4459f7eac498cb42ef46cab1f76b543f99f5c2c8cf354dd51fcbee61bbe622e8

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
10-05-2022 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Supply Chain Agenda.pdf
Size

1.6MB
MD5

1082597094f172b9190fc6f27edd6071
SHA1

dc914329a23f930a1ae06842fbbc8c79dcd429d8
SHA256

4459f7eac498cb42ef46cab1f76b543f99f5c2c8cf354dd51fcbee61bbe622e8
SHA512

91669c0184f8836b70b123d77f9dacc004b324a7a64d7bd5c2067d8cf0c2e54fa9614778d4b89e41730642e3a35848f52c5d02a52c3c9ec4cc80def2e45b476a

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

AdobeCollabSync.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\MuiCache AdobeCollabSync.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid	process
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
2772	AcroRd32.exe
4600	AdobeARM.exe
4600	AdobeARM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

AdobeCollabSync.exeAcroRd32.exe

pid process

504 AdobeCollabSync.exe
2772 AcroRd32.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

AdobeCollabSync.exe

pid process

504 AdobeCollabSync.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

AcroRd32.exeAdobeARM.exe

pid process

2772 AcroRd32.exe
2772 AcroRd32.exe
2772 AcroRd32.exe
2772 AcroRd32.exe
2772 AcroRd32.exe
2772 AcroRd32.exe
4600 AdobeARM.exe

pid	process
504	AdobeCollabSync.exe
2772	AcroRd32.exe

pid	process
504	AdobeCollabSync.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeAdobeCollabSync.exeAdobeCollabSync.exeAdobeCollabSync.exeRdrCEF.exe

description	pid	process	target process
PID 2772 wrote to memory of 612	2772	AcroRd32.exe	AdobeCollabSync.exe
PID 2772 wrote to memory of 612	2772	AcroRd32.exe	AdobeCollabSync.exe
PID 2772 wrote to memory of 612	2772	AcroRd32.exe	AdobeCollabSync.exe
PID 612 wrote to memory of 1996	612	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 612 wrote to memory of 1996	612	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 612 wrote to memory of 1996	612	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 2772 wrote to memory of 504	2772	AcroRd32.exe	AdobeCollabSync.exe
PID 2772 wrote to memory of 504	2772	AcroRd32.exe	AdobeCollabSync.exe
PID 2772 wrote to memory of 504	2772	AcroRd32.exe	AdobeCollabSync.exe
PID 504 wrote to memory of 4564	504	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 504 wrote to memory of 4564	504	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 504 wrote to memory of 4564	504	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 1996 wrote to memory of 3152	1996	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 1996 wrote to memory of 3152	1996	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 1996 wrote to memory of 3152	1996	AdobeCollabSync.exe	FullTrustNotifier.exe
PID 2772 wrote to memory of 2456	2772	AcroRd32.exe	RdrCEF.exe
PID 2772 wrote to memory of 2456	2772	AcroRd32.exe	RdrCEF.exe
PID 2772 wrote to memory of 2456	2772	AcroRd32.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 632	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 5084	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 5084	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 5084	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 5084	2456	RdrCEF.exe	RdrCEF.exe
PID 2456 wrote to memory of 5084	2456	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Supply Chain Agenda.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of WriteProcessMemory
PID:612

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=612
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
4⤵
PID:3152

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:504

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=504
3⤵
PID:4564

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2456

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E58D99C7CCE1DC571F1B40F8188DB7ED --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:632

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=622D75FC69A91B86F3F36931C84D991A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=622D75FC69A91B86F3F36931C84D991A --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
3⤵
PID:5084

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=602D148B9DDECAC357BE89C8F4897B88 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=602D148B9DDECAC357BE89C8F4897B88 --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1
3⤵
PID:1340

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=79880CA05DC7220E9261A8F133E9B32C --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1036

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=95875A1535E5FF8EC4044362C4308652 --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3364

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8FBE9453A12C44C55D17D69DA81E9F38 --mojo-platform-channel-handle=2120 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4312

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4600

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
3⤵
PID:3104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\eac4cf9da8b4acca06ece00ca75105a1.db
Filesize
4KB

MD5
db094082d4f0575ec4b04cb4c4ed7b2f

SHA1
acbf2301b40ac443be9f5af638c7164d3d326a31

SHA256
647d621210c2a281180a1e678b7be08962610a0e1754bd310c5c6c558a8c5c98

SHA512
48e2889a52fbcae6e7c3004e4feb3f4b1ce32c4e441ba05e24f79c869561bbbcb95ecc0ba1e9743595ecd1f9a6480ae5b2f78af20790f037e39e58902b0db2b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\eac4cf9da8b4acca06ece00ca75105a1.db-wal
Filesize
128KB

MD5
cbfdc2ab5f912ca47ae57adc1fb569d2

SHA1
f58c136ddca099657b1c705e54450d340b976ae6

SHA256
c9b2fde63d591d673310380a5f318fdaa2d8fd5fdb3adeacee69f91967571434

SHA512
1125ef00df04a16ae80209ca4a4d8969dcb27d72570a22f5aece154c848a5f6374b1386d59d5831e75174f8dae0e09daa095fd40c371881f235340a5fa108693

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Eureka\AcroCoreSync\CreativeCloud\CoreSync\EntitySync-2022-05-10.log
Filesize
2KB

MD5
cc2a7f57b11bb8175f49f0cb171b0f15

SHA1
aee22afbaac26c2fce21d1dc54a0c5a8e3962e09

SHA256
ecc2981191cf4c973c96d2ac0796006d74a3c09b7513b67fa8b3d2a0435d4358

SHA512
df291eb0ecda67e6246d8819866098c048da8457d5239c0c1ff1c38ae4f20cc1da085cacef4a6b1e92157b9f9cad7cafd57e31c7abb87d6da6eaf8c5cdef59d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
Filesize
92KB

MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
Filesize
92KB

MD5
a0e5cf8935c97c55a7ee6613f09b0025

SHA1
362ebc98e8829fbc1f830bd99748a6310bc3f8dd

SHA256
2af7fc2684742168b03175530f26c977dda73804ffb8c279d8b0e5e736a1286a

SHA512
2b39d869c46aa397d52102e52a9824f61af0b127045f070ed6e3d6020ea16559149646be208d609ba776ba22f5e7ef5eacbe32830e7923c3f4a04a94cb0b9a83

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer
Filesize
92KB

MD5
df2e1492dd0ceec4aec01fff71fb8515

SHA1
88f98d508a7b38fa9692f3211e6ca95004ca437c

SHA256
a4ef14a4c80b6993b96c7f326c0844a9d6f3fb53480008f226ec9bcf1043929c

SHA512
579e2e4e654d2fd29b97c2170c950d74686696c9d42b00b991edec105ecc1e906931657992b023de5ddd9b8d3efd5cc08bb7c3dde8ebbba1b2b57d92458dc507

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18
Filesize
3.0MB

MD5
b983ed67c040146ab7210bcfaac312a0

SHA1
3b7842b1511a5a1e05662eaab98151728bb7b74b

SHA256
720573152843a6709627f34cb73a1380f69699e6a60e5211bd352b3d35371f26

SHA512
d41488b488e41088605a3efb8c45664a8e0568534895ba8293ecf90c2b5deb60c803bcb71cecea8d5361ea173c7d0dbcaed6ad000e51bc4285d9ba7d2204b19a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize
471B

MD5
440eb3ee2a72891d4a6f095b1ea259d5

SHA1
b1234ddb19e3175479bd65c06fd3fc7dda4844ea

SHA256
dd51d916edb47b5cc652d75f5623c9f258a97a15f6be3583b3f9289e3d8a0c11

SHA512
8637290e5f3397232f7c7b7b1ec88a5266a513fc1778e78d7e7ae562ff069f307537eaccd215e1d5f5bbd3c7ba192b8c1dcd257fc85b0dca48714c9df0798ff4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
Filesize
434B

MD5
370479a827ef860bfdbd47dc03a04d0b

SHA1
cf7a117ee9391b859ab544e59202b0aa5cf292c5

SHA256
799a00087035ff4bdb62b346cb6c1fe16c1f10c9fc1eae0609fc29524f850e05

SHA512
08c2b1f56ffe10a61c89ba4ae2e8c271988fd22f108c4586f982b8100b27c1d953499437157a6bf09424190b7aa32b820efb9c339c1105b6b83f7d5f579043d5

Download Submit
memory/504-132-0x0000000000000000-mapping.dmp

Download
memory/612-130-0x0000000000000000-mapping.dmp

Download
memory/632-147-0x0000000000000000-mapping.dmp

Download
memory/1036-160-0x0000000000000000-mapping.dmp

Download
memory/1340-155-0x0000000000000000-mapping.dmp

Download
memory/1996-131-0x0000000000000000-mapping.dmp

Download
memory/2456-143-0x0000000000000000-mapping.dmp

Download
memory/3104-169-0x0000000000000000-mapping.dmp

Download
memory/3152-142-0x0000000000000000-mapping.dmp

Download
memory/3364-163-0x0000000000000000-mapping.dmp

Download
memory/4312-166-0x0000000000000000-mapping.dmp

Download
memory/4564-133-0x0000000000000000-mapping.dmp

Download
memory/4600-168-0x0000000000000000-mapping.dmp

Download
memory/5084-150-0x0000000000000000-mapping.dmp

Download