74f8cf17b3cc70112c349d3d7da6f4861949b6c49590058c1748cf636efe91c4

Analysis

max time kernel
130s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
14-03-2022 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LifeShare Transplant Donor Services of Oklahoma, Inc. MSA.pdf
Size

716KB
MD5

27f4c66189678891f158c1e1b0993397
SHA1

d26d719b9c2461814c4faaea4ceaf524003585fe
SHA256

f858db3fac905317308bb2fa24d391d37ce5b2cef5e7eb01fa37b20512d7dae5
SHA512

37764a859575662037b8713500c05eeeea0bdabc5252d0a7675688720004783e44a170b2b90e61c961441223bf51204729d528c7efd4c9efd7c22b30ab03fd75

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe
Modifies registry class 1 IoCs

Processes:

AdobeCollabSync.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache AdobeCollabSync.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AdobeCollabSync.exeAdobeCollabSync.exeAcroRd32.exe

pid process

4956 AdobeCollabSync.exe
4832 AdobeCollabSync.exe
1188 AcroRd32.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

AdobeCollabSync.exeAdobeCollabSync.exe

pid process

4956 AdobeCollabSync.exe
4832 AdobeCollabSync.exe

pid	process
4956	AdobeCollabSync.exe
4832	AdobeCollabSync.exe
1188	AcroRd32.exe

pid	process
4956	AdobeCollabSync.exe
4832	AdobeCollabSync.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
1188	AcroRd32.exe
3028	AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeAdobeCollabSync.exeAdobeCollabSync.exeAdobeCollabSync.exeAdobeCollabSync.exeRdrCEF.exe

description	pid	process	target process
PID 1188 wrote to memory of 4216	1188	AcroRd32.exe	AdobeCollabSync.exe
PID 1188 wrote to memory of 4216	1188	AcroRd32.exe	AdobeCollabSync.exe
PID 1188 wrote to memory of 4216	1188	AcroRd32.exe	AdobeCollabSync.exe
PID 4216 wrote to memory of 1636	4216	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4216 wrote to memory of 1636	4216	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4216 wrote to memory of 1636	4216	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 1188 wrote to memory of 4956	1188	AcroRd32.exe	AdobeCollabSync.exe
PID 1188 wrote to memory of 4956	1188	AcroRd32.exe	AdobeCollabSync.exe
PID 1188 wrote to memory of 4956	1188	AcroRd32.exe	AdobeCollabSync.exe
PID 4956 wrote to memory of 4944	4956	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4956 wrote to memory of 4944	4956	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4956 wrote to memory of 4944	4956	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 1188 wrote to memory of 4832	1188	AcroRd32.exe	AdobeCollabSync.exe
PID 1188 wrote to memory of 4832	1188	AcroRd32.exe	AdobeCollabSync.exe
PID 1188 wrote to memory of 4832	1188	AcroRd32.exe	AdobeCollabSync.exe
PID 4832 wrote to memory of 756	4832	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4832 wrote to memory of 756	4832	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4832 wrote to memory of 756	4832	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 1636 wrote to memory of 3632	1636	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 1636 wrote to memory of 3632	1636	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 1636 wrote to memory of 3632	1636	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 1188 wrote to memory of 2232	1188	AcroRd32.exe	RdrCEF.exe
PID 1188 wrote to memory of 2232	1188	AcroRd32.exe	RdrCEF.exe
PID 1188 wrote to memory of 2232	1188	AcroRd32.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe
PID 2232 wrote to memory of 2360	2232	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\LifeShare Transplant Donor Services of Oklahoma, Inc. MSA.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=4216
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
4⤵
PID:3632

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4956

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=4956
3⤵
PID:4944

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4832

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=4832
3⤵
PID:756

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=182C9D2F02E24DE0BA741EC242C5E943 --mojo-platform-channel-handle=1660 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2360

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=97D052B863EA2F9B6A494788FD6AFF91 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=97D052B863EA2F9B6A494788FD6AFF91 --renderer-client-id=2 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:1
3⤵
PID:684

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6E935BD1C57A99B8D8BD4BEDD0F0F3C1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6E935BD1C57A99B8D8BD4BEDD0F0F3C1 --renderer-client-id=4 --mojo-platform-channel-handle=2196 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2364

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D1F39DF7309188AFD07840899F010ECF --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1072

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0EABFE526E53574FE2CCF0B6CB52E643 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4020

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CE55510870FAA0D71397FF39A050F4D8 --mojo-platform-channel-handle=2468 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2424

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3EF0E613CE732764046170C183298C55 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3EF0E613CE732764046170C183298C55 --renderer-client-id=10 --mojo-platform-channel-handle=2496 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2288

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:2744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\ARM\Reader_19.010.20069\AcroRdrDCUpd1901020098.msp
MD5
2372187d70c98713a6d84c0d381eb928

SHA1
3a3a3db42394cfc4821fd05df016e5583be1b299

SHA256
9e3e59b0c25588d65b88eb877d2891f68736f097b9ddd4eaeccf84ecadb44eae

SHA512
0d9e93fb891e79398cfef053c10782106e34e7f12d434f794cdff210448acc7009256b1dc8b9813c7f821f4896141f5cab3266e287a9b1916a8800be3f120397

Download Submit
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\ReaderDCManifest2.msi
MD5
6f014505b038aa70695dc6557662df8b

SHA1
25607777270af2b0a38da97d8d98ab9bc7926980

SHA256
52040d7492e91856c658e4779bdc2de38a81f47e5136d9a772f4559178fbe7fc

SHA512
25c53e4b7c273b3699be727e5a6688dbfad7b6633d78d29e753bc3446b8e2b5e8c752a8842870264fe10a2b3a0246c335bea7457daa289faec67f7ca7c2aaac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\notificationsDB
MD5
4fe2b64a2631d0d6eb30b8f42b49bcf5

SHA1
10c931554e79c2f4280a65ef2ad57ff61a2429ec

SHA256
4901703febb24c665059d25ae6d0769c55051bcdc1b7a72b600252d4c3b0eca0

SHA512
8ad48178aa8d835e0c2028688e41f575e50e21b6b4b59161d08984c300911fda1a4614738bfa5557c3f2d254373a61497b491cbc7fb163afea2dbe08fcb67004

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\eac4cf9da8b4acca06ece00ca75105a1.db
MD5
db094082d4f0575ec4b04cb4c4ed7b2f

SHA1
acbf2301b40ac443be9f5af638c7164d3d326a31

SHA256
647d621210c2a281180a1e678b7be08962610a0e1754bd310c5c6c558a8c5c98

SHA512
48e2889a52fbcae6e7c3004e4feb3f4b1ce32c4e441ba05e24f79c869561bbbcb95ecc0ba1e9743595ecd1f9a6480ae5b2f78af20790f037e39e58902b0db2b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\eac4cf9da8b4acca06ece00ca75105a1.db-wal
MD5
b4cd24b2859dd868be3f3a85e55eeeb9

SHA1
e0e58347fb38f98326910fd2c8b0f7fa48bb6c71

SHA256
cb7a0c68e5cb49f57498f26929dbd44163efbc52811fdedd13cc8a3310020c38

SHA512
ef7e846db44db7d19d1292a672ec774d7130e9b238f3f601068d43af12ef23cb651213fa73daa0c3dd85dde241b3b426cedfe6fad5c85136ab3bb1118e93db60

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\CreativeCloud\CoreSync\EntitySync-2022-03-14.log
MD5
b84233553d8d31da353d4809a2ea1817

SHA1
82bcb4f67ba4e56cf10b785c823a00d9f986aa28

SHA256
2cf23de11cac2a28e634bc1213f3b6fef3012c1ac83c476e829b971c23188a38

SHA512
7e2d2aa29a4f573c056837580ffb23fe2c1fdbf35be3e2e4f0060941fc3b1ade9d1510712c449d563e145d37a351cdf43f03abf151f100a4a1294f3bd1df70bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\CreativeCloud\CoreSync\EntitySync-2022-03-14.log
MD5
ac491637c673a4c9ec7e2b01b7af5d3b

SHA1
53752ee59094c470e54573589d1b76c99150e886

SHA256
f42df93513ec12d7deb16db4d974945dfb115dbdea32318fe2e6240a5274bfee

SHA512
e3af15b365c0bbd06b0168e1a284d23e100e22f9a43e637ced34da16abbaaa8ae4c76462f6002904da7c38884138ebb62c5781528b2f32323aa08b6d01d7fd91

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
a19990dcc3fce92ae6bf8d5a0ca01231

SHA1
f4aed9ca9a174052d2e9a69ffa9fe1415052e21a

SHA256
638b1107e0afae2f363c91c9740bb213eb463f168109ffc1ef16b45e6281f20c

SHA512
743e572073d6620450f9cda51770a5889ce05d111f9092310d11b99b03b414a55c596f3788727cdefebd212ff7a56bd6aab71ec2c1c51211fa8963cc151b908d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
2fca74b4a36eb4671e1bb40f6c7310ba

SHA1
0fba5f29ad460251641babe2439c8e8d7878a130

SHA256
831055b21cf44a6af847a0f693a1f2917ffddf247ca701a9ec6fc33c7b1e807c

SHA512
d65e4ed74d7bbef151ec71c771150668a2a5d9807e4f70c91d87e447a3ea0317b1d672ed653cd7191e650f3cb5f2f61e3d534f1ccc727e208de22c0e7870ccdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18
MD5
9cec97c16e3a5dbe230626186c3d1be2

SHA1
c73e12e7cbec07090f9e7a81dbf4f64fedb095c4

SHA256
a41aa6977dfa88c854196d12262d7685044c7634b58ca690c91a094e41554bff

SHA512
d53b2dde46495ad6698c3094ca72f7106cdeb97f298caec492992b35c0c76094603744d66469080069d3d192c27256e687faea146c7f63bb215f92d3f034c860

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
af019db0d9beac64e6dde4864e14b618

SHA1
742c4edb40244dcd85dd42db740b94281f3e14ef

SHA256
a1d23304bb35278ea702ccab423ebdb56c29a2cfbf56ce3f46819646c5db379b

SHA512
e2a8e0d25374638030ca73c8cc27cf4771d27ced98bce115b7cdb43552cec1053040ebbfb656c2f80bab2526f125c5d295d44229b22cfec9db949bc62458b003

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
935a8abe5e3dbf414d3975dc1fb69f4f

SHA1
06e46daf3f3cdd3d0db644321296a63ef060f241

SHA256
e4e51c1207983c564a68e818f0db928c17c6c02de483ed79d968906f66055323

SHA512
7e1093e028fc0a4497bff8d74d8e5fbd9e50c3d92cda529969b6d64f6540676e74eb604a3f73608638511b83329bc32a7fd09263158ae7e081178a854e78fe49

Download Submit
memory/640-140-0x0000022E0D670000-0x0000022E0D680000-memory.dmp

Filesize
64KB

Download
memory/640-142-0x0000022E0FC90000-0x0000022E0FC94000-memory.dmp

Filesize
16KB

Download
memory/640-141-0x0000022E0D6D0000-0x0000022E0D6E0000-memory.dmp

Filesize
64KB

Download