4c7ebef3c3c7c9a6e65585d82865d53482fc342dcdaed8bc0bb1edf0319ec581

General

Target

4c7ebef3c3c7c9a6e65585d82865d53482fc342dcdaed8bc0bb1edf0319ec581.pdf
Size

66KB
MD5

f32c4f6c8c887a02273a573230cfb7a1
SHA1

e8528a1b5ec8f2be3698b4728420aa6680364d06
SHA256

4c7ebef3c3c7c9a6e65585d82865d53482fc342dcdaed8bc0bb1edf0319ec581
SHA512

b232976d3d125c94f8b12e70e7ed3a39bafdc909b5980113323986d57a16eb2357d48f8e765433e1ff843a774a261def968d5038db78c735ff83b36c7fb1dee3

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4772	AcroRd32.exe
4276	AdobeARM.exe
4276	AdobeARM.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4772 AcroRd32.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid process

4772 AcroRd32.exe
4772 AcroRd32.exe
4772 AcroRd32.exe
4772 AcroRd32.exe
4772 AcroRd32.exe
4276 AdobeARM.exe
4772 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4772 wrote to memory of 1888	4772	AcroRd32.exe	RdrCEF.exe
PID 4772 wrote to memory of 1888	4772	AcroRd32.exe	RdrCEF.exe
PID 4772 wrote to memory of 1888	4772	AcroRd32.exe	RdrCEF.exe
PID 4772 wrote to memory of 3360	4772	AcroRd32.exe	RdrCEF.exe
PID 4772 wrote to memory of 3360	4772	AcroRd32.exe	RdrCEF.exe
PID 4772 wrote to memory of 3360	4772	AcroRd32.exe	RdrCEF.exe
PID 4772 wrote to memory of 2832	4772	AcroRd32.exe	RdrCEF.exe
PID 4772 wrote to memory of 2832	4772	AcroRd32.exe	RdrCEF.exe
PID 4772 wrote to memory of 2832	4772	AcroRd32.exe	RdrCEF.exe
PID 4772 wrote to memory of 2364	4772	AcroRd32.exe	RdrCEF.exe
PID 4772 wrote to memory of 2364	4772	AcroRd32.exe	RdrCEF.exe
PID 4772 wrote to memory of 2364	4772	AcroRd32.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 3096	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 2332	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 2332	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 2332	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 2332	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 2332	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 2332	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 2332	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 2332	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 2332	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 2332	2364	RdrCEF.exe	RdrCEF.exe
PID 2364 wrote to memory of 2332	2364	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4c7ebef3c3c7c9a6e65585d82865d53482fc342dcdaed8bc0bb1edf0319ec581.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
PID:1888

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
PID:3360

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
PID:2832

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=36E34C5979DB70C376743D76E6921858 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3096

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B6D721BCE4ECF99DB25B47CDEC1AD7B9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B6D721BCE4ECF99DB25B47CDEC1AD7B9 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2332

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C5BEA9BA0A8C84F6F2F0921470B03FE0 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:5036

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FF79998F8CF8C140A3EF3F5E468CBD32 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1856

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D7F9ABBB7DA9E96CFB857BF59888665E --mojo-platform-channel-handle=1940 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1796

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
PID:1376

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3754DE2148A744BE096277108B4C923F --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:5096

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=751A56ED56CEF8EC194A53C88875AE44 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=751A56ED56CEF8EC194A53C88875AE44 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
3⤵
PID:396

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5C7D63FF4A0795F7CD5A25CE16636942 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3620

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=49E2BE7788C3A3E3767D34ADACE12DC0 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3776

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=758C7CF31FBDE0DA4A87C8DAD095FC6D --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3688

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=691FF4A80FB3D36696A6E663768B4E50 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=691FF4A80FB3D36696A6E663768B4E50 --renderer-client-id=7 --mojo-platform-channel-handle=2228 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1492

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4276

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:5092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links
Filesize
128KB

MD5
aa5dab2312d1574b321e82a45bbe61fd

SHA1
c9eaf0265c348d745375845b3197777b2a079abd

SHA256
f9f6b13a7589f89b5b93a481bb7fb04d357b24ee41397ab8d0af14ccb8ee0136

SHA512
f30c26967dc7baecc00985b1209a7aae6ce33bf3618fd6d5f4e94ad5b0965f081150f5b7210567cea5eba4b5e6e4c6d445cacc5e5fc2bfd3ec01fe4d67907ddc

Download Submit
memory/396-157-0x0000000000000000-mapping.dmp

Download
memory/1376-151-0x0000000000000000-mapping.dmp

Download
memory/1492-171-0x0000000000000000-mapping.dmp

Download
memory/1796-149-0x0000000000000000-mapping.dmp

Download
memory/1856-146-0x0000000000000000-mapping.dmp

Download
memory/1888-130-0x0000000000000000-mapping.dmp

Download
memory/2332-138-0x0000000000000000-mapping.dmp

Download
memory/2364-133-0x0000000000000000-mapping.dmp

Download
memory/2832-132-0x0000000000000000-mapping.dmp

Download
memory/3096-135-0x0000000000000000-mapping.dmp

Download
memory/3360-131-0x0000000000000000-mapping.dmp

Download
memory/3620-160-0x0000000000000000-mapping.dmp

Download
memory/3688-168-0x0000000000000000-mapping.dmp

Download
memory/3776-165-0x0000000000000000-mapping.dmp

Download
memory/4276-175-0x0000000000000000-mapping.dmp

Download
memory/5036-143-0x0000000000000000-mapping.dmp

Download
memory/5092-176-0x0000000000000000-mapping.dmp

Download
memory/5096-154-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads