96e8dbc97ebfc6e7415645e9c420384a0e3c1d1bf0eded5ad9616e7802fafc66

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
16-03-2022 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DTO 160322.pdf
Size

273KB
MD5

5ad39bb320abb7c238199f279b5ba955
SHA1

016f190db51b5fba8636f059b68f05521f5d19b8
SHA256

96e8dbc97ebfc6e7415645e9c420384a0e3c1d1bf0eded5ad9616e7802fafc66
SHA512

cffba4dd4b8b91b6277a878937c25082a0e4480893cc85fb776b3f5a842339ef8c1bf3ef26b35a6ba917e68b62317a24ec04d5328a0c588a3b4036a24afc9e06

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

AdobeARMHelper.exe

pid process

1132 AdobeARMHelper.exe

pid	process
1132	AdobeARMHelper.exe

Drops file in Program Files directory 3 IoCs

Processes:

AdobeARMHelper.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Cache\Arm_001824311644_426775693124392912215952192141335398417.msi	AdobeARMHelper.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup\AdobeARM.exe	AdobeARMHelper.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup\AdobeARM.exe	AdobeARMHelper.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

AcroRd32.exeAdobeARM.exeAdobeARMHelper.exe

pid	process
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
2816	AcroRd32.exe
64	AdobeARM.exe
64	AdobeARM.exe
1132	AdobeARMHelper.exe
1132	AdobeARMHelper.exe
1132	AdobeARMHelper.exe
1132	AdobeARMHelper.exe
1132	AdobeARMHelper.exe
1132	AdobeARMHelper.exe
1132	AdobeARMHelper.exe
1132	AdobeARMHelper.exe
1132	AdobeARMHelper.exe
1132	AdobeARMHelper.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

AdobeARMHelper.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1132	AdobeARMHelper.exe
Token: SeIncreaseQuotaPrivilege	1132	AdobeARMHelper.exe
Token: SeSecurityPrivilege	3620	msiexec.exe
Token: SeCreateTokenPrivilege	1132	AdobeARMHelper.exe
Token: SeAssignPrimaryTokenPrivilege	1132	AdobeARMHelper.exe
Token: SeLockMemoryPrivilege	1132	AdobeARMHelper.exe
Token: SeIncreaseQuotaPrivilege	1132	AdobeARMHelper.exe
Token: SeMachineAccountPrivilege	1132	AdobeARMHelper.exe
Token: SeTcbPrivilege	1132	AdobeARMHelper.exe
Token: SeSecurityPrivilege	1132	AdobeARMHelper.exe
Token: SeTakeOwnershipPrivilege	1132	AdobeARMHelper.exe
Token: SeLoadDriverPrivilege	1132	AdobeARMHelper.exe
Token: SeSystemProfilePrivilege	1132	AdobeARMHelper.exe
Token: SeSystemtimePrivilege	1132	AdobeARMHelper.exe
Token: SeProfSingleProcessPrivilege	1132	AdobeARMHelper.exe
Token: SeIncBasePriorityPrivilege	1132	AdobeARMHelper.exe
Token: SeCreatePagefilePrivilege	1132	AdobeARMHelper.exe
Token: SeCreatePermanentPrivilege	1132	AdobeARMHelper.exe
Token: SeBackupPrivilege	1132	AdobeARMHelper.exe
Token: SeRestorePrivilege	1132	AdobeARMHelper.exe
Token: SeShutdownPrivilege	1132	AdobeARMHelper.exe
Token: SeDebugPrivilege	1132	AdobeARMHelper.exe
Token: SeAuditPrivilege	1132	AdobeARMHelper.exe
Token: SeSystemEnvironmentPrivilege	1132	AdobeARMHelper.exe
Token: SeChangeNotifyPrivilege	1132	AdobeARMHelper.exe
Token: SeRemoteShutdownPrivilege	1132	AdobeARMHelper.exe
Token: SeUndockPrivilege	1132	AdobeARMHelper.exe
Token: SeSyncAgentPrivilege	1132	AdobeARMHelper.exe
Token: SeEnableDelegationPrivilege	1132	AdobeARMHelper.exe
Token: SeManageVolumePrivilege	1132	AdobeARMHelper.exe
Token: SeImpersonatePrivilege	1132	AdobeARMHelper.exe
Token: SeCreateGlobalPrivilege	1132	AdobeARMHelper.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2816 AcroRd32.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid process

2816 AcroRd32.exe
2816 AcroRd32.exe
2816 AcroRd32.exe
2816 AcroRd32.exe
2816 AcroRd32.exe
2816 AcroRd32.exe
2816 AcroRd32.exe
64 AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2816 wrote to memory of 3412	2816	AcroRd32.exe	RdrCEF.exe
PID 2816 wrote to memory of 3412	2816	AcroRd32.exe	RdrCEF.exe
PID 2816 wrote to memory of 3412	2816	AcroRd32.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 1536	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe
PID 3412 wrote to memory of 2776	3412	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\DTO 160322.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:3412

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=95974690589BBE5D3DD4C0C25438C901 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1536

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=23B245FB8A77DDC78162D77E2786AF06 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=23B245FB8A77DDC78162D77E2786AF06 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2776

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=60FBD44C13A54EFC462713614EE609A8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=60FBD44C13A54EFC462713614EE609A8 --renderer-client-id=4 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job /prefetch:1
3⤵
PID:692

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6BC5CEAF2D325D9C5EC696C0D6E829A7 --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4476

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3AE00CE644911CC736DD7AF08E6EAF6C --mojo-platform-channel-handle=1996 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4448

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=54051CEFAAAE69DA1B3E70C408AAD281 --mojo-platform-channel-handle=2780 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4152

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E76DB603489F203B967E4A71FA204D9A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E76DB603489F203B967E4A71FA204D9A --renderer-client-id=10 --mojo-platform-channel-handle=2604 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2252

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:64

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:4840

C:\ProgramData\Adobe\ARM\S\3660\AdobeARMHelper.exe
"C:\ProgramData\Adobe\ARM\S\3660\AdobeARMHelper.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\3660" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3064

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:3212

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Cache\Arm_001824311644_426775693124392912215952192141335398417.msi
MD5
daef9610629678de57c4567339f6e52c

SHA1
3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f

SHA256
9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701

SHA512
9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

Download Submit
C:\ProgramData\Adobe\ARM\S\3660\AdobeARM.msi
MD5
daef9610629678de57c4567339f6e52c

SHA1
3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f

SHA256
9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701

SHA512
9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

Download Submit
C:\ProgramData\Adobe\ARM\S\3660\AdobeARMHelper.exe
MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\ProgramData\Adobe\ARM\S\3660\AdobeARMHelper.exe
MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
527c3b2b764808236c24a5564d26db10

SHA1
76bfbf199d89e866ffc4d9244f93ca635804db04

SHA256
8a11aa453724c1f9eff45bd0a79be447dc1c4db0d2e47e423f7ca6bb6e612f53

SHA512
d34693d05e271287448af1dc60a03ae1946a6cc268a3980eb794195aa261c974bfaebc0ca34053ef78a37d0a0ee34b614b24220bda3779b5da7d52de90ed4f97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
MD5
c5416d159dfcf9a4a881dc95efaffe33

SHA1
c940156cf8ff365d208ab0791e96fce1621e056d

SHA256
4c9a0efbbe54d2c64550a06ce16768fb569341513544dc4a696a568999e8f2c7

SHA512
9cc7bcfc502c1f36e92dad44879145d0dfeb9428b58e0de8232c67b75e1820c80d9933cc8a1f168add9c3dfda21ffb4bd5a6c4830d79952cf1553eb73d8c79f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
81eba67fb14ca23016639e8d4e55b1c4

SHA1
837debe8741884ec8e7c7020f21eae2b909356a7

SHA256
2251a0bd9eb3c0bc99e039ec46612108f4daf5527ffb26964e6e272ee7300193

SHA512
cd67d99e506c0c5195e92fbbd7f66b9e14463a43d306a5612defd588422911d3bb0b7d5ba0fa4bf95e19ca255e3a3a60051f260aec34a29ab1356d536d018284

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
MD5
980932054da6c9ded5658665c814ba24

SHA1
a8ea6b4e600a6b07ab260738a358d731fccf439c

SHA256
bc53a4f22473a73fa64047866687479aca772e465a469e1acc92a352302f9f72

SHA512
352dfeb83cf414ea5d7548fae1b9eb10b97db28f53298c81cd28aa673d4f9b93d556cc46a3643ddf31f1deac2e9d9f286979859568a13c156027835e62318c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log
MD5
5e948d89ba0f1993e6489fef3bb112da

SHA1
4223f8ec97e4874011d0caa3ccec0e3d93e67064

SHA256
7c3a33788ef7d1a7279bc17c99396b866e44d2c7e421c183c3da7ad795843d02

SHA512
d5e50dc98d0ea27edc481d09002ffcb7813978efb3fefbbb413be1911a37b70bb45f14b1dba9d184ba71c9f806dcf5926e3720e6b91678bf448af97ee6a65e93

Download Submit