4726db7fa32f6c204968dd2e4d289d4235254be54fd2150cf7569f91d0b57c01

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Info Enviada DIAN Acta de Visita 08112023/2.EXISTENCIA REPRESENTACIN LEGAL.pdf
Size

174KB
MD5

16749a6017cd4eda7abdd55dd6fb376b
SHA1

4e3d9465cac2c4e0e2749041c403c8c140d7259e
SHA256

600daabda1ee6cdcbe57b35d8ca6b0a22dbb112984ef588609929043311ada14
SHA512

c7dac9332ff083fb9ac6955a6b204dd6b8381cb3f9a83c7f05306cc0234d44960218881fba32162dee04a88d6be5c5b40d2e3aaad58ce41ab497b9ed3afd6a57
SSDEEP

1536:/vA40fUr/qvqLZpOgGphmZMTElb4baUMYC6TcJ8id7zKo07nyqHJFTC4gh6svZzK:nAAPj/aQZ0bPHg57evXHJFTDgbzg6GfD

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FullTrustNotifier.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3240	AcroRd32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe
3240	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 1388	3240	AcroRd32.exe	89
PID 3240 wrote to memory of 1388	3240	AcroRd32.exe	89
PID 3240 wrote to memory of 1388	3240	AcroRd32.exe	89
PID 1388 wrote to memory of 5624	1388	AdobeCollabSync.exe	90
PID 1388 wrote to memory of 5624	1388	AdobeCollabSync.exe	90
PID 1388 wrote to memory of 5624	1388	AdobeCollabSync.exe	90
PID 5624 wrote to memory of 3528	5624	AdobeCollabSync.exe	95
PID 5624 wrote to memory of 3528	5624	AdobeCollabSync.exe	95
PID 5624 wrote to memory of 3528	5624	AdobeCollabSync.exe	95
PID 3240 wrote to memory of 2096	3240	AcroRd32.exe	99
PID 3240 wrote to memory of 2096	3240	AcroRd32.exe	99
PID 3240 wrote to memory of 2096	3240	AcroRd32.exe	99
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 208	2096	RdrCEF.exe	100
PID 2096 wrote to memory of 5184	2096	RdrCEF.exe	101
PID 2096 wrote to memory of 5184	2096	RdrCEF.exe	101
PID 2096 wrote to memory of 5184	2096	RdrCEF.exe	101
PID 2096 wrote to memory of 5184	2096	RdrCEF.exe	101
PID 2096 wrote to memory of 5184	2096	RdrCEF.exe	101
PID 2096 wrote to memory of 5184	2096	RdrCEF.exe	101
PID 2096 wrote to memory of 5184	2096	RdrCEF.exe	101
PID 2096 wrote to memory of 5184	2096	RdrCEF.exe	101
PID 2096 wrote to memory of 5184	2096	RdrCEF.exe	101
PID 2096 wrote to memory of 5184	2096	RdrCEF.exe	101
PID 2096 wrote to memory of 5184	2096	RdrCEF.exe	101

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Info Enviada DIAN Acta de Visita 08112023\2.EXISTENCIA REPRESENTACIN LEGAL.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=1388
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5624
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
      4⤵
      System Location Discovery: System Language Discovery
      PID:3528
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A1BFBC5A95946AC5EC2E7DCE1C305FE6 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:208
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4C0C9237FE803BEB8F1B6847E94B257D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4C0C9237FE803BEB8F1B6847E94B257D --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5184
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=77D7E45A7B62849A5B5EFC9750AB5C22 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4528
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F50658F724C54919BFF018D68034FE3D --mojo-platform-channel-handle=2396 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5444
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=ECCE51BB4DD307BBC0DCCABCFC469999 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=ECCE51BB4DD307BBC0DCCABCFC469999 --renderer-client-id=6 --mojo-platform-channel-handle=1700 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4436
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=60E713A63EB2B6D86D692DD73AA163C7 --mojo-platform-channel-handle=2516 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
91da9736935195e121c3f80c610fadcf

SHA1
46a347e687e74ddad9bf80746f810c5ed344c194

SHA256
271e0810017133f68be11bf77868fb3cd0f50a9dcc0a375651e5cee9687b05b0

SHA512
070ce2c7fb570326146b7875088330559c7a09cc98bf8b42681350961cd6c56670273812712ac2a8afdc1cb2257ae4bb2be403b0d1c8066473a71fd8821db3cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
40a7721f587c46e25baef406d2296889

SHA1
63932433ad0c54ce5c8f340f43acbff07a8012f4

SHA256
2aff2df1b668c0d2ea183999c72eb22b1dbcde461aafc78d6cef784be514fa51

SHA512
d4a3869ded23242a60bffdebd686fa7961d6dc7c54d3b63d1d96b1576db29f27ef0b31288eaf5d871f7a38fb134a796261c9863c7c343e18a14626497d0f36fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
44de42364e76e2a137c285293beff5dd

SHA1
90498b10ebaa48a56d4d9b28399289ee4245011b

SHA256
3a3e54f3b2a081f629f2271d62680315b29bf105c44ef78e581946342075e096

SHA512
ec539d917c369362cf879624590493d0c811609b7b79d3d4c7eb9d8acc5ed5e10bd26707bd1e178a2f85aad6ee7b4d437136d147c7342069a8221361b5377efd

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18

Filesize
3.8MB

MD5
4d9219b464dca7164080b6ed9c4472e3

SHA1
ef4c464302e241a68cac9c979bb96381f0569eb9

SHA256
e5f8dc9a8a2068bb5d5ad2063bb74a30dffba9ef95b1e0655c9bde6f6588f97a

SHA512
5dba10636e49ee3a41468a8d014a5f6f483918c6962bf109910333f5a32cff9a30796a27aa55a053847bc650e5fd41373b23befb1c2ce1359a1b43099ceb6a0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
a63dc15d95de395a9e5de80446ba6ac5

SHA1
e3ab417d87ecd1a5d17d905874c5f2ae1c3a0d3e

SHA256
d81933b0834133fb1757ef8655b6130f5a64a5725b4baa473b0a3132a62fbdbc

SHA512
a58d14dac9db8b2ca1e7757bcef56bfd81d0edaedd46b47553d416062583bab478690abcf9aba86690e717472d720ec55796db9470c9308850130fe98493558c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
8edcc33d314418defb29b966f6501069

SHA1
aa3a3c24ccfd42eb4e0287e26f9f48d4bc40b636

SHA256
be3e92ecd51204a761d5ce5a8e342cd839ac03928fd556024ac132332aedc659

SHA512
81aef0a11c353e2a669e89b7bf014e529187bf43284793b1357f51ccaf6ef71ea856afa6826c593219436849a63c6fb198e05bd7b678c624cf90b72365018fae

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
507bc8b49e059b5d9b6aeefe0a62bf24

SHA1
1639c6e830d7f441949ebf106e7e1a32323e76e6

SHA256
47950c9ea4bd5947fa4a1865b5e8357e998c2d6c8cfd02915fe51123b4892fed

SHA512
95590183fe295b24e1d1bb2ed708949d8e1ded7ca2a606b588fe23e08563fa48e53a4497d40cc0a0364563e02542e8f346bea06fa135c94017df9dd76d0ae208

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
14KB

MD5
947f93fe0eed44767626846f28cfde05

SHA1
f6276d2a2b4a9d8a8e23c84019cd3961e9d60e88

SHA256
06a576fc14e995c437b26c0d150b4e84cd745e7cedfd972a84b42b51c842fc9b

SHA512
f97739eb0d22a99b06ef340aefb0d5a5b45b679d28accff3de2565166392c7d2fabaa33f945696f7d456ba2ef323f48e43eb26578f71c8b2e8ed32fb4dc69bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
5.7MB

MD5
d6d27b484e36fcdae2b5fa52d1eeb920

SHA1
885ada7df7ac5d3867f92b0336c9d7f563c2fe15

SHA256
771f9b2ffeda234df63a4da46b9215f387df8013b034e42bc2d9ecd306003485

SHA512
b8ab4b4cb3d0676a9e303c8c31de44b7e2873da91e315366eba7dd387713ba49b2134a155b276429e3a46afe2ccb9fd330970e3e8d0d7e271cafd3586d8b6608

Download Submit