Analysis
max time kernel: 79s
max time network: 81s
platform: windows10-2004_x64
resource: win10v2004-20220310-en
submitted: 22-03-2022 08:00
Behavioral task behavioral1
Sample: Red Cross Odessa (Ukraine) help request.pdf
Resource: win7-20220311-en
Behavioral task behavioral2
Sample: Red Cross Odessa (Ukraine) help request.pdf
Resource: win10v2004-20220310-en
General
Target: Red Cross Odessa (Ukraine) help request.pdf
Size: 118KB
MD5: 80c45d910f0a46571a3fe6e1e97a466b
SHA1: 937cd33c45219a2513e4a19c7626e8780fc064d4
SHA256: 54fc8526741a27a5b261717496ee8db6c4f1fc096b9ebe220a8dcb3d56faff2c
SHA512: 9fb569906f69708943b9d044850c8b662229c201c8f73df0f4ed1ad4102afb1d54094439ed4da49a6efdf090c5cd09e6c3cbc989acb2e19aa8e830ba04cd9f98
Malware Config
Signatures
Drops file in Windows directory 28 IoCs
Processes: svchost.exe
description: File opened for modification; process: svchost.exe; ioc (one per line):
C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\5ondRmJ90JlkPETuN535TWk=
C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT9A2.tmp
C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\Cmn5TH6S2lFFnfMN8MLr2EoNUIAGzQo2UUjHGMEC99A=
C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT442.tmp
C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\f3535a3b47819a04c6d5ee18905493be086e801e
C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT1138.tmp
C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT58F4.tmp
C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\612ad442b8740f4c57b8c84e6bf465ba4699118c
C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT366.tmp
C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\e1a85885fd4453165061351651289cce8f8590c4
C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BITDBB.tmp
C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT59C0.tmp
C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT5A1F.tmp
C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT5DDA.tmp
C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\LZOCjtiHKk8=
C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BITA5F.tmp
C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\a3f602ea4d534d006919a2613d91f9506b383314
C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BITE78.tmp
C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\9+dL4Puh6FM8puPxsBEX86BMeGqpuC0b7gf2fD9DLLo=
C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT5A5F.tmp
C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT3F3.tmp
C:\Windows\SoftwareDistribution\Download\17087e6e4710e63df4fcd8834f70bc99\BIT1204.tmp
C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT4BA5.tmp
C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT5E58.tmp
C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\F2WKV54ysEMEW9U+EfiUeJcNcgfNL4pMC5NmE0a3mAg=
C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT2D8.tmp
C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT449F.tmp
C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\af66e12c1bb9d8519da21259d0fcd88c247cb4f1
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: AcroRd32.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)
Modifies Internet Explorer settings 1 IoCs
Processes: AcroRd32.exe
Key created: \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
Modifies data under HKEY_USERS 1 IoCs
Processes: svchost.exe
Key created: \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (svchost.exe)
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes: AcroRd32.exe
pid process: 2124 AcroRd32.exe (20 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: AcroRd32.exe
pid process: 2124 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: AcroRd32.exe
Token: SeSecurityPrivilege, pid 2124 AcroRd32.exe
Token: SeTakeOwnershipPrivilege, pid 2124 AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: AcroRd32.exe
pid process: 2124 AcroRd32.exe
Suspicious use of SetWindowsHookEx 11 IoCs
Processes: AcroRd32.exe, AdobeARM.exe
pid process: 2124 AcroRd32.exe (10 entries), 4092 AdobeARM.exe (1 entry)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: AcroRd32.exe, RdrCEF.exe
description pid process target process (64 entries, covering three source/target pairs):
PID 2124 (AcroRd32.exe) wrote to memory of 2796 (RdrCEF.exe), 3 entries
PID 2796 (RdrCEF.exe) wrote to memory of 4808 (RdrCEF.exe), repeated entries
PID 2796 (RdrCEF.exe) wrote to memory of 4872 (RdrCEF.exe), repeated entries
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 2124)
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Red Cross Odessa (Ukraine) help request.pdf"
  Signatures:
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2796)
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4808)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=32708EE62F525BA160C252BA1B63325C --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4872)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B502E470413731334D1983F3997F2FFE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B502E470413731334D1983F3997F2FFE --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3736)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B886825423B6B18C7C6CC51B792ED0E0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B886825423B6B18C7C6CC51B792ED0E0 --renderer-client-id=4 --mojo-platform-channel-handle=2168 --allow-no-sandbox-job /prefetch:1
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1316)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5EE0B538F9B277DFFF610E7382698F20 --mojo-platform-channel-handle=2620 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 1180)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=88B81DA34AD4FF699CADDB2DC0944E54 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=88B81DA34AD4FF699CADDB2DC0944E54 --renderer-client-id=5 --mojo-platform-channel-handle=2572 --allow-no-sandbox-job /prefetch:1
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 2756)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5183E4E9B467A399C61A379C3E9A6774 --mojo-platform-channel-handle=2912 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 4492)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FF8DE09233ABAF9864C076EEB3BB4345 --mojo-platform-channel-handle=3024 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (PID 4092)
    Command line: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
    Signatures:
    - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe (PID 3624)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
C:\Windows\System32\svchost.exe (PID 3440)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  Signatures:
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
C:\Windows\System32\CompPkgSrv.exe (PID 5040)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\ProgramData\Adobe\ARM\Reader_19.010.20069\ReaderDCManifest2.msi
MD5: 6f014505b038aa70695dc6557662df8b
SHA1: 25607777270af2b0a38da97d8d98ab9bc7926980
SHA256: 52040d7492e91856c658e4779bdc2de38a81f47e5136d9a772f4559178fbe7fc
SHA512: 25c53e4b7c273b3699be727e5a6688dbfad7b6633d78d29e753bc3446b8e2b5e8c752a8842870264fe10a2b3a0246c335bea7457daa289faec67f7ca7c2aaac0
memory/3440-135-0x0000021343A20000-0x0000021343A30000-memory.dmp  Filesize: 64KB
memory/3440-134-0x0000021342F60000-0x0000021342F70000-memory.dmp  Filesize: 64KB
memory/3440-136-0x0000021343BC0000-0x0000021343BC4000-memory.dmp  Filesize: 16KB
memory/3440-157-0x0000021346150000-0x0000021346154000-memory.dmp  Filesize: 16KB
memory/3440-158-0x00000213460F0000-0x00000213460F4000-memory.dmp  Filesize: 16KB
memory/3440-159-0x0000021346450000-0x0000021346454000-memory.dmp  Filesize: 16KB
memory/3440-160-0x0000021346450000-0x0000021346454000-memory.dmp  Filesize: 16KB
memory/3440-162-0x00000213464A0000-0x00000213464A4000-memory.dmp  Filesize: 16KB