cb29eb9bf7a1fa4ea45b89617add4eee5fefa37e330e157721415406b713ba98

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
31-03-2022 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fw8imy.pdf
Size

278KB
MD5

0fe7463a38e2f783587127f24cc70ffc
SHA1

1e31bc6f553edbb62f23f0b79b5244baf3ed12ba
SHA256

2d3048e7d83485dde66e8d7904411cf577e5d2f73c71541c804d9dcb1bfb0493
SHA512

3a83f54caa0e702726beba9415e3e629f637adf04237da7d4292ba6ec6b87970f395abc6e51bea5013f7b1c935a6a8929bcd21fcb35b6dce5103a5b15c99ef45

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

AdobeCollabSync.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\MuiCache AdobeCollabSync.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

AdobeCollabSync.exeAcroRd32.exe

pid process

4656 AdobeCollabSync.exe
2512 AcroRd32.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

AdobeCollabSync.exe

pid process

4656 AdobeCollabSync.exe

pid	process
4656	AdobeCollabSync.exe
2512	AcroRd32.exe

pid	process
4656	AdobeCollabSync.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
2512	AcroRd32.exe
3152	AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeAdobeCollabSync.exeAdobeCollabSync.exeAdobeCollabSync.exeRdrCEF.exe

description	pid	process	target process
PID 2512 wrote to memory of 4552	2512	AcroRd32.exe	AdobeCollabSync.exe
PID 2512 wrote to memory of 4552	2512	AcroRd32.exe	AdobeCollabSync.exe
PID 2512 wrote to memory of 4552	2512	AcroRd32.exe	AdobeCollabSync.exe
PID 4552 wrote to memory of 3172	4552	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4552 wrote to memory of 3172	4552	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4552 wrote to memory of 3172	4552	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 2512 wrote to memory of 4656	2512	AcroRd32.exe	AdobeCollabSync.exe
PID 2512 wrote to memory of 4656	2512	AcroRd32.exe	AdobeCollabSync.exe
PID 2512 wrote to memory of 4656	2512	AcroRd32.exe	AdobeCollabSync.exe
PID 4656 wrote to memory of 3504	4656	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4656 wrote to memory of 3504	4656	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4656 wrote to memory of 3504	4656	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 3172 wrote to memory of 1852	3172	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 3172 wrote to memory of 1852	3172	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 3172 wrote to memory of 1852	3172	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 2512 wrote to memory of 5016	2512	AcroRd32.exe	RdrCEF.exe
PID 2512 wrote to memory of 5016	2512	AcroRd32.exe	RdrCEF.exe
PID 2512 wrote to memory of 5016	2512	AcroRd32.exe	RdrCEF.exe
PID 2512 wrote to memory of 3204	2512	AcroRd32.exe	RdrCEF.exe
PID 2512 wrote to memory of 3204	2512	AcroRd32.exe	RdrCEF.exe
PID 2512 wrote to memory of 3204	2512	AcroRd32.exe	RdrCEF.exe
PID 2512 wrote to memory of 2888	2512	AcroRd32.exe	RdrCEF.exe
PID 2512 wrote to memory of 2888	2512	AcroRd32.exe	RdrCEF.exe
PID 2512 wrote to memory of 2888	2512	AcroRd32.exe	RdrCEF.exe
PID 2512 wrote to memory of 2228	2512	AcroRd32.exe	RdrCEF.exe
PID 2512 wrote to memory of 2228	2512	AcroRd32.exe	RdrCEF.exe
PID 2512 wrote to memory of 2228	2512	AcroRd32.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe
PID 2888 wrote to memory of 3208	2888	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\fw8imy.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of WriteProcessMemory
PID:4552

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=4552
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3172

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
4⤵
PID:1852

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4656

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=4656
3⤵
PID:3504

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
PID:5016

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
PID:3204

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5D649C6BC063B0E4872A92AE0C2F8697 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3208

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5BB7A741E5A55D386C05578376C11F27 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5BB7A741E5A55D386C05578376C11F27 --renderer-client-id=2 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3760

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1549CA88761E0F5B7C0FA0E89D39D6AC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1549CA88761E0F5B7C0FA0E89D39D6AC --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3548

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3E73EBE1F5D51E497646B7E21C995D02 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3E73EBE1F5D51E497646B7E21C995D02 --renderer-client-id=5 --mojo-platform-channel-handle=2552 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4232

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=84E86FE995268AF663B8A4D1E01639C0 --mojo-platform-channel-handle=2828 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1332

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=18753394695C807E02AA2610783DB44E --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:476

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=58CC8C9A4EB14EE7B9687AF6AE12EAB7 --mojo-platform-channel-handle=2904 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:5000

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
PID:2228

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious use of SetWindowsHookEx
PID:3152

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:2228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\notificationsDB
Filesize
24KB

MD5
4fe2b64a2631d0d6eb30b8f42b49bcf5

SHA1
10c931554e79c2f4280a65ef2ad57ff61a2429ec

SHA256
4901703febb24c665059d25ae6d0769c55051bcdc1b7a72b600252d4c3b0eca0

SHA512
8ad48178aa8d835e0c2028688e41f575e50e21b6b4b59161d08984c300911fda1a4614738bfa5557c3f2d254373a61497b491cbc7fb163afea2dbe08fcb67004

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\eac4cf9da8b4acca06ece00ca75105a1.db
Filesize
4KB

