cb29eb9bf7a1fa4ea45b89617add4eee5fefa37e330e157721415406b713ba98

Analysis

max time kernel
138s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
31-03-2022 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fw8imy.pdf
Size

278KB
MD5

0fe7463a38e2f783587127f24cc70ffc
SHA1

1e31bc6f553edbb62f23f0b79b5244baf3ed12ba
SHA256

2d3048e7d83485dde66e8d7904411cf577e5d2f73c71541c804d9dcb1bfb0493
SHA512

3a83f54caa0e702726beba9415e3e629f637adf04237da7d4292ba6ec6b87970f395abc6e51bea5013f7b1c935a6a8929bcd21fcb35b6dce5103a5b15c99ef45

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

AdobeCollabSync.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache AdobeCollabSync.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
4720	AdobeARM.exe
4720	AdobeARM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AdobeCollabSync.exeAdobeCollabSync.exeAcroRd32.exe

pid process

3604 AdobeCollabSync.exe
2420 AdobeCollabSync.exe
2296 AcroRd32.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

AdobeCollabSync.exeAdobeCollabSync.exe

pid process

3604 AdobeCollabSync.exe
2420 AdobeCollabSync.exe

pid	process
3604	AdobeCollabSync.exe
2420	AdobeCollabSync.exe
2296	AcroRd32.exe

pid	process
3604	AdobeCollabSync.exe
2420	AdobeCollabSync.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
2296	AcroRd32.exe
4720	AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeAdobeCollabSync.exeAdobeCollabSync.exeAdobeCollabSync.exeAdobeCollabSync.exeRdrCEF.exe

description	pid	process	target process
PID 2296 wrote to memory of 4788	2296	AcroRd32.exe	AdobeCollabSync.exe
PID 2296 wrote to memory of 4788	2296	AcroRd32.exe	AdobeCollabSync.exe
PID 2296 wrote to memory of 4788	2296	AcroRd32.exe	AdobeCollabSync.exe
PID 4788 wrote to memory of 4792	4788	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4788 wrote to memory of 4792	4788	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4788 wrote to memory of 4792	4788	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 2296 wrote to memory of 3604	2296	AcroRd32.exe	AdobeCollabSync.exe
PID 2296 wrote to memory of 3604	2296	AcroRd32.exe	AdobeCollabSync.exe
PID 2296 wrote to memory of 3604	2296	AcroRd32.exe	AdobeCollabSync.exe
PID 3604 wrote to memory of 1312	3604	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 3604 wrote to memory of 1312	3604	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 3604 wrote to memory of 1312	3604	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 2296 wrote to memory of 2420	2296	AcroRd32.exe	AdobeCollabSync.exe
PID 2296 wrote to memory of 2420	2296	AcroRd32.exe	AdobeCollabSync.exe
PID 2296 wrote to memory of 2420	2296	AcroRd32.exe	AdobeCollabSync.exe
PID 2420 wrote to memory of 3368	2420	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 2420 wrote to memory of 3368	2420	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 2420 wrote to memory of 3368	2420	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4792 wrote to memory of 372	4792	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 4792 wrote to memory of 372	4792	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 4792 wrote to memory of 372	4792	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 2296 wrote to memory of 4548	2296	AcroRd32.exe	RdrCEF.exe
PID 2296 wrote to memory of 4548	2296	AcroRd32.exe	RdrCEF.exe
PID 2296 wrote to memory of 4548	2296	AcroRd32.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe
PID 4548 wrote to memory of 2104	4548	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\fw8imy.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=4788
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4792

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
4⤵
PID:372

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3604

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=3604
3⤵
PID:1312

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2420

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=2420
3⤵
PID:3368

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DA3C2989BD9448D68377D18163490AF2 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2104

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A7F7A1990C79B603F48645AB144C824D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A7F7A1990C79B603F48645AB144C824D --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1664

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=171BE62392FD118A10B4D88791099624 --mojo-platform-channel-handle=2288 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:796

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7D254F0DA9432605814CB8CAD5422726 --mojo-platform-channel-handle=1688 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4296

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BC89FB7C14739D9DB3886E488E524DFD --mojo-platform-channel-handle=2380 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4232

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=909D6F182BF1D21F866D496702B26ECB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=909D6F182BF1D21F866D496702B26ECB --renderer-client-id=8 --mojo-platform-channel-handle=2424 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3848

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=729E602C9C8637398AB528EC90A5B3A5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=729E602C9C8637398AB528EC90A5B3A5 --renderer-client-id=10 --mojo-platform-channel-handle=2600 --allow-no-sandbox-job /prefetch:1
3⤵
PID:832

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:1596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1236

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\notificationsDB
Filesize
24KB

MD5
4fe2b64a2631d0d6eb30b8f42b49bcf5

SHA1
10c931554e79c2f4280a65ef2ad57ff61a2429ec

SHA256
4901703febb24c665059d25ae6d0769c55051bcdc1b7a72b600252d4c3b0eca0

SHA512
8ad48178aa8d835e0c2028688e41f575e50e21b6b4b59161d08984c300911fda1a4614738bfa5557c3f2d254373a61497b491cbc7fb163afea2dbe08fcb67004

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\eac4cf9da8b4acca06ece00ca75105a1.db
Filesize
4KB

MD5
db094082d4f0575ec4b04cb4c4ed7b2f

SHA1
acbf2301b40ac443be9f5af638c7164d3d326a31

SHA256
647d621210c2a281180a1e678b7be08962610a0e1754bd310c5c6c558a8c5c98

SHA512
48e2889a52fbcae6e7c3004e4feb3f4b1ce32c4e441ba05e24f79c869561bbbcb95ecc0ba1e9743595ecd1f9a6480ae5b2f78af20790f037e39e58902b0db2b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\eac4cf9da8b4acca06ece00ca75105a1.db-wal
Filesize
132KB

MD5
9d334f7f000823641c37ba7e752c3b64

SHA1
3bb51951f0386ba4b28c1865e39c3c5099365697

SHA256
31a498d55b8fd7e4b548b9ad48189e4ee23b083ae439ba801538a44a1664c0be

SHA512
c3e60380bd154779a4dcded1d964979f96177cbead71f734fdc40e38cbfe2a28a70ef588a3c04a1b1f89862a0b39e36490674435abd78e3fefeed36a09cab531

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\CreativeCloud\CoreSync\EntitySync-2022-03-31.log
Filesize
2KB

MD5
9ed930f11322db6064a2d828646d0104

SHA1
47c247c02f56c229e89ed667eb7cfc08ad617758

SHA256
c903ecdc11c084bdaafc2d9ee26ef3245b1fff22e9e733180bb99a999eca1177

SHA512
59e687a64be41bf36ecf87f632727683bafa5a9df2bb5eff37c5b0f20707e8532960d992d0426f38481e96570564f5960287efe6771c0f11f32c1c16a829b2f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\CreativeCloud\CoreSync\EntitySync-2022-03-31.log
Filesize
4KB

MD5
8a8a87aac9e90cc4c7ca8bbadc4134ce

SHA1
f5b2e901b179f9c034c33a97bae708f6f8ab60f6

SHA256
23da18d756dcc8719530bb53d1db972f3b5e41ce3183ad880c1181cef97b4546

SHA512
a9b47817b1defa039c0120eb62e0dc5c7d22cf771fbd3591e2a4864ce678d60ff662a59d09063a5931084575029980b1cb402100ec97d220bf7281ca5fe34c0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
Filesize
92KB

MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
Filesize
92KB

MD5
737845a730f039e6657d574100960508

SHA1
465c2f0dff8b87bfedbe8cf111f0bdf8025a75d8

SHA256
72b83a6b8c64b76c030b550863183e8dd58bb4a6a832c203adeac34861be98ff

SHA512
1961b6a2cc0e7aa3c29d3027ccfed3761c16e8fc4456638d0187ca3deebf70cb35a3c0ab38e076b6a19cf0d7aeef63d39984ab5914a4cd57cf0fbaf846052939

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
Filesize
92KB

MD5
9e38011b266ba43d6908655c7e7d481c

SHA1
b1b8e8c1e53359188492f08e91ed13c9f41e61be

SHA256
520c43511a6bff4dfacaf7a9835f1bf1cf95c0c4dddfa382b20ccd666fc40c61

SHA512
48b134c66cbede90c74eee8e161cf4122f857521d134e20a117cff7bca73b10c684484c2d6998211d364a93bae7da0cd3fe34e3290962ce4e79c915db6ace08e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18
Filesize
3.0MB

MD5
9cec97c16e3a5dbe230626186c3d1be2

SHA1
c73e12e7cbec07090f9e7a81dbf4f64fedb095c4

SHA256
a41aa6977dfa88c854196d12262d7685044c7634b58ca690c91a094e41554bff

SHA512
d53b2dde46495ad6698c3094ca72f7106cdeb97f298caec492992b35c0c76094603744d66469080069d3d192c27256e687faea146c7f63bb215f92d3f034c860

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize
471B

MD5
9b4f9f2ecf763839bc060a7f7818c930

SHA1
380ff15213fe0139d3cdd0d2d469265eba68bd51

SHA256
51330aad29c0c135697a0eb9407986d54dc02834c8bacbbc72b0bc6a6dcc631b

SHA512
1045082f4f276d594a6796895d9ca6bbf21fdc6e80bc90566593b2da0aea56b92a8d78280b8c5786e5fe0363407642efb05c191658764f5c62647513f29a4296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize
434B

MD5
ce3902db7524b0b22d00da71fe506503

SHA1
56e5d5e714d207ffd592d06a0fe1f1aff6e94475

SHA256
6cf63af46aaa7bfa20577f95b80ed801e8c445af5a3c870c15d19b1115bb2d85

SHA512
25fabeae8b4ff8d59a4f87a136d570079f31b3287ffff6578aa88167c34f59bd83aca363a57832976bc0bc2ac41d80fee1672b551eed40752e10823b3d32e2dc

Download Submit
memory/372-143-0x0000000000000000-mapping.dmp

Download
memory/796-157-0x0000000000000000-mapping.dmp

Download
memory/832-173-0x0000000000000000-mapping.dmp

Download
memory/1312-133-0x0000000000000000-mapping.dmp

Download
memory/1596-178-0x0000000000000000-mapping.dmp

Download
memory/1664-152-0x0000000000000000-mapping.dmp

Download
memory/2104-149-0x0000000000000000-mapping.dmp

Download
memory/2420-134-0x0000000000000000-mapping.dmp

Download
memory/3368-135-0x0000000000000000-mapping.dmp

Download
memory/3604-132-0x0000000000000000-mapping.dmp

Download
memory/3848-168-0x0000000000000000-mapping.dmp

Download
memory/4232-163-0x0000000000000000-mapping.dmp

Download
memory/4296-160-0x0000000000000000-mapping.dmp

Download
memory/4548-147-0x0000000000000000-mapping.dmp

Download
memory/4720-177-0x0000000000000000-mapping.dmp

Download
memory/4788-130-0x0000000000000000-mapping.dmp

Download
memory/4792-131-0x0000000000000000-mapping.dmp

Download