Sample: e0d7fadbfdc8eaad4071e6d99698f460f9eae7ddd1b27e2d21028dbd10fa0d5a.pdf
Size: 1MB
Analysis date: 21-05-2022 11:29
Task: behavioral2
MD5: c53186df717d8037ff5edb0fc9736dda
SHA1: 510cf2f79270303ca5a18474ca541d0ecb20c599
SHA256: e0d7fadbfdc8eaad4071e6d99698f460f9eae7ddd1b27e2d21028dbd10fa0d5a
SHA512: 4a3b8fd9d1fe648373b1f3b90e53b726c62da083feb6e70345dcd8386c04b77e85a12367e74278467e092e4a5b30f9c8c5f7174f7a83de72d951db36b763eb10
Filter: none
Checks processor information in registry (AcroRd32.exe)
Description
Processor information is often read in order to detect sandboxing environments.
Reported IOCs
description        ioc                                                                              process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                 AcroRd32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            AcroRd32.exe
Modifies Internet Explorer settings (AcroRd32.exe)
Reported IOCs
description  ioc                                                                                                                                              process
Key created  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe
Suspicious behavior: EnumeratesProcesses (AcroRd32.exe, AdobeARM.exe)
Reported IOCs
pid   process
2320  AcroRd32.exe
3324  AdobeARM.exe
Suspicious use of FindShellTrayWindow (AcroRd32.exe)
Reported IOCs
pid   process
2320  AcroRd32.exe
Suspicious use of SetWindowsHookEx (AcroRd32.exe, AdobeARM.exe)
Reported IOCs
pid   process
2320  AcroRd32.exe
3324  AdobeARM.exe
Suspicious use of WriteProcessMemory (AcroRd32.exe, RdrCEF.exe)
Reported IOCs
description                     pid   process       target process
PID 2320 wrote to memory of 1740  2320  AcroRd32.exe  RdrCEF.exe
PID 2320 wrote to memory of 4512  2320  AcroRd32.exe  RdrCEF.exe
PID 1740 wrote to memory of 4196  1740  RdrCEF.exe    RdrCEF.exe
PID 1740 wrote to memory of 2384  1740  RdrCEF.exe    RdrCEF.exe
Processes

Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\e0d7fadbfdc8eaad4071e6d99698f460f9eae7ddd1b27e2d21028dbd10fa0d5a.pdf"
Signatures: Checks processor information in registry; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Signatures: Suspicious use of WriteProcessMemory

Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F5336F26ED704CD5E592344717853290 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1AC4375B02753C86E37358D19083B6CC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1AC4375B02753C86E37358D19083B6CC --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1

Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=224108DB08174FAA85EF5257578513DD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=224108DB08174FAA85EF5257578513DD --renderer-client-id=4 --mojo-platform-channel-handle=2172 --allow-no-sandbox-job /prefetch:1

Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=912F00EC03A34E246CC7D139295075D4 --mojo-platform-channel-handle=2440 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=879BDDDBEC7EA4229D2A2F57AFA7ACC9 --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=490B1E3FA712FF2F72E128E3447C4B56 --mojo-platform-channel-handle=2688 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Command line: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx

Process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
Memory dumps
memory/1460-152-0x0000000000000000-mapping.dmp
memory/1740-130-0x0000000000000000-mapping.dmp
memory/2384-136-0x0000000000000000-mapping.dmp
memory/3324-154-0x0000000000000000-mapping.dmp
memory/4048-155-0x0000000000000000-mapping.dmp
memory/4064-149-0x0000000000000000-mapping.dmp
memory/4196-133-0x0000000000000000-mapping.dmp
memory/4512-131-0x0000000000000000-mapping.dmp
memory/4564-146-0x0000000000000000-mapping.dmp
memory/4916-141-0x0000000000000000-mapping.dmp