MD5
db094082d4f0575ec4b04cb4c4ed7b2f

SHA1
acbf2301b40ac443be9f5af638c7164d3d326a31

SHA256
647d621210c2a281180a1e678b7be08962610a0e1754bd310c5c6c558a8c5c98

SHA512
48e2889a52fbcae6e7c3004e4feb3f4b1ce32c4e441ba05e24f79c869561bbbcb95ecc0ba1e9743595ecd1f9a6480ae5b2f78af20790f037e39e58902b0db2b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\eac4cf9da8b4acca06ece00ca75105a1.db-wal
Filesize
128KB

MD5
c7d70d5e3a9258f294657f465925f14c

SHA1
89904b990b11d91d5883ef538adcb85996ae0284

SHA256
46f2b3bdfddf5d5ac9c0731f80c67362082331c92eeac4926d9d6f2df85ce004

SHA512
51b45035138a4cb46689f3692f678565ac08e692c69bdaee9932efb56bd3850fe446238e5327ffc7174735d5f22483b9aa1f2fe526624d5ce78c8352d656e2e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\CreativeCloud\CoreSync\EntitySync-2022-03-31.log
Filesize
2KB

MD5
bd2a51afb61298c3ae36303b1c75c240

SHA1
560aaa91410332add19a07e2c8c7c8c112ce131e

SHA256
306679d943bc4d15b44d899913b9fd95d30db1378988d6622592711e64f7d211

SHA512
c21d84c8a0b9ff888991afdbb4be4f9ee6fac036b2296efc7fddd7ccf245beab9aa1303b23d3dc47877eb136dd151a07881e6fb584115a013d2b1fa1d8f160f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
Filesize
92KB

MD5
267d462192c699b0e2d49fad84e241c1

SHA1
0777eebd16fc9e04454dbdbc3d47e01f5de1ffdb

SHA256
48e64ffdabc05d4f3a0214b38a8b7fe18b9e97e3480f718d5c15c6e1b73e84bc

SHA512
9946920a4fde6e62f4ed658bf02bd93716a465e767c11caac8f775c987e190ff6bba607b444d7ccde7126f3f46f8208c82e774304d9902a61025285f7f3cb6d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
Filesize
92KB

MD5
5541c6100f8317d4501cc98538618f2b

SHA1
b9765c11f52a43bdc79e211300bdf83a324b1ce2

SHA256
87d9bd2cd17bf1811287a74b5c108e2743d6725bbb4b59173299cfc699215889

SHA512
dafcca1e301d10d60970bedb16e4891548e78be6a9da8c49383c4fc23bd3769bd340afb035ed4e4838d75e91a726bfc48206a881d1f1d020018db7aa69a49b0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
Filesize
92KB

MD5
725d416f6423666c98521aa100a78b9d

SHA1
763eb2217ce9072ca89a1cd8e5515e2fa8dcc08d

SHA256
f572891dc611b1f50b2c5a4d889b737db75d965b5ba6a62d8aed0479d0fe7d51

SHA512
e886cf052d526c3cf0d012f00b9e3a87b7215c59805a237d04f7488741671db3883ea4a0c59628f6b7b25555211e96eb27ffbe842d27e700bf70f268f91bdde4

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18
Filesize
3.0MB

MD5
9cec97c16e3a5dbe230626186c3d1be2

SHA1
c73e12e7cbec07090f9e7a81dbf4f64fedb095c4

SHA256
a41aa6977dfa88c854196d12262d7685044c7634b58ca690c91a094e41554bff

SHA512
d53b2dde46495ad6698c3094ca72f7106cdeb97f298caec492992b35c0c76094603744d66469080069d3d192c27256e687faea146c7f63bb215f92d3f034c860

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize
471B

MD5
9b4f9f2ecf763839bc060a7f7818c930

SHA1
380ff15213fe0139d3cdd0d2d469265eba68bd51

SHA256
51330aad29c0c135697a0eb9407986d54dc02834c8bacbbc72b0bc6a6dcc631b

SHA512
1045082f4f276d594a6796895d9ca6bbf21fdc6e80bc90566593b2da0aea56b92a8d78280b8c5786e5fe0363407642efb05c191658764f5c62647513f29a4296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize
434B

MD5
f5b2541882716acef94763cbd9a4d504

SHA1
05deca08ac9b8c844fefdfaf6493777f281ad07f

SHA256
47ee41d578f265128d3c46c0d969559bd7f194b717b0e2498e7b637e0cabc37e

SHA512
b5929c613ffb24eff8129ae469472113476ebfe884cf14d5772b434054eeafbae952bc78cf49830017d9117cb8498c32655ae19bd489386f9166308b02d5563d

Download Submit
memory/476-173-0x0000000000000000-mapping.dmp

Download
memory/1332-170-0x0000000000000000-mapping.dmp

Download
memory/1852-147-0x0000000000000000-mapping.dmp

Download
memory/2228-179-0x0000000000000000-mapping.dmp

Download
memory/2228-153-0x0000000000000000-mapping.dmp

Download
memory/2888-152-0x0000000000000000-mapping.dmp

Download
memory/3152-178-0x0000000000000000-mapping.dmp

Download
memory/3172-135-0x0000000000000000-mapping.dmp

Download
memory/3204-149-0x0000000000000000-mapping.dmp

Download
memory/3208-155-0x0000000000000000-mapping.dmp

Download
memory/3504-140-0x0000000000000000-mapping.dmp

Download
memory/3548-163-0x0000000000000000-mapping.dmp

Download
memory/3760-158-0x0000000000000000-mapping.dmp

Download
memory/4232-165-0x0000000000000000-mapping.dmp

Download
memory/4552-134-0x0000000000000000-mapping.dmp

Download
memory/4656-136-0x0000000000000000-mapping.dmp

Download
memory/5000-176-0x0000000000000000-mapping.dmp

Download
memory/5016-148-0x0000000000000000-mapping.dmp

Download