86d131367fa65120f9268b0a71f17bacf8109277e99dd9f1f3b89d90b9ba58a5

General

Target

86d131367fa65120f9268b0a71f17bacf8109277e99dd9f1f3b89d90b9ba58a5.pdf
Size

360KB
MD5

bc03f92d232be59a9a0a8531521dee3d
SHA1

ea84dbe0c05b8618f57310d5a6e03ccea5200377
SHA256

86d131367fa65120f9268b0a71f17bacf8109277e99dd9f1f3b89d90b9ba58a5
SHA512

017a2cefc2b4d35cedda7a387007397ea0212d8269ea86d2ad5ae2ba655b2cba46b417b62397c1e908d1745784544c89ca31b75f88863a3dd7bf24dff74d0a6d

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

AdobeCollabSync.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache AdobeCollabSync.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1416	AcroRd32.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe
1072	AdobeARM.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1416 AcroRd32.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid process

1416 AcroRd32.exe
1416 AcroRd32.exe
1416 AcroRd32.exe
1416 AcroRd32.exe
1416 AcroRd32.exe
1416 AcroRd32.exe
1416 AcroRd32.exe
1072 AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeAdobeCollabSync.exeAdobeCollabSync.exeRdrCEF.exe

description	pid	process	target process
PID 1416 wrote to memory of 540	1416	AcroRd32.exe	AdobeCollabSync.exe
PID 1416 wrote to memory of 540	1416	AcroRd32.exe	AdobeCollabSync.exe
PID 1416 wrote to memory of 540	1416	AcroRd32.exe	AdobeCollabSync.exe
PID 540 wrote to memory of 1424	540	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 540 wrote to memory of 1424	540	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 540 wrote to memory of 1424	540	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 1424 wrote to memory of 1312	1424	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 1424 wrote to memory of 1312	1424	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 1424 wrote to memory of 1312	1424	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 1416 wrote to memory of 1412	1416	AcroRd32.exe	RdrCEF.exe
PID 1416 wrote to memory of 1412	1416	AcroRd32.exe	RdrCEF.exe
PID 1416 wrote to memory of 1412	1416	AcroRd32.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 1708	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 3396	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 3396	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 3396	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 3396	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 3396	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 3396	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 3396	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 3396	1412	RdrCEF.exe	RdrCEF.exe
PID 1412 wrote to memory of 3396	1412	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\86d131367fa65120f9268b0a71f17bacf8109277e99dd9f1f3b89d90b9ba58a5.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=540
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1424

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
4⤵
PID:1312

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
4⤵
PID:3008

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=316852BC8795C8DA9F692829640FCD52 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=316852BC8795C8DA9F692829640FCD52 --renderer-client-id=2 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1708

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BBF1C014FCAADFBA4A558BC03324D849 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3396

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8357CA4E9EBBA45FB8556D2FFCD36608 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8357CA4E9EBBA45FB8556D2FFCD36608 --renderer-client-id=4 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job /prefetch:1
3⤵
PID:424

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7C57316E487F94798C5E05DE7A11A135 --mojo-platform-channel-handle=2608 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3208

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BC28E8E8B653E6ECEF36AA8939788B39 --mojo-platform-channel-handle=2024 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1172

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=918605EAD2C73F43B39C3C02DA6520CF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=918605EAD2C73F43B39C3C02DA6520CF --renderer-client-id=7 --mojo-platform-channel-handle=2896 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2056

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=00520DFA3B1FA54DDD8A2C5D253C8984 --mojo-platform-channel-handle=2748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1420

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1072

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:2036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\notificationsDB
MD5
4fe2b64a2631d0d6eb30b8f42b49bcf5

SHA1
10c931554e79c2f4280a65ef2ad57ff61a2429ec

SHA256
4901703febb24c665059d25ae6d0769c55051bcdc1b7a72b600252d4c3b0eca0

SHA512
8ad48178aa8d835e0c2028688e41f575e50e21b6b4b59161d08984c300911fda1a4614738bfa5557c3f2d254373a61497b491cbc7fb163afea2dbe08fcb67004

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\notificationsDB
MD5
fd2af287cd43fb05bdb7d47b04b207a8

SHA1
088d47350b6c1e028c687b22867bb8ab5ce81ece

SHA256
288b0813898968121a25ad0fedfca4015c9958068c6e94a3ef0f796dad371594

SHA512
7f2c2026e452523f82d0e8c1b31ec5a1679700a977846d43f92029ae0b5a343becd58b8ef0f2623eeb12217e468839555029a8ae7cad52b99f0388f313c6b833

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
5bfa532b5eaee5d5a34c4cc8583cdf9a

SHA1
c1a5b3d9d855d4353a1fd9b4e6043a46c328d9f9

SHA256
ac33a66eb0c7afbf19d8b11a24fd9c4de8a872daef33ebc9b25be7bfa64f0924

SHA512
93246e6b53168107de706bb30740e0b6ed115de53b987d7225cb45f4121495f8d6baa241a0e2922e210a8780da1b8935a7199aa583b5708352c0bc5bee81eb01

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
MD5
82e610f5ac37aed84979da07c9d268db

SHA1
ae5b164c41ca332f8c5a2d247ac7620eea8ce2fb

SHA256
9f38d915229d92a3a7f6332027ec95006f20e2c29adb660cef8c999d780cbaba

SHA512
123871c5eb24a66d2518327cd09c076c08570fc82fc2b3949d17f7ce93698a412a01d3fdb3a88a695c7f403bfed3367bda87788b2a9500dcffe105ddd47f9e4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18
MD5
9cec97c16e3a5dbe230626186c3d1be2

SHA1
c73e12e7cbec07090f9e7a81dbf4f64fedb095c4

SHA256
a41aa6977dfa88c854196d12262d7685044c7634b58ca690c91a094e41554bff

SHA512
d53b2dde46495ad6698c3094ca72f7106cdeb97f298caec492992b35c0c76094603744d66469080069d3d192c27256e687faea146c7f63bb215f92d3f034c860

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads