Analysis Details
| Category | Package | Started | Completed | Duration | Logs | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| FILE | 2026-06-29 10:08:46 | 2026-06-29 10:09:28 | 42s |
|
||||||
| Reports | JSON | |||||||||
Analysis Log
2026-06-28 14:55:57,955 [root] INFO: Date set to: 20260629T10:08:52, timeout set to: 225 2026-06-29 10:08:52,203 [root] DEBUG: Starting analyzer from: C:\7d7wfxi0 2026-06-29 10:08:52,204 [root] DEBUG: Storing results at: C:\cUJPOo 2026-06-29 10:08:52,206 [root] DEBUG: Pipe server name: \\.\PIPE\pcWTWbc 2026-06-29 10:08:52,207 [root] DEBUG: Python path: C:\Users\Rajesh\AppData\Local\Programs\Python\Python314 2026-06-29 10:08:52,207 [root] INFO: analysis running as an admin 2026-06-29 10:08:52,207 [root] INFO: analysis package specified: "pdf" 2026-06-29 10:08:52,208 [root] DEBUG: importing analysis package module: "modules.packages.pdf"... 2026-06-29 10:08:52,289 [root] DEBUG: imported analysis package "pdf" 2026-06-29 10:08:52,290 [root] DEBUG: initializing analysis package "pdf"... 2026-06-29 10:08:52,290 [lib.common.common] INFO: no wrapping 2026-06-29 10:08:52,322 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation 2026-06-29 10:08:52,324 [root] DEBUG: New location of moved file: C:\Users\Rajesh\AppData\Local\Temp\TD DDF.pdf 2026-06-29 10:08:52,324 [root] INFO: Analyzer: Package modules.packages.pdf does not specify a dll option 2026-06-29 10:08:52,325 [root] INFO: Analyzer: Package modules.packages.pdf does not specify a dll_64 option 2026-06-29 10:08:52,325 [root] INFO: Analyzer: Package modules.packages.pdf does not specify a loader option 2026-06-29 10:08:52,326 [root] INFO: Analyzer: Package modules.packages.pdf does not specify a loader_64 option 2026-06-28 14:56:02,193 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2026-06-28 14:56:02,361 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2026-06-28 14:56:02,393 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2026-06-28 14:56:02,483 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2026-06-28 14:56:02,496 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2026-06-28 14:56:02,497 [lib.api.screenshot] ERROR: No module named 'PIL' 2026-06-28 14:56:02,499 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2026-06-28 14:56:02,505 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2026-06-28 14:56:02,506 [root] DEBUG: Initialized auxiliary module "Browser" 2026-06-28 14:56:02,506 [root] DEBUG: attempting to configure 'Browser' from data 2026-06-28 14:56:02,507 [root] DEBUG: module Browser does not support data configuration, ignoring 2026-06-28 14:56:02,508 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2026-06-28 14:56:02,515 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2026-06-28 14:56:02,515 [root] DEBUG: Initialized auxiliary module "DigiSig" 2026-06-28 14:56:02,515 [root] DEBUG: attempting to configure 'DigiSig' from data 2026-06-28 14:56:02,516 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2026-06-28 14:56:02,516 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2026-06-28 14:56:02,517 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2026-06-28 14:56:03,146 [modules.auxiliary.digisig] DEBUG: File has an invalid signature 2026-06-28 14:56:03,147 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2026-06-28 14:56:03,157 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2026-06-28 14:56:03,158 [root] DEBUG: Initialized auxiliary module "Disguise" 2026-06-28 14:56:03,158 [root] DEBUG: attempting to configure 'Disguise' from data 2026-06-28 14:56:03,158 [root] DEBUG: module Disguise does not support data configuration, ignoring 2026-06-28 14:56:03,158 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2026-06-28 14:56:03,164 [modules.auxiliary.disguise] INFO: Launched background process notepad.exe hidden (PID: 3596) 2026-06-28 14:56:03,170 [modules.auxiliary.disguise] INFO: Disguising GUID to 842c770e-8d4c-479e-81ce-001439b61ed1 2026-06-28 14:56:03,170 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2026-06-28 14:56:03,171 [root] DEBUG: Initialized auxiliary module "Human" 2026-06-28 14:56:03,171 [root] DEBUG: attempting to configure 'Human' from data 2026-06-28 14:56:03,172 [root] DEBUG: module Human does not support data configuration, ignoring 2026-06-28 14:56:03,172 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2026-06-28 14:56:03,173 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2026-06-28 14:56:03,174 [root] DEBUG: Initialized auxiliary module "Screenshots" 2026-06-28 14:56:03,174 [root] DEBUG: attempting to configure 'Screenshots' from data 2026-06-28 14:56:03,175 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2026-06-28 14:56:03,175 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2026-06-28 14:56:03,180 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2026-06-28 14:56:03,181 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2026-06-28 14:56:03,185 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2026-06-28 14:56:03,185 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2026-06-28 14:56:03,186 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2026-06-28 14:56:03,186 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2026-06-28 14:56:03,189 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process 2026-06-28 14:56:03,189 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump 2026-06-28 14:56:09,077 [root] INFO: Restarting WMI Service 2026-06-28 14:56:11,332 [root] DEBUG: package modules.packages.pdf does not support configure, ignoring 2026-06-28 14:56:11,334 [root] WARNING: configuration error for package modules.packages.pdf: error importing data.packages.pdf: No module named 'data.packages' 2026-06-28 14:56:11,337 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation 2026-06-28 14:56:11,341 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe" with arguments ""C:\Users\Rajesh\AppData\Local\Temp\TD DDF.pdf"" with pid 3412 2026-06-28 14:56:11,342 [lib.api.process] INFO: Monitor config for process 3412: C:\7d7wfxi0\dll\3412.ini 2026-06-28 14:56:11,348 [lib.api.process] INFO: Option 'pdf' with value '1' sent to monitor 2026-06-28 14:56:12,861 [lib.api.process] INFO: 32-bit DLL to inject is C:\7d7wfxi0\dll\hJaFnIOU.dll, loader C:\7d7wfxi0\bin\wdHkqEG.exe 2026-06-28 14:56:12,900 [root] DEBUG: Loader: Injecting process 3412 (thread 3636) with C:\7d7wfxi0\dll\hJaFnIOU.dll. 2026-06-28 14:56:12,904 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT. 2026-06-28 14:56:12,906 [root] DEBUG: Successfully injected DLL C:\7d7wfxi0\dll\hJaFnIOU.dll. 2026-06-28 14:56:12,911 [lib.api.process] INFO: Injected into 32-bit <Process 3412 AcroRd32.exe> 2026-06-28 14:56:14,949 [lib.api.process] INFO: Successfully resumed process with pid 3412 2026-06-28 14:56:14,967 [root] DEBUG: 3412: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'. 2026-06-28 14:56:14,970 [root] DEBUG: 3412: Disabling sleep skipping. 2026-06-28 14:56:14,972 [root] DEBUG: 3412: PDF (Adobe) settings enabled. 2026-06-28 14:56:14,973 [root] DEBUG: 3412: Dropped file limit defaulting to 100. 2026-06-28 14:56:15,007 [root] DEBUG: 3412: YaraInit: Compiled 44 rule files 2026-06-28 14:56:15,011 [root] DEBUG: 3412: YaraInit: Compiled rules saved to file C:\7d7wfxi0\data\yara\capemon.yac 2026-06-28 14:56:15,013 [root] DEBUG: 3412: YaraScan: Scanning 0x00E20000, size 0x14c906 2026-06-28 14:56:15,030 [root] DEBUG: 3412: Monitor initialised: 32-bit capemon loaded in process 3412 at 0x73a70000, thread 3636, image base 0xe20000, stack from 0x4f2000-0x500000 2026-06-28 14:56:15,032 [root] DEBUG: 3412: Commandline: "C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe" "C:\Users\Rajesh\AppData\Local\Temp\TD DDF.pdf" 2026-06-28 14:56:15,101 [root] DEBUG: 3412: hook_api: LdrpCallInitRoutine export address 0x76F72980 obtained via GetFunctionAddress 2026-06-28 14:56:15,143 [root] DEBUG: 3412: hook_api: Trampoline creation failed for GetCommandLineA, retrying with HOOK_SAFEST 2026-06-28 14:56:15,145 [root] DEBUG: 3412: hook_api: Trampoline creation failed for GetCommandLineW, retrying with HOOK_SAFEST 2026-06-28 14:56:15,165 [root] DEBUG: 3412: Hooked 635 out of 635 functions 2026-06-28 14:56:15,185 [root] DEBUG: 3412: Syscall hook installed, syscall logging level 1 2026-06-28 14:56:15,206 [root] DEBUG: 3412: RestoreHeaders: Restored original import table. 2026-06-28 14:56:15,208 [root] INFO: Loaded monitor into process with pid 3412 2026-06-28 14:56:15,212 [root] DEBUG: 3412: caller_dispatch: Added region at 0x00E20000 to tracked regions list (kernel32::HeapCreate returns to 0x00E21324, thread 3636). 2026-06-28 14:56:15,214 [root] DEBUG: 3412: YaraScan: Scanning 0x00E20000, size 0x14c906 2026-06-28 14:56:15,230 [root] DEBUG: 3412: ProcessImageBase: Main module image at 0x00E20000 unmodified (entropy change 0.000000e+00) 2026-06-28 14:56:15,238 [root] DEBUG: 3412: DLL loaded at 0x73A30000: C:\Windows\SYSTEM32\ntmarta (0x29000 bytes). 2026-06-28 14:56:15,246 [root] DEBUG: 3412: ProtectionHandler: Adding region at 0x74CF9000 to tracked regions. 2026-06-28 14:56:15,247 [root] DEBUG: 3412: DLL loaded at 0x74CF0000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes). 2026-06-28 14:56:15,249 [root] DEBUG: 3412: DLL loaded at 0x769D0000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes). 2026-06-28 14:56:15,301 [root] DEBUG: 3412: DLL loaded at 0x73A20000: C:\Windows\SYSTEM32\KBDUS (0x6000 bytes). 2026-06-28 14:56:15,317 [root] DEBUG: 3412: ProtectionHandler: Adding region at 0x746CD000 to tracked regions. 2026-06-28 14:56:15,318 [root] DEBUG: 3412: ProtectionHandler: Processing previous tracked region at: 0x74CF0000. 2026-06-28 14:56:15,319 [root] DEBUG: 3412: ProcessTrackedRegion: Updated entropy for tracked region at 0x74CF0000: 4.536475e+00 (from 4.536486e+00) 2026-06-28 14:56:15,323 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x74CF0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\kernel.appcore.dll is in known range, skipping 2026-06-28 14:56:15,325 [root] DEBUG: 3412: DLL loaded at 0x746B0000: C:\Windows\SYSTEM32\Wldp (0x24000 bytes). 2026-06-28 14:56:15,326 [root] DEBUG: 3412: ProtectionHandler: Adding region at 0x74C7B000 to tracked regions. 2026-06-28 14:56:15,424 [root] DEBUG: 3412: ProtectionHandler: Processing previous tracked region at: 0x746B0000. 2026-06-28 14:56:15,425 [root] DEBUG: 3412: ProcessTrackedRegion: Updated entropy for tracked region at 0x746B0000: 5.876921e+00 (from 5.876942e+00) 2026-06-28 14:56:15,426 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x746B0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\wldp.dll is in known range, skipping 2026-06-28 14:56:15,428 [root] DEBUG: 3412: DLL loaded at 0x746E0000: C:\Windows\SYSTEM32\windows.storage (0x608000 bytes). 2026-06-28 14:56:15,583 [root] DEBUG: 3412: DLL loaded at 0x73A10000: C:\Windows\SYSTEM32\profapi (0x18000 bytes). 2026-06-28 14:56:15,745 [root] DEBUG: 3412: DLL loaded at 0x73800000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\Comctl32 (0x210000 bytes). 2026-06-28 14:56:15,754 [root] DEBUG: 3412: InstrumentationCallback: Added region at 0x751524AC (base 0x75130000) to tracked regions list (thread 3636). 2026-06-28 14:56:15,755 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x75130000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll is in known range, skipping 2026-06-28 14:56:15,761 [root] DEBUG: 3412: ProtectionHandler: Adding region at 0x769A3000 to tracked regions. 2026-06-28 14:56:15,775 [root] DEBUG: 3412: ProtectionHandler: Processing previous tracked region at: 0x746E0000. 2026-06-28 14:56:15,781 [root] DEBUG: 3412: ProcessTrackedRegion: Updated entropy for tracked region at 0x746E0000: 6.748780e+00 (from 6.747990e+00) 2026-06-28 14:56:15,782 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x746E0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\windows.storage.dll is in known range, skipping 2026-06-28 14:56:15,783 [root] DEBUG: 3412: DLL loaded at 0x768E0000: C:\Windows\System32\MSCTF (0xd3000 bytes). 2026-06-28 14:56:15,822 [root] DEBUG: 3412: DLL loaded at 0x73760000: C:\Windows\SYSTEM32\TextShaping (0x94000 bytes). 2026-06-28 14:56:15,861 [root] DEBUG: 3412: ProtectionHandler: Adding region at 0x733E6000 to tracked regions. 2026-06-28 14:56:15,877 [root] DEBUG: 3412: ProtectionHandler: Processing previous tracked region at: 0x768E0000. 2026-06-28 14:56:15,879 [root] DEBUG: 3412: ProcessTrackedRegion: Updated entropy for tracked region at 0x768E0000: 6.698540e+00 (from 6.696684e+00) 2026-06-28 14:56:15,880 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x768E0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\msctf.dll is in known range, skipping 2026-06-28 14:56:15,882 [root] DEBUG: 3412: DLL loaded at 0x73380000: C:\Windows\System32\CoreMessaging (0x9b000 bytes). 2026-06-28 14:56:15,884 [root] DEBUG: 3412: ProtectionHandler: Adding region at 0x73360000 to tracked regions. 2026-06-28 14:56:15,896 [root] DEBUG: 3412: ProtectionHandler: Processing previous tracked region at: 0x73380000. 2026-06-28 14:56:15,897 [root] DEBUG: 3412: ProcessTrackedRegion: Updated entropy for tracked region at 0x73380000: 6.428922e+00 (from 6.428927e+00) 2026-06-28 14:56:15,898 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x73380000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\CoreMessaging.dll is in known range, skipping 2026-06-28 14:56:15,899 [root] DEBUG: 3412: DLL loaded at 0x732A0000: C:\Windows\SYSTEM32\wintypes (0xdb000 bytes). 2026-06-28 14:56:15,902 [root] DEBUG: 3412: ProtectionHandler: Adding region at 0x7358D000 to tracked regions. 2026-06-28 14:56:15,975 [root] DEBUG: 3412: ProtectionHandler: Processing previous tracked region at: 0x732A0000. 2026-06-28 14:56:15,978 [root] DEBUG: 3412: ProcessTrackedRegion: Updated entropy for tracked region at 0x732A0000: 6.564400e+00 (from 6.564401e+00) 2026-06-28 14:56:15,979 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x732A0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\WinTypes.dll is in known range, skipping 2026-06-28 14:56:15,980 [root] DEBUG: 3412: DLL loaded at 0x73420000: C:\Windows\System32\CoreUIComponents (0x27e000 bytes). 2026-06-28 14:56:15,983 [root] DEBUG: 3412: DLL loaded at 0x736A0000: C:\Windows\SYSTEM32\textinputframework (0xb9000 bytes). 2026-06-28 14:56:17,640 [modules.auxiliary.human] INFO: Found button "ok", clicking it 2026-06-29 03:09:16,002 [root] DEBUG: 3412: NtTerminateProcess hook: Attempting to dump process 3412 2026-06-29 03:09:16,004 [root] DEBUG: 3412: DoProcessDump: Skipping process dump as code is identical on disk. 2026-06-29 03:09:16,012 [root] DEBUG: 3412: ProcessTrackedRegion: Updated entropy for tracked region at 0x73420000: 6.290003e+00 (from 6.289482e+00) 2026-06-29 03:09:16,016 [root] DEBUG: 3412: ProcessTrackedRegion: Region at 0x73420000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\CoreUIComponents.dll is in known range, skipping 2026-06-29 03:09:16,026 [root] INFO: Process with pid 3412 has terminated 2026-06-29 03:09:21,408 [root] INFO: Process list is empty, terminating analysis 2026-06-29 03:09:22,430 [root] INFO: Created shutdown mutex 2026-06-29 03:09:23,439 [root] INFO: Shutting down package 2026-06-29 03:09:23,440 [root] INFO: Stopping auxiliary modules 2026-06-29 03:09:23,442 [root] INFO: Stopping auxiliary module: Browser 2026-06-29 03:09:23,442 [root] INFO: Stopping auxiliary module: Human 2026-06-29 03:09:26,846 [root] INFO: Stopping auxiliary module: Screenshots 2026-06-29 03:09:26,848 [root] INFO: Finishing auxiliary modules 2026-06-29 03:09:26,848 [root] INFO: Shutting down pipe server and dumping dropped files 2026-06-29 03:09:26,848 [root] WARNING: Folder at path "C:\cUJPOo\debugger" does not exist, skipping 2026-06-29 03:09:26,848 [root] WARNING: Folder at path "C:\cUJPOo\tlsdump" does not exist, skipping 2026-06-29 03:09:26,849 [root] INFO: Analysis completed
Process Log
Pre-Script Log
During-Script Log
Machine Information
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10 | win10 | KVM | 2026-06-29 10:08:46 | 2026-06-29 10:09:27 | internet |
File Details
| File Name |
TD DDF.pdf
|
|---|---|
| File Type | PDF document, version 1.5, 7 page(s) (zip deflate encoded) |
| File Size | 166416 bytes |
| MD5 | f1e834ec4750fc3116987bb0681223bd |
| SHA1 | 95b69c0475cffe58e8b41445e36de30b2e85d94f |
| SHA256 | 1abdbd9f3447644fa5bd670b3d5c7bd72a1c88f9790da429c0edeab1d93cf8b9 VT MWDB Bazaar |
| SHA3-384 | 37b7c4aaedf4229e6b3ac1632e0ad9b1813bb091a9b1334f81ff34b928f546053e8809d2ccb9b52d9aabdb51cc3d2c36 |
| CRC32 | 0E2B6928 |
| TLSH | T1EDF3F12D4A9DBDDFF32187C00A2B7D49356E3076F9C42349162EC75681B4A7E442798B |
| Ssdeep | 3072:8n0gY4zbPYBXAA9wooSPeLjYPojd60UwqfEMHDEUL+j:80gY4wz9wooSCYIAWAEMHDEn |
| Yara |
|
Strings
0000000075 65535 f
20 0 obj
.p5$CW
P%2.'2
7 0 obj
x<Oa8m
<9GeM
t&t64b
YqNlKl
Ph4t:t6t.t!t
56GE-
FUn[f
"6\B_/
17 0 obj
0000000209 65535 f
$%)IIJR
b:7o`|{vf
2fZ;fZ
0000000030 65535 f
4^h#o
>TY.Qo*
M:tKSmT
d6r;V
+%3-A
Yuu7.
r3of-
Tt:|4zK
'&4yR
0000000105 65535 f
99*4&
X9o1N$
0000000123 65535 f
0000000065 65535 f
4 0 obj
0000000071 65535 f
0000000057 65535 f
Microsoft
l-\Y.
0000000027 65535 f
}2]MG
\D0+"`
Op-Fh
0000000077 65535 f
0000000137 65535 f
0000000048 65535 f
e#{F.W.l
0000000079 65535 f
hWKKM+S3
Kc0Q^
0000000097 65535 f
ezYD:
N/bQz
K/Id} ]
=->!-
jM<?{#
>b;ly
\=-WW
0000000217 65535 f
l~jN1
0000001622 00000 n
x.z.%\s&M
I,I,O
xA-!;;
UN@/F
CMn;&E
CvH8D
;O3^m
0000000062 65535 f
228 0 obj
?hPV{
;"Vc}>
^=(}{
0000000196 65535 f
0000000146 65535 f
5hxr$fG
vt`#:
WC}oR.
i5:iO
yI1kK
1<%<-<#<3<+|c
0000000100 65535 f
5 0 obj
Vy5TW-
0000000017 00000 n
<</Type/FontDescriptor/FontName/ABCDEE+Calibri/Flags 32/ItalicAngle 0/Ascent 750/Descent -250/CapHeight 750/AvgWidth 521/MaxWidth 2955/FontWeight 400/XHeight 250/StemV 52/FontBBox[ -503 -250 2452 750] /FontFile2 228 0 R>>
0000000035 65535 f
cDJDZDFDfDV
KmX\/z
SDvJF
\"2DB.
x5"r^
H]?^1
0000000076 65535 f
$BRA"$)
htUtAt5~
0000000156 65535 f
0000000162 65535 f
5O5+Z
MI~Y~
<</Filter/FlateDecode/Length 576>>
0000000164 65535 f
6) /CreationDate(D:20260628171817-07'00') /ModDate(D:20260628171817-07'00') /Producer(
B.-G>s
"5|k|
Jg~9_
6*|jl\
0000000220 65535 f
<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>
>ynKWF8F
%%EOF
s(duy
]A;skA
0000000070 65535 f
mihgC
/STO(
d9l-[
9Z{;xW
`.iEH9
_C7Gb
0000000173 65535 f
U99sBn
FrtSwL&[
kp"=j
0000000486 00000 n
0000000111 65535 f
FZ[QX
0000000129 65535 f
^}yd=F
h-ZCI
h[:iF
;m\fD
<</Filter/FlateDecode/Length 609>>
s0Ox(f
0NxC
|y>)y
}*Yg6
_fo>-
0000000080 65535 f
.3uLT
0000000058 65535 f
0000000098 65535 f
&&\1=
tc|7ielL;^
+Xn6{
0000000143 65535 f
0000003540 00000 n
*T-TK
|s(2C
mlhcC
%PDF-1.5
Dq3/Jk
$oF9]
o4XD',
0000000051 65535 f
%kQYy
iaK<-T
0000000102 65535 f
0000000134 65535 f
IHNBf
0000000031 65535 f
Ep.bt[
0000003806 00000 n
g)#)f$
y>Q?/
).^UJe
g[~\~
m|_,i&2-[
0!\U419
gLa5~
2@[?@
0000000081 65535 f
wh0\z
R>nJ_
w8|&.j
*`,VW
v$84<
vDv6j
`^(2w
0000000210 65535 f
[ 226 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 507 0 0 0 0 0 0 268 0 0 0 0 0 0 579 0 0 0 0 0 0 0 252 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 479 0 423 525 498 305 0 0 230 0 455 230 799 525 527 0 0 349 391 335 0 452]
8~=Pr}
0000000095 65535 f
trailer
<</Filter/FlateDecode/Length 472>>
=mOHh'
0000000024 65535 f
X&vKo,
C5AeH
0000000165 65535 f
<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 16 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 4>>
gd~(Rl
0000000125 00000 n
K9{KD
@%%D{/
R,L<(
0000000050 65535 f
<^Z!2
[TstS
0000000144 65535 f
oNlZl
B]!~SW
>+4]<
*i!A-
9Rh81G
z3X[k
UVf&S
}h~o;
aVr~x=
0000000155 65535 f
NUWW}u
V:Q|k
1Ag0{
0000000142 65535 f
0000000000 65535 f
G1>)c
m|y|9
vz"g7
0000000121 65535 f
!c1d,
Lg&jNc
22!L&
WG2BiH
0000005415 00000 n
zU"n{
QZ1"c
y5%yJi
ey8a_
0000000215 65535 f
J;caSZm@O
Kf_Kf
0000000218 65535 f
0000000033 65535 f
<</Size 230/Root 1 0 R/Info 21 0 R/ID[<DF5F45F1BE584A46AE8A64DE563A01F8><DF5F45F1BE584A46AE8A64DE563A01F8>] >>
<</Type/ExtGState/BM/Normal/ca 1>>
J\cmZ
X?Zyv
>#BriI[
6) >>
3*YJ5
a2"LF
0000000168 65535 f
82_ZHy
_"sMY`
((:yz\d4
fvN2+
0000000206 65535 f
0000000022 65535 f
aY-[7
R9Z^
0000000042 65535 f
18 0 obj
:~YOc-i
PN"7xM
'h>\N
<mSHS^
q,cz~
0000000184 65535 f
hu{uguOu
0000000186 65535 f
ykO`C
u3_7a
;-H5(
ia2-L
ZZ],L
]"[#i
`$2uQC[q
[MRS9
0000000170 65535 f
~&!9V
-c7Zn
O|Y|W
yAo02
k%TA5
%VtUd
QJdcd
d&%d&
t<LMaj
0000000193 65535 f
j>*6[
9I|z'L
*BcBcC
BG8S}
yG<D<
J ($@A
0000000135 65535 f
0000000038 65535 f
0000000201 65535 f
0000000040 65535 f
4I8]8K
/xg6p,P
Z{EFS
fs]1;
JFLJ(
(H)R:
7ImRG
0000000181 65535 f
cYu1^
74;4'L
y=#j|
&Uwv]vd{wYwN
lF7P37
0000000107 65535 f
0000000154 65535 f
,t@GtBgtAWtCw
0000000037 65535 f
q8>|'y
2 0 obj
6tc;z
IrRi\^
wr(eN
0000004465 00000 n
0000000180 65535 f
<</Type/ExtGState/BM/Normal/CA 1>>
%Ke4T"
0000000159 65535 f
'q2q&q
c$5L6
KIFWW
62~*[k
}R}Dc
k,o+m%
k9tp\
f|E$0
v*b,B
+OCZXT
`4X-k
2UM2U
l~oqD
0000000130 65535 f
0000000140 65535 f
0000000183 65535 f
j2";`
SQJE)
t:3c#t
0000000063 65535 f
l,[#E
%3%3p
Kz}<r
:e?Ry
0000000203 65535 f
bsW(N
0000000132 65535 f
0000000113 65535 f
0000000045 65535 f
6zKz+
0000000092 65535 f
0000000082 65535 f
$o2!1
|TBeTAUTCu
Bcjd4(5
0000000163 65535 f
0000000068 65535 f
Q6)o(
+FV(FV*F
229 0 obj
/`F[YQR;f
^5JuW
0000000157 65535 f
S#dL,
0000000117 65535 f
L;gffST
iq4}=FbT
oU]MM
iZMaa
Q`N<!
0000000087 65535 f
0000000108 65535 f
!,{~9b
0000000023 65535 f
D3(!Z
7c<&`"~
YwN:>
0000000127 65535 f
2c@.3
c/o4n
+ocVde
5Vwxj
&rQ9'Q:Q
v#3&S
-GS39F
I?,O)
HQZ5\
0000000190 65535 f
0000000219 65535 f
6 0 obj
endstream
t]oj/
r.<AV
=g%H.v
]_->7
rzdefx
<cB9&7xM
'U0N.E
0jyD>
166233
f1;/f
0000000194 65535 f
uE]VF
1v.Et
b,VHf
itF7bm
0000000136 65535 f
7@3IOB
KrY]N
Oq/KN
\v2T,
0000000195 65535 f
0*8I7
(#2BBj
7-'m`
tIDjhQ
]AkY[v
"/ywr
keopO
DAAT$
FOD'z[
14 0 obj
0000000225 65535 f
~eUcUKU+
<xz4MD
6Z?2_U
9S3Ys
{xhWi
%rArB
/;R%2
eehW
0000160818 00000 n
0000000199 65535 f
eNp,E
,\{.Y
tuq\\
B-YAz
@rAt,
H^M_3
0000000116 65535 f
L1sL2
/bE,D
B/\D/
^K{"=
p4?9>I5
-`X)6
_g=yc
&X(=TAD
|cLSoN&
]F4_h
aI[LK
3pA:%
s}NZa
0000000222 00000 n
0000000069 65535 f
t6;o9o;
8 0 obj
F&LJX
TGCM1
419|JlZ
0000000131 65535 f
Z?j+Za
0000001329 00000 n
,/3Qr
wt;"~!
7+nQ|Jq;
uHkiH
F6]k9J
28 0 obj
0000000171 65535 f
|m5_[
0000000114 65535 f
g$q0=
6#Mwu
b<<&&
<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 10 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 1>>
Hc7+"
LQ8ST
0000000175 65535 f
AO%Jp
0000000106 65535 f
<</Size 230/Root 1 0 R/Info 21 0 R/ID[<DF5F45F1BE584A46AE8A64DE563A01F8><DF5F45F1BE584A46AE8A64DE563A01F8>] /Prev 161473/XRefStm 160818>>
MTYmV[
~@S`9
mFWot
0000000066 65535 f
=VTJw
mzY?|
lk9p&\{W
0000000122 65535 f
SKSMx
-|f\iN4
0000000089 65535 f
5|&.3
Z+Ckeh
MfK`N
r2L9F9
p[2Of
@E-pX
\i[9j
Tuos*
gNw32
0000000115 65535 f
0000000118 65535 f
eX2x%A
]{^nUX`
YY4Kg
oGGGG
|5_Mi|
16 0 obj
{81>Q
w )E{'\
C^~#3
KGJ}1
0000000101 65535 f
w]B>A
0000000208 65535 f
u/+5*
<</Author(Windows User) /Creator(
8X6D?
atm)[S
,6{feI%
xN</~,^
,^K34
v_IM7]
3K#[9#e
k?n%6^]<
,.!<9-r
fz>;3:
b;i|P
+PD3Z
.>W^j.
*RYY1@
..&.2<%
$f%vH
-1jQb
c_=~D
0000000061 65535 f
{+Dt^
=6S1j
V!nB
nL%y+
t]wI=%u
*Q]U7
^b/A|
EGxPt
0000000036 65535 f
0000000158 65535 f
0000000086 65535 f
)}MRl
0000006332 00000 n
161473
s%"X)qV
IQz4S
kIIJR
jrq^=
-hE%c
$190Xb
U@_5Z
Pj*ut
R)I:H
kgD%V
8I:^(/
YqJ4d
0000000147 65535 f
(599Y
0000000172 65535 f
0000000039 65535 f
w}YD4
\h~c.2
xYDGC
Q,7`3
]y3PE]
^TF>
0000000120 65535 f
oXE^_E
3&gMFL.
m96wl
R|5B/
0000000047 65535 f
<</Filter/FlateDecode/Length 150792/Length1 354364>>
0000000052 65535 f
T0]0K
<Yy2E
]\wgT
PByeH
H?dH?dJ?dI?$
lv~ji
<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 18 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 5>>
0000000096 65535 f
yfY"B%M
1loXvXN
,YEVCy
oQmU;
g&So!
,u*+5
^GO_9
227 0 obj
0000000207 65535 f
v:+J{
J2%6'_HlA
4S_SM
,\yS\y+\y
J12O1
pWx(|NK
0000000103 65535 f
0000000176 65535 f
!2XHd
[~Ie~I5
9\8UW
0000006598 00000 n
*kjZS
M!u~kV
"*~*Qc0
0000000133 65535 f
if'_N
834g>
r9Y.'
<</Filter/FlateDecode/Length 600>>
pg\a/
Cu<I^
BUJoJcv
?]-KO
,? *ma
<</Filter/FlateDecode/Length 584>>
~b+}<%3;
Fj+t=
5WZJv
UPZPjF
cM\C|xv
0000000205 65535 f
mm/n-
}7}w|
tE>,v5
0000000141 65535 f
0000000054 65535 f
!1jBb
/P1"H
IR/e-(8
kOKF=
bqV!e
<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 14 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 3>>
0000000043 65535 f
/n4^?
0000000182 65535 f
LcSN7
R}`@A
0000000072 65535 f
* Y,&s
2^#j]
0000000124 65535 f
cnll}
/mF2j$c
`k`{`
{Qdv^+g
p7jLC7]@Q
jS`N:
0000000053 65535 f
`&R/{
0000000222 65535 f
3n'5RS
*\nH?
ry/{g{
EyNy^y!X
bAW0$
TQGj|<
0000000026 65535 f
0000000139 65535 f
|dxbxfX
FQd>cn
blm)[S
on^_bn^_
KC}rdt
(h6pP
U1rP1rH1rX1rD1rT1
+>cpc
yz&}o
0000000028 65535 f
0000000160 65535 f
stream
j)fKQ%E
<</Filter/FlateDecode/Length 586>>
<</Type/XRef/Size 229/W[ 1 4 2] /Root 1 0 R/Info 21 0 R/ID[<DF5F45F1BE584A46AE8A64DE563A01F8><DF5F45F1BE584A46AE8A64DE563A01F8>] /Filter/FlateDecode/Length 452>>
0000009932 00000 n
%<zqO{E=zU7__
kz8=-==]
<;"?)B
AzkR}
#3>T8
"$+At
O$.H\
0000000153 65535 f
6KX=U
Vt=Po
V-rq5
uc,;T
OwQbpw
R5(FX
19 0 obj
+@~=l
DTF4&
o59dp
0000000161 65535 f
P.!S~
<</Type/ObjStm/N 204/First 1748/Filter/FlateDecode/Length 2218>>
c[:~Rg
~dbdG
Jbk2Ob
$9+Nwf
(W^zf?
;yX~/
#O*>Z'
0000000025 65535 f
<</Filter/FlateDecode/Length 598>>
7+^s~a
MTETIt2
6Z5:3
*SeQ}H95
0000000200 65535 f
Y{J^-=
0000000152 65535 f
MHFh}
Zbmjn
0000000213 65535 f
0000000110 65535 f
MfD87Nk
P5OZ+
0000000034 65535 f
=m0u:
0000000221 65535 f
J$J g<Q
12 0 obj
Obnnd
-uy*}
sn%ZT
k|HP?
gnps3
D1E<.
0000000204 65535 f
:2^gr
6_Jcg]
0000000049 65535 f
=eus
1,FDD6
6tc;v
0000000104 65535 f
13 0 obj
Bx4pP8
RIeWR
T7T.T
g7Rhv
wr`z#+e/
0000000145 65535 f
n4%F[
LF7,{
Rj=8yp
0000000178 65535 f
|ws[p
GD[E#
0000000202 65535 f
.9E~,z
qI=.i
-)jvx
0000000085 65535 f
0000000046 65535 f
DutOTW
0000000055 65535 f
0 230
0000000187 65535 f
ogw`o
BcE"4W$
\s"v~
k*4<Aw
startxref
SNL\>1s
)Ff)Ff+F>W
Word 201
G{c\H
i!oB*q
c<@+=Z
IIyIyL
t!Uu!=w!
0000000029 65535 f
p[l46
Y_[Us
VTGae
9f&+>9>
mbOy,
qjv@I
Seh."
@uHWf*(
0000000151 65535 f
0000000091 65535 f
10 0 obj
umDmkcy
0000000067 65535 f
9Eo8y
kS,=k
)m|N2
5f(+2
0000000169 65535 f
~%&Pu
8GV0O
xVV<++
#Q_Z@f
NW1(-
0000009694 00000 n
]iWXJ
cxjfs|
:G^;P
2W\If
hZ4M>
qCY<v
dh\."
"2&262!
.5r<#B
0000004731 00000 n
BWt5~
%O)TJ
]]6vR
T8vFg
11 0 obj
<</Type/Pages/Count 7/Kids[ 3 0 R 9 0 R 11 0 R 13 0 R 15 0 R 17 0 R 19 0 R] >>
0000001160 00000 n
0000000060 65535 f
uoSFx#-
^e-IY
<jp]p
0000000088 65535 f
8xv+M
)Fv(Fv*Fv)[
0000000226 65535 f
vdkmZ
0000000093 65535 f
l]]>L
Yz9K/
0000000166 65535 f
Odu&G
21 0 obj
zSLCTG
0000005681 00000 n
jR1lr1
$%Z6Z
Sd{9@4
0"" Bd
2,pE#
b1by0
g 9Ogr
A%y%y
pNT}o
[X#?`Y
T%9UINU
?t(t$
2m?2!E
0000000044 65535 f
`?(7f
>i^N}
0000000149 65535 f
&ugSbz
gcXLlLRL
/.29ijRL
0000000198 65535 f
0000000119 65535 f
T4Ejs
0000002613 00000 n
0000000138 65535 f
0000000167 65535 f
,v>`Y
xe[eGewe_
0000000177 65535 f
k>?0c
<</Type/Font/Subtype/TrueType/Name/F1/BaseFont/ABCDEE+Calibri/Encoding/WinAnsiEncoding/FontDescriptor 6 0 R/FirstChar 32/LastChar 118/Widths 227 0 R>>
=)PKq
0000000094 65535 f
vu{Q7
0000000179 65535 f
0000001940 00000 n
n:u%Y
Ia;>Q
0000000099 65535 f
#r=V&
0000000188 65535 f
0000000214 65535 f
?|w)|
0000002879 00000 n
Kh5i7
kF{nG
GZ`vp
O`h`|`F`q`]`k`o
Bu/'?
0000000109 65535 f
WkDi)G
9 0 obj
0000000078 65535 f
0000000192 65535 f
0000000197 65535 f
0000000212 65535 f
0000000216 65535 f
15 0 obj
2wr%#W?
VuT]UO
0000000032 65535 f
0000000150 65535 f
YE'^X?
0000000041 65535 f
y2E?_i9
"cYGt
3 0 obj
FPH#(
$*1Wd
0000000189 65535 f
{?U!s
0000000056 65535 f
<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 20 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 6>>
Njz{>hV
2$y&"W
1 0 obj
\J?H#
0000000223 65535 f
Od}3|dMd
0000000185 65535 f
0000000059 65535 f
BlOg{
AcmY;
0000000125 65535 f
%E*%\*
y*_n^
0000000064 65535 f
fWf[j<5U3
}fe6F
\N1}X?
aMX{6
0000000083 65535 f
yVS>L
`&YHX
endobj
be/7o
0Jy;T
K<VS9T_
izdxd8
D5A]MUS
8-^K@
?#m3Q
WF'f&c:Z
v^7L]
Y\fQd
g*'+#~
\)3(r
.I_N_v
k}=D<
IAkOG
&-JMM
BLJVq
b^do'v
V*(V0
]G/k0
-h;6E
A/{.[
0000000074 65535 f
cvzK{yn
s3d^m
rz9urF
A:8ZGsG
*>*M*
7lsz'b~W8
VFP+#2
y3P)/
>)-)C
0000001675 00000 n
0000000128 65535 f
((nb"
0000000073 65535 f
+Vzul
0000000174 65535 f
s9>'*L
s1)7)
0000000084 65535 f
nCr'5
0000000148 65535 f
9RD8-
J)9MCK
x^\xy9y9"//
0000000191 65535 f
lm(-jU
}^lDo
0jG_'C
<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 12 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 2>>
Tr5Y@^
hg^+?2
0000000090 65535 f
0000000112 65535 f
0000000126 65535 f
8qJks[
0000000211 65535 f
0000000224 65535 f
RkH@t
LH0h3
@eldE6
1W@+h
| :+99
^goq+
4#?I3
,1`@?
<</Type/Catalog/Pages 2 0 R/Lang(en-US) /StructTreeRoot 22 0 R/MarkInfo<</Marked true>>>>
0000001569 00000 n
qTRz
Y'GH8
"5e]l4
0ox3PE/
E;-5A
r*v:pv
Ed'@Xd
7b]c)
r uQ=+u!l
\%-Um
Ohhh|hFhqh]hkho
R$?iF~
0000007145 00000 n
RO `WImKm
i?fJ,
Processing 1.09s
- 0.94s CAPE
- 0.112s BehaviorAnalysis
- 0.02s NetworkAnalysis
- 0.014s AnalysisInfo
- 0.001s Debug
Signatures 0.11s
- 0.024s antiav_detectreg
- 0.01s infostealer_ftp
- 0.008s territorial_disputes_sigs
- 0.007s antiav_detectfile
- 0.006s infostealer_im
- 0.006s masquerade_process_name
- 0.005s antianalysis_detectreg
- 0.004s antianalysis_detectfile
- 0.004s infostealer_bitcoin
- 0.004s ransomware_files
- 0.003s antivm_vbox_files
- 0.003s antivm_vbox_keys
- 0.003s infostealer_mail
- 0.002s antivm_vmware_keys
- 0.002s ransomware_extensions_known
- 0.001s antidebug_devices
- 0.001s antivm_generic_diskreg
- 0.001s antivm_parallels_keys
- 0.001s antivm_vbox_devices
- 0.001s antivm_vmware_files
- 0.001s antivm_vpc_keys
- 0.001s antivm_xen_keys
- 0.001s ketrican_regkeys
- 0.001s bypass_firewall
- 0.001s disables_backups
- 0.001s disables_browser_warn
- 0.001s disables_power_options
- 0.001s folder_enumeration
- 0.001s recon_fingerprint
Reporting 0.01s
- 0.008s JsonDump
Signatures
Network activity detected but not expressed in monitor API logs
ip: 173.194.76.94
ip: 40.126.31.131
ip: 108.177.15.139
ip: 108.177.15.94
ip: 74.125.206.84
ip: 66.102.1.138
ip: 74.125.206.138
ip: 74.125.133.95
ip: 142.251.150.119
ip: 142.251.168.139
ip: 142.251.168.100
ip: 74.125.206.101
ip: 74.125.71.94
ip: 142.251.16.94
Queried the FIPS cryptography policy, can be used to adapt C2 network encryption or by legitimate encryption software
behavioral_fips_reconnaissance: ["AcroRd32.exe (PID: 3412) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'", "AcroRd32.exe (PID: 3412) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'", "AcroRd32.exe (PID: 3412) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'", "AcroRd32.exe (PID: 3412) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'", "AcroRd32.exe (PID: 3412) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'"]
Binary file triggered YARA rule
Binary triggered YARA rule: multiple_versions
Systematically searches multiple user directories using wildcards, common in ransomware/wipers/infostealers
target_folder: C:\Users\Rajesh\AppData\LocalLow\Adobe\Linguistics\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Microsoft\IMJP*\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\9.0\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\11.0\*
target_folder: C:\Users\Rajesh\AppData\Local\Temp\acrord32_sbx\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Adobe\LogTransport2\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Adobe\Headlights\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Microsoft\Outlook\*
target_folder: C:\Users\Rajesh\AppData\LocalLow\Adobe\Acrobat\11.0\*
target_folder: C:\Users\Rajesh\AppData\Local\Adobe\Acrobat\11.0\*
target_folder: C:\Users\Rajesh\AppData\Local\Adobe\Color\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Microsoft\Speech\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Microsoft\IME*\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Adobe\Flash Player\AssetCache\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\Privileged\11.0\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\8.0\*
target_folder: C:\Users\Rajesh\AppData\LocalLow\Microsoft\IME*\*
target_folder: C:\Users\Rajesh\AppData\Local\Microsoft\IMJP*\*
target_folder: C:\Users\Rajesh\AppData\Local\Microsoft\Windows\INetCache\*
target_folder: C:\Users\Rajesh\AppData\Local\Microsoft\Outlook\*
target_folder: C:\Users\Rajesh\AppData\LocalLow\Microsoft\IMJP*\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\10.0\*
target_folder: C:\Users\Rajesh\AppData\Local\Microsoft\IME*\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Microsoft\Crypto\RSA\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Adobe\Linguistics\*
target_folder: C:\Users\Rajesh\Documents\ArcotIDs\*
target_folder: C:\Users\Rajesh\AppData\Roaming\Arcot\Ids\*
Screenshots
Hosts
| Direct | IP | Country Name | ASN |
|---|---|---|---|
| Y | 173.194.76.94 [VT] | unknown | - |
| Y | 40.126.31.131 [VT] | unknown | - |
| Y | 108.177.15.139 [VT] | unknown | - |
| Y | 108.177.15.94 [VT] | unknown | - |
| Y | 74.125.206.84 [VT] | unknown | - |
| Y | 66.102.1.138 [VT] | unknown | - |
| Y | 74.125.206.138 [VT] | unknown | - |
| Y | 74.125.133.95 [VT] | unknown | - |
| Y | 142.251.150.119 [VT] | unknown | - |
| Y | 142.251.168.139 [VT] | unknown | - |
| Y | 142.251.168.100 [VT] | unknown | - |
| Y | 74.125.206.101 [VT] | unknown | - |
| Y | 74.125.71.94 [VT] | unknown | - |
| Y | 142.251.16.94 [VT] | unknown | - |
Summary
- C:\Windows\System32\ntmarta.dll
- C:\Windows\System32\kernel.appcore.dll
- C:\Windows\System32\bcryptPrimitives.dll
- \Device\CNG
- C:\Program Files (x86)\Adobe\Reader 11.0\Reader\plug_ins\Test_Tools\Automation.api
- C:\Users\Rajesh\AppData\Local\Temp\TD DDF.pdf
- C:\Users
- C:\Users\Rajesh
- C:\Users\Rajesh\AppData
- C:\Users\Rajesh\AppData\Local
- C:\Users\Rajesh\AppData\Local\Temp
- C:\
- C:\Users\Rajesh\Desktop\TD DDF.pdf
- C:\Users\Rajesh\Desktop
- C:\Windows\System32\KBDUS.DLL
- C:\Program Files (x86)\Adobe\Reader 11.0\Reader\plug_ins\Test_Tools\aaFEAT.api
- C:\Windows\System32\windows.storage.dll
- C:\Windows\System32\wldp.dll
- C:\Program Files (x86)\*
- C:\Program Files (x86)
- C:\Windows\*
- C:\Windows
- C:\Program Files (x86)\Adobe\Reader 11.0\*
- C:\Program Files (x86)\Adobe\Reader 11.0
- C:\Program Files (x86)\Adobe
- C:\Program Files (x86)\Adobe\Reader 11.0\
- C:\Program Files (x86)\Adobe\Reader 11.0\Reader\*
- C:\Program Files (x86)\Adobe\Reader 11.0\Reader
- C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\Privileged\11.0\*
- C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\Privileged\11.0
- C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\Privileged
- C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat
- C:\Users\Rajesh\AppData\Roaming
- C:\Users\Rajesh\AppData\Roaming\Adobe
- C:\Users\Rajesh\AppData\Roaming\Microsoft\Crypto\RSA\*
- C:\Users\Rajesh\AppData\Roaming\Microsoft\Crypto\RSA
- C:\Users\Rajesh\AppData\Roaming\Microsoft\Crypto
- C:\Users\Rajesh\AppData\Roaming\Microsoft
- C:\Users\Rajesh\AppData\Roaming\Arcot\Ids\*
- C:\Users\Rajesh\AppData\Roaming\Arcot\Ids
- C:\Users\Rajesh\AppData\Roaming\Arcot
- C:\Users\Rajesh\AppData\Local\Microsoft\Outlook\*
- C:\Users\Rajesh\AppData\Local\Microsoft\Outlook
- C:\Users\Rajesh\AppData\Local\Microsoft
- C:\Users\Rajesh\AppData\Roaming\Microsoft\Outlook\*
- C:\Users\Rajesh\AppData\Roaming\Microsoft\Outlook
- C:\Users\Rajesh\AppData\Local\Microsoft\Windows\INetCache\*
- C:\Users\Rajesh\AppData\Local\Microsoft\Windows\INetCache
- C:\Users\Rajesh\AppData\Local\Microsoft\Windows
- C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\8.0\*
- C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\8.0
- C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\9.0\*
- C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\9.0
- C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\10.0\*
- C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\10.0
- C:\Users\Rajesh\AppData\Local\Temp\acrord32_sbx
- C:\Users\Rajesh\AppData\Local\Temp\acrord32_sbx\*
- C:\Windows\System32
- C:\Users\Rajesh\AppData\LocalLow\Adobe\Acrobat\11.0
- C:\Users\Rajesh\AppData\LocalLow\Adobe\Acrobat\11.0\*
- C:\Users\Rajesh\AppData\LocalLow
- C:\Users\Rajesh\AppData\LocalLow\Adobe
- C:\Users\Rajesh\AppData\LocalLow\Adobe\Acrobat
- C:\Users\Rajesh\AppData\LocalLow\Adobe\Linguistics
- C:\Users\Rajesh\AppData\LocalLow\Adobe\Linguistics\*
- C:\Users\Rajesh\AppData\LocalLow\Microsoft\IMJP*\*
- C:\Users\Rajesh\AppData\LocalLow\Microsoft\IMJP*
- C:\Users\Rajesh\AppData\LocalLow\Microsoft
- C:\Users\Rajesh\AppData\LocalLow\Microsoft\IME*\*
- C:\Users\Rajesh\AppData\LocalLow\Microsoft\IME*
- C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\11.0
- C:\Users\Rajesh\AppData\Roaming\Adobe\Acrobat\11.0\*
- C:\Users\Rajesh\AppData\Local\Adobe\Acrobat\11.0
- C:\Users\Rajesh\AppData\Local\Adobe\Acrobat\11.0\*
- C:\Users\Rajesh\AppData\Local\Adobe
- C:\Users\Rajesh\AppData\Local\Adobe\Acrobat
- C:\Users\Rajesh\AppData\Local\Adobe\Color
- C:\Users\Rajesh\AppData\Local\Adobe\Color\*
- C:\Users\Rajesh\AppData\Roaming\Adobe\Linguistics
- C:\Users\Rajesh\AppData\Roaming\Adobe\Linguistics\*
- C:\Users\Rajesh\AppData\Roaming\Microsoft\Speech
- C:\Users\Rajesh\AppData\Roaming\Microsoft\Speech\*
- C:\Users\Rajesh\AppData\Roaming\Adobe\LogTransport2
- C:\Users\Rajesh\AppData\Roaming\Adobe\LogTransport2\*
- C:\Users\Rajesh\AppData\Roaming\Adobe\Headlights
- C:\Users\Rajesh\AppData\Roaming\Adobe\Headlights\*
- C:\Users\Rajesh\AppData\Roaming\Adobe\Flash Player\AssetCache
- C:\Users\Rajesh\AppData\Roaming\Adobe\Flash Player\AssetCache\*
- C:\Users\Rajesh\AppData\Roaming\Adobe\Flash Player
- C:\Users\Rajesh\AppData\Roaming\Microsoft\IME*\*
- C:\Users\Rajesh\AppData\Roaming\Microsoft\IME*
- C:\Users\Rajesh\AppData\Local\Microsoft\IME*\*
- C:\Users\Rajesh\AppData\Local\Microsoft\IME*
- C:\Users\Rajesh\AppData\Roaming\Microsoft\IMJP*\*
- C:\Users\Rajesh\AppData\Roaming\Microsoft\IMJP*
- C:\Users\Rajesh\AppData\Local\Microsoft\IMJP*\*
- C:\Users\Rajesh\AppData\Local\Microsoft\IMJP*
- C:\Users\Rajesh\Documents\ArcotIDs\*
- C:\Users\Rajesh\Documents\ArcotIDs
- C:\Users\Rajesh\Documents
- C:\Users\Rajesh\AppData\Local\Lotus\Notes\Data
- C:\Users\Rajesh\AppData\Roaming\Intuit\Quicken\Log
- C:\Users\Rajesh\AppData\Roaming\Justsystem
- C:\Users\Rajesh\AppData\Roaming\Enfocus Prefs Folder
- C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe.3.Manifest
- C:\Windows\System32\msctf.dll
- C:\Windows\Fonts\staticcache.dat
- C:\Windows\System32\TextShaping.dll
- C:\Windows\System32\textinputframework.dll
- C:\Windows\System32\CoreUIComponents.dll
- C:\Windows\System32\CoreMessaging.dll
- C:\Windows\System32\WinTypes.dll
- C:\Windows\SystemResources\USER32.dll.mun
- HKEY_LOCAL_MACHINE\Software\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bProtectedMode
- HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\Privileged
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\bEnableAlternateTempDirectory
- bEnableAlternateTempDirectory
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\bEnableAlternateLaunchDesktop
- bEnableAlternateLaunchDesktop
- HKEY_LOCAL_MACHINE\Software\Adobe\Adobe Acrobat\11.0\Security
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\bEnforceReadRestrictions
- bEnforceReadRestrictions
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\bEnableGlobalAtomRestrictions
- bEnableGlobalAtomRestrictions
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\bPreventCreatingExecutables
- bPreventCreatingExecutables
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\bEnableBinaryPlantingProtection
- bEnableBinaryPlantingProtection
- HKEY_LOCAL_MACHINE\Software\Adobe\Acrobat Reader\11.0\Installer
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Acrobat Reader\11.0\Installer\Path
- HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\AVGeneral
- HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\11.0\AVGeneral\iMaxMRUCnt
- HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\AVGeneral\cRecentFiles\c1
- HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\11.0\AVGeneral\cRecentFiles\c1\aFS
- HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\11.0\AVGeneral\cRecentFiles\c1\tDIText
- HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\11.0\AVGeneral\cRecentFiles\c1\sDI
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
- HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\AVGeneral\cRecentFiles\c2
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bDisableCryptBroker
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Keyboard Layout\Preload
- HKEY_CURRENT_USER\Keyboard Layout\Preload\1
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000409
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\00000409\Layout File
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\00000409\Attributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bUseWhitelistConfigFile
- HKEY_CURRENT_USER\
- HKEY_CLASSES_ROOT\
- HKEY_LOCAL_MACHINE\
- HKEY_USERS\
- HKEY_CURRENT_CONFIG\
- HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\11.0
- HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0
- HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\11.0
- HKEY_CURRENT_USER\Software\Adobe\Adobe ARM\1.0\ARM
- HKEY_CURRENT_USER\Software\Adobe\CommonFiles\Usage\Reader 11
- HKEY_LOCAL_MACHINE\SOFTWARE\Justsystem\ATOK\Setup\Folder
- Atok23
- Atok24
- HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\Language\current\
- HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\11.0\Language\current\(Default)
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\System
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AcroRd32.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
- HKEY_LOCAL_MACHINE\Software\Microsoft\Input
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bProtectedMode
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\bEnableAlternateTempDirectory
- bEnableAlternateTempDirectory
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\bEnableAlternateLaunchDesktop
- bEnableAlternateLaunchDesktop
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\bEnforceReadRestrictions
- bEnforceReadRestrictions
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\bEnableGlobalAtomRestrictions
- bEnableGlobalAtomRestrictions
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\bPreventCreatingExecutables
- bPreventCreatingExecutables
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\bEnableBinaryPlantingProtection
- bEnableBinaryPlantingProtection
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Acrobat Reader\11.0\Installer\Path
- HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\11.0\AVGeneral\iMaxMRUCnt
- HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\11.0\AVGeneral\cRecentFiles\c1\aFS
- HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\11.0\AVGeneral\cRecentFiles\c1\tDIText
- HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\11.0\AVGeneral\cRecentFiles\c1\sDI
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bDisableCryptBroker
- HKEY_CURRENT_USER\Keyboard Layout\Preload\1
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\00000409\Layout File
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\00000409\Attributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bUseWhitelistConfigFile
- Atok23
- Atok24
- HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\11.0\Language\current\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
- Global\ARM Update Mutex
- Global\Acro Update Mutex
- {100184D2-BDC3-477a-B8D3-65548B67914C}_3412
- Local\SM0:3412:168:WilStaging_02
- Local\MSCTF.Asm.MutexDefault2
- CicLoadWinStaWinSta0
- Local\MSCTF.CtfMonitorInstMutexDefault2
No results found.
No behavioral analysis data available.
Sorry! No strace.
Sorry! No tracee.
Hosts
No hosts contacted.
TCP Connections
No TCP connections recorded.
UDP Connections
No UDP connections recorded.
DNS Requests
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP Traffic
No SMTP traffic performed.
IRC Traffic
No IRC requests performed.
ICMP Traffic
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
No dropped files found.
Sorry! No process dumps.