13ecb35ec660161bb8b41e544eb5e4c58a51e60451fc809d04d49934135df044

Analysis

max time kernel
128s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
14-03-2022 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LifeShare Transplant Donor Services of Oklahoma, Inc. INOF.pdf
Size

577KB
MD5

4ab83d225b09c4ba7ed395a9a0333b4c
SHA1

6dad4fbb5de3e54b477bd3f68317977ea7802c66
SHA256

1d7b5b8bfeea1d2e9e97ad5336dc1402b151afcb5d50ce3ca618de7a77d23a16
SHA512

35871af277930921ce76646b3efa72512866ddb31cebf12201229e51d9737921c913d2c9516538de0136bfc9cde4c45fb7eb11c605855078ea880236d8d2b6d5

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

AdobeCollabSync.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache AdobeCollabSync.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

AcroRd32.exe

pid	process
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

AdobeCollabSync.exeAcroRd32.exe

pid process

1788 AdobeCollabSync.exe
4092 AcroRd32.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

AdobeCollabSync.exe

pid process

1788 AdobeCollabSync.exe

pid	process
1788	AdobeCollabSync.exe
4092	AcroRd32.exe

pid	process
1788	AdobeCollabSync.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4092	AcroRd32.exe
4700	AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeAdobeCollabSync.exeAdobeCollabSync.exeAdobeCollabSync.exeRdrCEF.exe

description	pid	process	target process
PID 4092 wrote to memory of 1896	4092	AcroRd32.exe	AdobeCollabSync.exe
PID 4092 wrote to memory of 1896	4092	AcroRd32.exe	AdobeCollabSync.exe
PID 4092 wrote to memory of 1896	4092	AcroRd32.exe	AdobeCollabSync.exe
PID 1896 wrote to memory of 2380	1896	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 1896 wrote to memory of 2380	1896	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 1896 wrote to memory of 2380	1896	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4092 wrote to memory of 1788	4092	AcroRd32.exe	AdobeCollabSync.exe
PID 4092 wrote to memory of 1788	4092	AcroRd32.exe	AdobeCollabSync.exe
PID 4092 wrote to memory of 1788	4092	AcroRd32.exe	AdobeCollabSync.exe
PID 1788 wrote to memory of 2228	1788	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 1788 wrote to memory of 2228	1788	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 1788 wrote to memory of 2228	1788	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 2380 wrote to memory of 1852	2380	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 2380 wrote to memory of 1852	2380	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 2380 wrote to memory of 1852	2380	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 4092 wrote to memory of 3944	4092	AcroRd32.exe	RdrCEF.exe
PID 4092 wrote to memory of 3944	4092	AcroRd32.exe	RdrCEF.exe
PID 4092 wrote to memory of 3944	4092	AcroRd32.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 1128	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3736	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3736	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3736	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3736	3944	RdrCEF.exe	RdrCEF.exe
PID 3944 wrote to memory of 3736	3944	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\LifeShare Transplant Donor Services of Oklahoma, Inc. INOF.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4092

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=1896
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
4⤵
PID:1852

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1788

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=1788
3⤵
PID:2228

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=356316174CAD0D2D7556E0F040E73793 --mojo-platform-channel-handle=1716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1128

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=24564E8BF8967EFCAB4141BD0DCB433D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=24564E8BF8967EFCAB4141BD0DCB433D --renderer-client-id=2 --mojo-platform-channel-handle=1812 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3736

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BF8EA974F2BC5CD79EF302466FA3E4D6 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4164

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=24C3CAF48E87A99A651EE602816A8C6D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=24C3CAF48E87A99A651EE602816A8C6D --renderer-client-id=5 --mojo-platform-channel-handle=2412 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4192

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9692A2B29C297AA4E18E9938901FB38B --mojo-platform-channel-handle=1868 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4368

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8F36E1A0309D5C3E2150EC9F330DDDAF --mojo-platform-channel-handle=2864 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4464

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9C9402105D679FF324E0B5C04CF13FB7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9C9402105D679FF324E0B5C04CF13FB7 --renderer-client-id=10 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4548

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:4804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:4824

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\ARM\Reader_19.010.20069\AcroRdrDCUpd1901020098.msp
MD5
014a2d746cf34d22ceacdce615ddf220

SHA1
ad2ba349fd481b153bfabebcb5f06dba9fe6ec9a

SHA256
0f89b9bf009908b04fa2a06765607f361885290f86e60f19e782d80e224989ef

SHA512
27e04f7377fa152cf27fe586193dca10bcfa1877ef9ad80228bda8a2589c368ce2f1dae8dac0f8932c5fd364c096d5f11c17d4e380e90e47986c1c211ddd9447

Download Submit
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\ReaderDCManifest2.msi
MD5
6f014505b038aa70695dc6557662df8b

SHA1
25607777270af2b0a38da97d8d98ab9bc7926980

SHA256
52040d7492e91856c658e4779bdc2de38a81f47e5136d9a772f4559178fbe7fc

SHA512
25c53e4b7c273b3699be727e5a6688dbfad7b6633d78d29e753bc3446b8e2b5e8c752a8842870264fe10a2b3a0246c335bea7457daa289faec67f7ca7c2aaac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\notificationsDB
MD5
4fe2b64a2631d0d6eb30b8f42b49bcf5

SHA1
10c931554e79c2f4280a65ef2ad57ff61a2429ec

SHA256
4901703febb24c665059d25ae6d0769c55051bcdc1b7a72b600252d4c3b0eca0

SHA512
8ad48178aa8d835e0c2028688e41f575e50e21b6b4b59161d08984c300911fda1a4614738bfa5557c3f2d254373a61497b491cbc7fb163afea2dbe08fcb67004

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\CreativeCloud\CoreSync\EntitySync-2022-03-14.log
MD5
5e9e7e17dd193cbf1f9e06abc7dd63ac

SHA1
e733a2b5c700eeeefece7a22a72aefbd2366bfe4

SHA256
410647cbde9ed8569a9c01d8fea2952fdda3b9f90c20a467d4889a984994229e

SHA512
d2ddf9907c00ae29493ba9ec99572d4eae6f6f60a03d967a2d8721132ff07a9b5e3e4f0a5cb30a0e23f9d4338679ab8b20865a389a6d98e8be054f3b28ffe7eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
f1517e02b00c8cea01d5494b3837a216

SHA1
c4d11b3114610da3d19c94f9128711ed7a4d3b3e

SHA256
8c20ca2731bb08e795026ace1e31e2e61547d22f91e5ec7f20a863092d303248

SHA512
21493fefa5215e83c57226f4356f7213da43498a0cea1633335c3dbe2579b9373739cd79295b56c6a9736ea6c9ee37ec90927fc8d1fdb1af7c6a02bd5ba09bd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
760c4ea0420b88a29791a3ce3b28d934

SHA1
7b1ad99d76fa77fd8922ff06420aa4c75f74a46d

SHA256
f48aecca80cabbd90735b02a0d90808b5481c5a70e8f27db54564b171eb92c50

SHA512
1756858b6ee0690eb4c344b7907f46ea8ad4ee5de343e008fd1c3e25580a350b48c05bdc7f42d1f1ec9e78f8dedba88bc299a961e1131ef8423af94be82e2f96

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18
MD5
9cec97c16e3a5dbe230626186c3d1be2

SHA1
c73e12e7cbec07090f9e7a81dbf4f64fedb095c4

SHA256
a41aa6977dfa88c854196d12262d7685044c7634b58ca690c91a094e41554bff

SHA512
d53b2dde46495ad6698c3094ca72f7106cdeb97f298caec492992b35c0c76094603744d66469080069d3d192c27256e687faea146c7f63bb215f92d3f034c860

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
af019db0d9beac64e6dde4864e14b618

SHA1
742c4edb40244dcd85dd42db740b94281f3e14ef

SHA256
a1d23304bb35278ea702ccab423ebdb56c29a2cfbf56ce3f46819646c5db379b

SHA512
e2a8e0d25374638030ca73c8cc27cf4771d27ced98bce115b7cdb43552cec1053040ebbfb656c2f80bab2526f125c5d295d44229b22cfec9db949bc62458b003

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
35dc9cfdf01fc1d944725b1c7b6bb884

SHA1
b25a2dddb356ec5753072d406f020de1c8adb66b

SHA256
2c22d2a9e5ab2c7f272d7d79a0aaf604be210c6a990512e67e1151f35609ccdb

SHA512
8c0da608c103da013505514f2395827f23abaf64dfa99b135634571eb62b3929ad05e4d5f6f66459beb5617b9b45d7c957eba5ea3e24cbeea70860630d47e1bf

Download Submit
memory/4824-159-0x0000020564860000-0x0000020564870000-memory.dmp

Filesize
64KB

Download
memory/4824-160-0x00000205648C0000-0x00000205648D0000-memory.dmp

Filesize
64KB

Download
memory/4824-161-0x0000020564BE0000-0x0000020564BE4000-memory.dmp

Filesize
16KB

Download