9b23ac3682a2849fef0df636b8cdff76f09b6edd8241a2a87918a97f7705a928

General

Target

92e7f06b1114fb53e9fe7257585d3f84_JaffaCakes118.pdf
Size

3KB
MD5

92e7f06b1114fb53e9fe7257585d3f84
SHA1

ae7e1699c607aa83574108f8274ff8488c4b2cec
SHA256

9b23ac3682a2849fef0df636b8cdff76f09b6edd8241a2a87918a97f7705a928
SHA512

e51460acc7c479b21ff789ede52c460fd93c5e18dff4f477590619608e99a29bc715f15bbaebe70aef1e9fa40ab00080a56015ca2eec184c0c5145daa884a033

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 20 IoCs

Processes:

AcroRd32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	AcroRd32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	AcroRd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	AcroRd32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	AcroRd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4116 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

4116 AcroRd32.exe
4116 AcroRd32.exe
4116 AcroRd32.exe
4116 AcroRd32.exe
4116 AcroRd32.exe
4116 AcroRd32.exe

pid	process
4116	AcroRd32.exe

pid	process
4116	AcroRd32.exe
4116	AcroRd32.exe
4116	AcroRd32.exe
4116	AcroRd32.exe
4116	AcroRd32.exe
4116	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4116 wrote to memory of 2668	4116	AcroRd32.exe	RdrCEF.exe
PID 4116 wrote to memory of 2668	4116	AcroRd32.exe	RdrCEF.exe
PID 4116 wrote to memory of 2668	4116	AcroRd32.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 3684	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe
PID 2668 wrote to memory of 4488	2668	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\92e7f06b1114fb53e9fe7257585d3f84_JaffaCakes118.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4116

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4DB00C83D610A515A2BBC86F852BDE32 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3684

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8FEF89BBC6EE486F603EB20E4D20C090 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8FEF89BBC6EE486F603EB20E4D20C090 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4488

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8B33167ABF9A84E099A1BA1D3FF56F25 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1496

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C556710DA7209A570D11767B801FF1C8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C556710DA7209A570D11767B801FF1C8 --renderer-client-id=5 --mojo-platform-channel-handle=1972 --allow-no-sandbox-job /prefetch:1
3⤵
PID:928

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=301C5824135815A6D18E8F1E13359709 --mojo-platform-channel-handle=2676 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3248

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1EC51E6F784B73F34C779700763E522A --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:5112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
b541a74bf4ab4ee03ad6bd09552ccbaa

SHA1
1039248cec291ada19ca80934a41d4a03f3eb597

SHA256
453e693e2e346ca144cf53e1c70df99975ecdf2bf22816bcdb7074375e3b322d

SHA512
91b13bbbf9ab5581f14cf09b647b363230fc9e178efa694acd982145dd2fc8c11410c0b08d4895e23af71da26b82dd2074da7deef376ed2dba02b4ae51affa2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
ddd7fdb2d222727cacfc6e6b8cc05112

SHA1
7f12588cf2238e2b3286ef37910b9dc4373e19c6

SHA256
424f34694c690e1951ea9bb27a2829ecb65a8a0ce16af04458f93b699400bd19

SHA512
0a89b9a9a4cb981254a45f483d42c5c417b88ed8ee35a32a328ef10db0f8e26781dc9d2fc4ced2f3f64e33a9fc45ecc09c9e3b04011acbe353598609928f712b

Download Submit
memory/4116-32-0x000000000C570000-0x000000000C591000-memory.dmp

Filesize
132KB

Download
memory/4116-31-0x000000000C0C0000-0x000000000C36B000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads