fd8b2fb37d0f146fef98dd7b6079fe40a4e04879e247f4a37ef12443ccf6c2b3

General

Target

RevoUninstaller_Portable/Revo Uninstaller Help.pdf
Size

1.4MB
MD5

7c770b8371e21ba771f108549941b063
SHA1

44e44e7a8100c0540572cf8314dd1f39211f1134
SHA256

47b002d89da453eb352b176d63e08960ea3e3aa3d7069c8a5e8872621568ac87
SHA512

96691912f5f7dc1eb7e851e8ea6fcdac82d6c92740a2accf0f1a01a4f9f617140fe7e77704e41e918286564606e6065307fdbdf2a6f1ad384b1cfc7cfd4c5b81
SSDEEP

24576:60eF1JSdt+cVqoIQC7ZiBI2cj2MWY8kayZpN5h4Ia4pSyNVzCc8pt:YF1JSd7C712JHinZ75G/DGdWt

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3528 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

3528 AcroRd32.exe
3528 AcroRd32.exe
3528 AcroRd32.exe
3528 AcroRd32.exe

pid	process
3528	AcroRd32.exe

pid	process
3528	AcroRd32.exe
3528	AcroRd32.exe
3528	AcroRd32.exe
3528	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3528 wrote to memory of 1488	3528	AcroRd32.exe	RdrCEF.exe
PID 3528 wrote to memory of 1488	3528	AcroRd32.exe	RdrCEF.exe
PID 3528 wrote to memory of 1488	3528	AcroRd32.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 1216	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe
PID 1488 wrote to memory of 4168	1488	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RevoUninstaller_Portable\Revo Uninstaller Help.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3528

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5D1E8DBC852101F644E9C399EE2E438 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1216

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3C5C47D7D52C1819F14CCAD16FC8C5D3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3C5C47D7D52C1819F14CCAD16FC8C5D3 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4168

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A7F1194C270645716BF47EEE73D7DB4C --mojo-platform-channel-handle=2152 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3544

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3FD14A174984859A38A9854ED9402961 --mojo-platform-channel-handle=2376 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2584

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=ACF48C92D5B8079C2675BA9CB138BED0 --mojo-platform-channel-handle=1892 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1860

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1E31FCE1D5E764720A808D079816392B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1E31FCE1D5E764720A808D079816392B --renderer-client-id=7 --mojo-platform-channel-handle=2156 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:428

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
9de70bfa96a6c1c756b8dcea41fc8622

SHA1
ec3653a33b29949a6361e5caf7a78186b53c1693

SHA256
4727638ae45c7999e86a23ae04a9b6d96abbdd5938c4dc15310de4ffbc8d4199

SHA512
526effcd20fbd593007986d6c12f6e85bda41d67a2ee9f0d0b3aa88711a5938bc427e5f3648aac788c31e3760ddd0793788c1fe5999d9974d083d60749a62a69

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
94cb975f42edafe7d10d3b32c2fa0720

SHA1
06d8f8b8366989c20216d6664d4b159f61563fdf

SHA256
701bb25d41b4396a956ede447e3002433c0a2826812a204d3e4e7d645b59e8ed

SHA512
fd52234d15d48454424869d3245e9f8a8758ea4c275dd5ae410bfb4258f07ca4af177428de753868be410751fdb2521f79be8795cf2353007161ff84f9419c16

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads