9cdbdf1870f03824

SHA256
2937fa9b6cf04c2b02a9cf74e2370a428e38c2f87a9d84d351c4f19258d29ffc

SHA512
02b59c4d7ce003e07d24c4ff96f94b6fa83462f0f011cc36b9db37b6ada5e53ca35af9bfb6bbb6940a8ea4f25b6979344382bff831819ece9ffccebb09cdaea8

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
f23d64c76bf8add9604369fd3203f82b

SHA1
390956b7f252bed01e18f8fe1e98358fd520543b

SHA256
fef197f96a0d02afa6d79d7cba4fc7bc4a5857bffe594e8146df70071f6283dd

SHA512
071f1c35231671ece1b8c0193d54daf5b972c591c0f33753c0b9652f0da53e06f2bf67707e497a9ab3bedd822c57a70dff17dc2a270b6d22063aaa6761290e43

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
14KB

MD5
947f93fe0eed44767626846f28cfde05

SHA1
f6276d2a2b4a9d8a8e23c84019cd3961e9d60e88

SHA256
06a576fc14e995c437b26c0d150b4e84cd745e7cedfd972a84b42b51c842fc9b

SHA512
f97739eb0d22a99b06ef340aefb0d5a5b45b679d28accff3de2565166392c7d2fabaa33f945696f7d456ba2ef323f48e43eb26578f71c8b2e8ed32fb4dc69bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
5.4MB

MD5
e492c6202e398b6eb131680171578053

SHA1
b48976b15679d86a38812766a986c23d5aabc7a3

SHA256
93948066f51f3a7fbc7fb7ce43ce543ed47f4ef259af09e37aed02e10eea7a67

SHA512
9da511ea03a73bdc2b385b20d79d8395aca0f45fba000a01d4cd1c9c9a13c6fe48e1e1568ec8567eae1f29786497a8e820dd9d5ab3da9e68e57216944cf5f679

Download Submit