63061642aed1982c2c0a0a4d850e30cd3b126c7bac21a0630625633a92997107

General

Target

GSA_Africa_SponsorshipDeck.pdf
Size

2.2MB
MD5

40fd4d9d261bbc84edfdcccddb5157e4
SHA1

1c60c7587d4c7b682b27c3a306cf48a0e477c5e7
SHA256

63061642aed1982c2c0a0a4d850e30cd3b126c7bac21a0630625633a92997107
SHA512

400b84de62b81a5bb9f7e19993580e88af456ee4cde62e9763df87349f92a4cf8419cca2f7b51ffc8a3b10504771bbbe21007db38925ca1dfec8cb6e003cffc2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

AdobeARMHelper.exe

pid process

2496 AdobeARMHelper.exe

pid	process
2496	AdobeARMHelper.exe

Drops file in Program Files directory 3 IoCs

Processes:

AdobeARMHelper.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Cache\Arm_001824311644_622301748744004151345868292794888424.msi	AdobeARMHelper.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup\AdobeARM.exe	AdobeARMHelper.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup\AdobeARM.exe	AdobeARMHelper.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

AcroRd32.exeAdobeARM.exeAdobeARMHelper.exe

pid	process
4372	AcroRd32.exe
4372	AcroRd32.exe
4372	AcroRd32.exe
4372	AcroRd32.exe
4372	AcroRd32.exe
4372	AcroRd32.exe
4372	AcroRd32.exe
4372	AcroRd32.exe
4372	AcroRd32.exe
4372	AcroRd32.exe
4372	AcroRd32.exe
4372	AcroRd32.exe
4372	AcroRd32.exe
4372	AcroRd32.exe
4372	AcroRd32.exe
4372	AcroRd32.exe
4868	AdobeARM.exe
4868	AdobeARM.exe
2496	AdobeARMHelper.exe
2496	AdobeARMHelper.exe
2496	AdobeARMHelper.exe
2496	AdobeARMHelper.exe
2496	AdobeARMHelper.exe
2496	AdobeARMHelper.exe
2496	AdobeARMHelper.exe
2496	AdobeARMHelper.exe
2496	AdobeARMHelper.exe
2496	AdobeARMHelper.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AdobeARMHelper.exe

description pid process

Token: SeShutdownPrivilege 2496 AdobeARMHelper.exe
Token: SeIncreaseQuotaPrivilege 2496 AdobeARMHelper.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4372 AcroRd32.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid process

4372 AcroRd32.exe
4372 AcroRd32.exe
4372 AcroRd32.exe
4372 AcroRd32.exe
4372 AcroRd32.exe
4372 AcroRd32.exe
4372 AcroRd32.exe
4868 AdobeARM.exe

description	pid	process
Token: SeShutdownPrivilege	2496	AdobeARMHelper.exe
Token: SeIncreaseQuotaPrivilege	2496	AdobeARMHelper.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4372 wrote to memory of 2904	4372	AcroRd32.exe	RdrCEF.exe
PID 4372 wrote to memory of 2904	4372	AcroRd32.exe	RdrCEF.exe
PID 4372 wrote to memory of 2904	4372	AcroRd32.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2704	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe
PID 2904 wrote to memory of 2236	2904	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\GSA_Africa_SponsorshipDeck.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2904

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A61BC3612B4EF339B48356CEFC0FC2D6 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2704

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=41E09F46184F3BB65C7AF5DDE892FE45 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=41E09F46184F3BB65C7AF5DDE892FE45 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2236

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A023E17954D83810318F17B3F9754598 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A023E17954D83810318F17B3F9754598 --renderer-client-id=4 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3188

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B1DD561F39A144857E418FEDE22D5772 --mojo-platform-channel-handle=2564 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4540

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EAE64C80AD399E45BB569BC66CFEA62A --mojo-platform-channel-handle=2692 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:5056

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=936B8C824C9B275408CCB2E1B37D38BF --mojo-platform-channel-handle=2572 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2516

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=65A1E5D8A6B9B4ED84670381969991A6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=65A1E5D8A6B9B4ED84670381969991A6 --renderer-client-id=8 --mojo-platform-channel-handle=2780 --allow-no-sandbox-job /prefetch:1
3⤵
PID:388

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:3292

C:\ProgramData\Adobe\ARM\S\1400\AdobeARMHelper.exe
"C:\ProgramData\Adobe\ARM\S\1400\AdobeARMHelper.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\1400" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:936

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:2264

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\ARM\S\1400\AdobeARM.msi
Filesize
869KB

MD5
daef9610629678de57c4567339f6e52c

SHA1
3c2f60cce0d017c9f93fe0d09c80a7ca0dc63d0f

SHA256
9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701

SHA512
9a550ec8cb373b6ab488750aa9c679e419b8dfeddf3ccb02593c044553b5bb447516ceebc18e73db2b8c848b79f124ed6764484795b8f4a6d58d954b77f0b4a5

Download Submit
C:\ProgramData\Adobe\ARM\S\1400\AdobeARMHelper.exe
Filesize
413KB

MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\ProgramData\Adobe\ARM\S\1400\AdobeARMHelper.exe
Filesize
413KB

MD5
522026a14d6bc781d2a15c665e454310

SHA1
9451a39108326ba578793b1feb62f23a02bce916

SHA256
fd115ae8ebd2f37cf1ef72f75242206cf1331c7cb258305011302e981137ee5e

SHA512
4e4eb2f582c8590899a0ada6133b705d13775f60818f1ff4f9bb35e40e09d6570af4f7ac4c80b525b445a03702ca0f3a9867a93080f90697d8be668e2abe2fe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
Filesize
471B

MD5
1d481f87ae45f404314b3fd92e646462

SHA1
c2f91da2d97f01fa8bddce3f344e0c9363fcb49d

SHA256
3d4fa23b2fb6ef441eaf48fc2c9613ae1504b2678e999412c671d8937ce9f7f8

SHA512
7e666124ef820c8b5b720cda6b28b5ad21d3d194488af984652466ee26ac7473c7b55881ccd39d5925bf0bfd0f809c677933b07f6e233762381efbe74f90a39b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
Filesize
471B

MD5
67af02bb81e32e54691052d59e1bca73

SHA1
3c8c5c950a1ba02c6c6a77e15379fcba0c9ac0f7

SHA256
700c8e95c0cbafe687e9b581121d967ddc975ac1d31aee21931f20c6374cf471

SHA512
628faabfed2a314f4644b56faa365c3a01c0f679d18b88af7b01b18696e375e97515afb00900f03308996fec686e68ca89c44b2d4dcd215bbe0d150edfe0db60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
Filesize
426B

MD5
1350dae2802f5c37805328fe7cd4138f

SHA1
b29efa93bd0012d702fd14c4560c77644ca95260

SHA256
08c83dab448e56d282f2b98b1980be4b9614b1cfaec6ebb7623ca9aa76363ec7

SHA512
16a030d80b185d6af29ab797e45a5ce7eb1ad75e2be81d90ac2ceffa1aaebb4ee8ebc32ffaeaf068a05f9f3bd786b1d60400c40ca47275f2e055fdc7a7ecb333

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC
Filesize
438B

MD5
29e6baaedcd08b50a17cdbe483aed0e0

SHA1
8830b919f7dd693fcae376c4263700326fe2d9e2

SHA256
449cde8fcdf89d9ad028410c9d02e63c5ace6ac9421191c23f33a23cfe9309e9

SHA512
fb4899ac2ec0b4d80329de025c67b1d4e0635380cd272a9381b4cb44b92ffc8976410d76c0d57da4eed2a97736652785353ade4f4d255dfaa0e571baf7bc8cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log
Filesize
840B

MD5
c913b26a6dd3f4648f1045153818dde0

SHA1
b019e8e46e018d135a8a270ea55e090efc4c359a

SHA256
6e9bb2a3d1a59d238e94644bfb44d49c574bd1fc1a01b925a1fa4e50d701031c

SHA512
76eaebf2a0a1583fb2d4ca33d30f53ed3f61472a3ed6f96fa2350f99f89ae6b3c06a397adf7190fab3ba4b58ae3bc93a99b6ee03aaa2e6c0c98326845bffa24e

Download Submit
memory/388-154-0x0000000000000000-mapping.dmp

Download
memory/2236-135-0x0000000000000000-mapping.dmp

Download
memory/2496-160-0x0000000000000000-mapping.dmp

Download
memory/2516-151-0x0000000000000000-mapping.dmp

Download
memory/2704-132-0x0000000000000000-mapping.dmp

Download
memory/2904-130-0x0000000000000000-mapping.dmp

Download
memory/3188-140-0x0000000000000000-mapping.dmp

Download
memory/3292-159-0x0000000000000000-mapping.dmp

Download
memory/4540-145-0x0000000000000000-mapping.dmp

Download
memory/4868-158-0x0000000000000000-mapping.dmp

Download
memory/5056-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads