Malware Analysis Report

2025-01-18 22:47

Sample ID 230521-z83rxsfd2s
Target 304a28d5e9010331c8f183b5932d0420410cf5e749f84cdd02d9992abd397285
SHA256 304a28d5e9010331c8f183b5932d0420410cf5e749f84cdd02d9992abd397285
Tags
pdf javascript metasploit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

304a28d5e9010331c8f183b5932d0420410cf5e749f84cdd02d9992abd397285

Threat Level: Known bad

The file 304a28d5e9010331c8f183b5932d0420410cf5e749f84cdd02d9992abd397285 was found to be: Known bad.

Malicious Activity Summary

pdf javascript metasploit

Metasploit family

PDF contains one or more embedded files

PDF contains JavaScript

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-21 21:24

Signatures

Metasploit family

metasploit

PDF contains JavaScript

pdf javascript

PDF contains one or more embedded files

pdf

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-21 21:24

Reported

2023-05-21 21:26

Platform

win7-20230220-en

Max time kernel

150s

Max time network

31s

Command Line

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\304a28d5e9010331c8f183b5932d0420410cf5e749f84cdd02d9992abd397285.pdf"

Signatures

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_Classes\Local Settings C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\304a28d5e9010331c8f183b5932d0420410cf5e749f84cdd02d9992abd397285.pdf"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-21 21:24

Reported

2023-05-21 21:26

Platform

win10v2004-20230220-en

Max time kernel

141s

Max time network

131s

Command Line

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\304a28d5e9010331c8f183b5932d0420410cf5e749f84cdd02d9992abd397285.pdf"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000026ab876c5b45d901fac76a6f5b45d9019b3eaa705b45d90114000000 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3468 wrote to memory of 2636 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3468 wrote to memory of 2636 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 3468 wrote to memory of 2636 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4276 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2636 wrote to memory of 4052 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\304a28d5e9010331c8f183b5932d0420410cf5e749f84cdd02d9992abd397285.pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=54F53D1F148F2D959F166461B49B9930 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=54F53D1F148F2D959F166461B49B9930 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B08C8747674A06DC8BC2D03DA6BC36E9 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=86A18CFAB371B3349ACEAB64A5B79574 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=86A18CFAB371B3349ACEAB64A5B79574 --renderer-client-id=4 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=661FF006013A5B0AAB559F022A9249DD --mojo-platform-channel-handle=2356 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=543ABDC165D87E2E0A4284FD456EAD0A --mojo-platform-channel-handle=2672 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1E04A18DEC6CB2AE84A840F6FCD4035D --mojo-platform-channel-handle=2680 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\form.pdf"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 135.112.223.173.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 123.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 20.189.173.15:443 tcp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 9361cc0c03a9e42a528a040dc75b3f78
SHA1 9ec68f162aeeeb9e4a6e08a8bc46f54937aaac5f
SHA256 e5af803043ef49db37e54c2389692a9e5974f33500912dbcf6927f11fdccce39
SHA512 6a8094a2cf8ccc67bc5e41900013bebdb7f47e01ff4dd6e9feeafb86cfd79e2230cfc8227d6f6694c8ff18a87d861364627f9891e37db7df8ab157b75d534aad

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 2c22c779b4af9db91750407fdb58ae11
SHA1 28be3bf0b159d0939a8abe053e5697be325009b2
SHA256 cbbe3cf1b012fa48017d0378fe73c2b9edbcd839eb6c0a9bde30892853827583
SHA512 1d7be79f0006f9b40229fd77e1414d9576fe489b252c0b0f572898d98e46eb7a9ec5fda0f318594f2126694dcbee2ddaf15fc6e5f8798a8995729210e20c188e