13ecb35ec660161bb8b41e544eb5e4c58a51e60451fc809d04d49934135df044

Analysis

max time kernel
122s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
14-03-2022 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LifeShare Transplant Donor Services of Oklahoma, Inc. MSA.pdf
Size

716KB
MD5

27f4c66189678891f158c1e1b0993397
SHA1

d26d719b9c2461814c4faaea4ceaf524003585fe
SHA256

f858db3fac905317308bb2fa24d391d37ce5b2cef5e7eb01fa37b20512d7dae5
SHA512

37764a859575662037b8713500c05eeeea0bdabc5252d0a7675688720004783e44a170b2b90e61c961441223bf51204729d528c7efd4c9efd7c22b30ab03fd75

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

AdobeCollabSync.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache AdobeCollabSync.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

AcroRd32.exe

pid	process
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

AdobeCollabSync.exeAcroRd32.exe

pid process

4748 AdobeCollabSync.exe
1224 AcroRd32.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

AdobeCollabSync.exe

pid process

4748 AdobeCollabSync.exe

pid	process
4748	AdobeCollabSync.exe
1224	AcroRd32.exe

pid	process
4748	AdobeCollabSync.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
2084	AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeAdobeCollabSync.exeAdobeCollabSync.exeAdobeCollabSync.exeRdrCEF.exe

description	pid	process	target process
PID 1224 wrote to memory of 2592	1224	AcroRd32.exe	AdobeCollabSync.exe
PID 1224 wrote to memory of 2592	1224	AcroRd32.exe	AdobeCollabSync.exe
PID 1224 wrote to memory of 2592	1224	AcroRd32.exe	AdobeCollabSync.exe
PID 2592 wrote to memory of 2788	2592	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 2592 wrote to memory of 2788	2592	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 2592 wrote to memory of 2788	2592	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 1224 wrote to memory of 4748	1224	AcroRd32.exe	AdobeCollabSync.exe
PID 1224 wrote to memory of 4748	1224	AcroRd32.exe	AdobeCollabSync.exe
PID 1224 wrote to memory of 4748	1224	AcroRd32.exe	AdobeCollabSync.exe
PID 4748 wrote to memory of 368	4748	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4748 wrote to memory of 368	4748	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4748 wrote to memory of 368	4748	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 2788 wrote to memory of 4184	2788	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 2788 wrote to memory of 4184	2788	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 2788 wrote to memory of 4184	2788	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 1224 wrote to memory of 4040	1224	AcroRd32.exe	RdrCEF.exe
PID 1224 wrote to memory of 4040	1224	AcroRd32.exe	RdrCEF.exe
PID 1224 wrote to memory of 4040	1224	AcroRd32.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 2104	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 4396	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 4396	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 4396	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 4396	4040	RdrCEF.exe	RdrCEF.exe
PID 4040 wrote to memory of 4396	4040	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\LifeShare Transplant Donor Services of Oklahoma, Inc. MSA.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=2592
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
4⤵
PID:4184

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4748

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=4748
3⤵
PID:368

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0515A775EC6809257C42262F84CE6A96 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2104

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C80559C7104DA73B1BF8F510D25D7889 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C80559C7104DA73B1BF8F510D25D7889 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4396

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A820A303C26DC5CA33D1961CEEC56403 --mojo-platform-channel-handle=2180 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3188

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DC2341DBBE8D8ABE5480386582DA9DC5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DC2341DBBE8D8ABE5480386582DA9DC5 --renderer-client-id=5 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2052

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B9462ADB2747D3BDA79163F29CD9FC53 --mojo-platform-channel-handle=2552 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4428

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1508A48892C3757BCA4CB8A3514B1D3E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1508A48892C3757BCA4CB8A3514B1D3E --renderer-client-id=7 --mojo-platform-channel-handle=2764 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4132

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=892EA11291BC10F0010A7DAF45969E27 --mojo-platform-channel-handle=3164 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3532

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious use of SetWindowsHookEx
PID:2084

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:4848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:2024

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\ARM\Reader_19.010.20069\AcroRdrDCUpd1901020098.msp
MD5
b4754e19bb8ede57b309cd1bf2e68f15

SHA1
c4e8738a55ea6897bf0da9a76f7e8827e21dc3ea

SHA256
fca29e2c43b8cdcc3e41251d0d8daf12e71197b33cc6490f740ad0db142b7b0c

SHA512
bd64a3dabd8c5a5f03f591136931653cd4f02383e5f3c9adc777673721beec9ba5c9f1f8bef7c9c651a081148fd16e1258393d473c6643635451f26696dff805

Download Submit
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\ReaderDCManifest2.msi
MD5
6f014505b038aa70695dc6557662df8b

SHA1
25607777270af2b0a38da97d8d98ab9bc7926980

SHA256
52040d7492e91856c658e4779bdc2de38a81f47e5136d9a772f4559178fbe7fc

SHA512
25c53e4b7c273b3699be727e5a6688dbfad7b6633d78d29e753bc3446b8e2b5e8c752a8842870264fe10a2b3a0246c335bea7457daa289faec67f7ca7c2aaac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\notificationsDB
MD5
4fe2b64a2631d0d6eb30b8f42b49bcf5

SHA1
10c931554e79c2f4280a65ef2ad57ff61a2429ec

SHA256
4901703febb24c665059d25ae6d0769c55051bcdc1b7a72b600252d4c3b0eca0

SHA512
8ad48178aa8d835e0c2028688e41f575e50e21b6b4b59161d08984c300911fda1a4614738bfa5557c3f2d254373a61497b491cbc7fb163afea2dbe08fcb67004

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\CreativeCloud\CoreSync\EntitySync-2022-03-14.log
MD5
1a1d8f03d31a349fc1959883519878e1

SHA1
307983049f85a0d18fd2570b230337c2d189a43c

SHA256
0c73134c547b53fafb58c4fdb0bebf11305484af5951d80dd5f211855aee0085

SHA512
fad92a3bbadb61d5711bcbec81cab17ab9ca149c11ca0c93c504735cbcee4af0699719aed5a4efffe9c1bfc80493491bb3a3b121dbfcdd4ece6f087a406c6d0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
d21ecbeeecb43693d5ad48c6e2775c44

SHA1
a9c27d10fe3874e880cd27b457ee3fc437c6e082

SHA256
2469b34ada5a141b4a6f8e6e42df4b7d0e8192f1d36baa75778e24c13e3d583e

SHA512
722597f40adb319b47d1649442154629863377ba15540a3975c94b4b4cd01831e5ed211dff6dff26ebabe5aa3507518f64c37a810c0d802efdee298e1d5b894c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
68c2b5a86618c32405ef24cdccd90609

SHA1
6d84f002c5cf7734ee9930c0e88b51e571556be7

SHA256
2eb5d09deecb57f97f399d108246f669954545135e08ca5e5cc0f768d3079886

SHA512
a49b4decaf9e17ab2b7fb4d985cd89e9b193fbf51de33a3ddb3918947c91d1810b550d6056e353830be389c5b7309a30ba0945c40fbc1bc77c69eea67301cb7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18
MD5
9cec97c16e3a5dbe230626186c3d1be2

SHA1
c73e12e7cbec07090f9e7a81dbf4f64fedb095c4

SHA256
a41aa6977dfa88c854196d12262d7685044c7634b58ca690c91a094e41554bff

SHA512
d53b2dde46495ad6698c3094ca72f7106cdeb97f298caec492992b35c0c76094603744d66469080069d3d192c27256e687faea146c7f63bb215f92d3f034c860

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
af019db0d9beac64e6dde4864e14b618

SHA1
742c4edb40244dcd85dd42db740b94281f3e14ef

SHA256
a1d23304bb35278ea702ccab423ebdb56c29a2cfbf56ce3f46819646c5db379b

SHA512
e2a8e0d25374638030ca73c8cc27cf4771d27ced98bce115b7cdb43552cec1053040ebbfb656c2f80bab2526f125c5d295d44229b22cfec9db949bc62458b003

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
321b580ee7ba2b4858346a2b91cb294e

SHA1
0c7661947f5f8f7443706d0a45316e0243356f79

SHA256
73bbc9c2450136d3429bffbb0bf1473966d9308d8f43616ae42207b564f12d1f

SHA512
ad5178536ad7a0888ccf1ecb6ea7e1396a5a095c1d7f90cf96367b0693d258b48a01c2ae8d90b2b9f5cfadc80c178e3762fa049fa4bb665f6193b7310eec1bb9

Download Submit
memory/2024-160-0x000001B29D060000-0x000001B29D070000-memory.dmp

Filesize
64KB

Download
memory/2024-159-0x000001B29C760000-0x000001B29C770000-memory.dmp

Filesize
64KB

Download
memory/2024-161-0x000001B29D3B0000-0x000001B29D3B4000-memory.dmp

Filesize
16KB

Download