ca9f19258a12aadce2ad27cab501da3ce58492e9b6e6d6df9197b64e158f4e22

General

Target

[CV-3] JNT Connect_EN-KO-EN_Engineering.pdf
Size

346KB
MD5

17a31fd297b5fe2e4e2a2e14a5993771
SHA1

7e8248829f584747c8a50783394bfcff7aff0dcc
SHA256

ca9f19258a12aadce2ad27cab501da3ce58492e9b6e6d6df9197b64e158f4e22
SHA512

8887ed9d3ff84237a0de2e7386d3d734118f13d2a8480af3d1eae58cbda96fc24a973c8325d50f751135eb14f8357eb674cee5e9fe6024da90323ecaa7149909

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

AdobeARMHelper.exe

pid process

3148 AdobeARMHelper.exe

pid	process
3148	AdobeARMHelper.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

AcroRd32.exeAdobeARM.exeAdobeARMHelper.exe

pid	process
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
2560	AcroRd32.exe
1872	AdobeARM.exe
1872	AdobeARM.exe
3148	AdobeARMHelper.exe
3148	AdobeARMHelper.exe
3148	AdobeARMHelper.exe
3148	AdobeARMHelper.exe
3148	AdobeARMHelper.exe
3148	AdobeARMHelper.exe
3148	AdobeARMHelper.exe
3148	AdobeARMHelper.exe
3148	AdobeARMHelper.exe
3148	AdobeARMHelper.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2560 AcroRd32.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid process

2560 AcroRd32.exe
2560 AcroRd32.exe
2560 AcroRd32.exe
2560 AcroRd32.exe
2560 AcroRd32.exe
2560 AcroRd32.exe
2560 AcroRd32.exe
1872 AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2560 wrote to memory of 5028	2560	AcroRd32.exe	RdrCEF.exe
PID 2560 wrote to memory of 5028	2560	AcroRd32.exe	RdrCEF.exe
PID 2560 wrote to memory of 5028	2560	AcroRd32.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4312	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe
PID 5028 wrote to memory of 4280	5028	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\[CV-3] JNT Connect_EN-KO-EN_Engineering.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2AB2ECF5455DBC6EE921C699D2672E61 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4312

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A5B9A9496542A3A4FFEB350A5A98788A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A5B9A9496542A3A4FFEB350A5A98788A --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4280

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9770942947922638A7A1BC60D4621C86 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9770942947922638A7A1BC60D4621C86 --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1716

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2607696F324290BBA06E21B26D1B9BD4 --mojo-platform-channel-handle=2564 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2352

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=40301E18305297A63622BE8D2FE5DAF9 --mojo-platform-channel-handle=1964 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2368

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A1C6D341AC69C46FAD561614A9EF5ABE --mojo-platform-channel-handle=2580 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4076

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=742DEDED0D2BBB59E01B147AFD9658C8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=742DEDED0D2BBB59E01B147AFD9658C8 --renderer-client-id=10 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4288

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:3864

C:\ProgramData\Adobe\ARM\S\2125\AdobeARMHelper.exe
"C:\ProgramData\Adobe\ARM\S\2125\AdobeARMHelper.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\2125" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1936

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:3472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\ARM\S\2125\AdobeARM.msi
MD5
daef9610629678de57c4567339f6e52c

SHA1
3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f

SHA256
9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701

SHA512
9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

Download Submit
C:\ProgramData\Adobe\ARM\S\2125\AdobeARMHelper.exe
MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\ProgramData\Adobe\ARM\S\2125\AdobeARMHelper.exe
MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
e5dc224a1cf6d9e0838078c157a27a8a

SHA1
b5f07e48e36462edc6fa351ec1aec1507f8b0a05

SHA256
072266acc395e7999e1635674371bb66d6095ad5dc90f31287304811c69997ca

SHA512
201af73de752bc6b68ce21a499556de39bc3542397544e420227748cb037a642967c91c4b8c570f2246d17c54079b3e6bcf34366d9a894365c14eebe6d030de5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
MD5
23c564970f42c3ab59344934c71b33d8

SHA1
21d5a9fbb1ad360a84ed0d5e66092fba69a34397

SHA256
b0b273efb6f0c6b4f5cf413e210e3e48e2e222ece21d7e19de6bd7d8c9a3cbf4

SHA512
01d4d836b2df5d568099dd51bb5b3daa2fdf2c71c26ad5a26fae24f82fb8c26f28e90e81a02cc26d6bbcb3ecd77ea90683c9a34d45c768df277872b54a045ef1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
44958f765386595d4aa9eae392121602

SHA1
ff409635b2acc606d299ae68e6178cf0752ece19

SHA256
59995effb4f0bd70f220977f0e2d35fc05b21fd57aa57b721902e218f7c67957

SHA512
bf36687f15d064d2d9f0eeac1268c54a14dfcd20d983394050d940b5e287afd4590b370864c1111db345936d4320d9141100454f8bc50b7b4eb2a94dbe9bd4cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
MD5
083aa8e7bfa5ad0b19aeaf904b4fc3ab

SHA1
137256af9f5b6ae72b71069463f258e6a2ef865e

SHA256
3b992f87d47753fbf43892a7d10a0c8cd58a24387aee94ec10363640a825a906

SHA512
4554b819b9b2397f8f3a272471a4a8d2b8f6abc11c2133ac1a93b77a6425ddb66506ee25a067210fdbd6793d301f3b6d3b94b7b878f68e546209bbd58142ff0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log
MD5
81146de46f4e732441604a0166732e6d

SHA1
3d612a70b4bf3842fb6efae07818f0f17df4a7e2

SHA256
7c710c3c2d1107dcd78aebf2525375a9acad2b1ae2c1c158295719e4a454e564

SHA512
54ad39bbf0b51faa11e209734ff78cba886ee0cc5df3c116c052bb37ecd341864930cedf092a0e29dd977a91ebb6edefc1f4f7ad33ff07e25762259396d4066f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads