hxxps://monitoring[.]electrificationtools[.]abb[.]com/assets/roboto-mono-latin-wght-normal-DGRqvGGI[.]woff2

Analysis

max time kernel
60s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://monitoring.electrificationtools.abb.com/assets/roboto-mono-latin-wght-normal-DGRqvGGI.woff2

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133621047283522919"	chrome.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\woff2_auto_file\shell\Read\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\woff2_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\woff2_auto_file\shell\Read	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\woff2_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.woff2\ = "woff2_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.woff2	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\woff2_auto_file	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4252	chrome.exe
4252	chrome.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4816	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4252	chrome.exe
4252	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4484	AcroRd32.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
4816	OpenWith.exe
4816	OpenWith.exe
4816	OpenWith.exe
4816	OpenWith.exe
4816	OpenWith.exe
4816	OpenWith.exe
4816	OpenWith.exe
4816	OpenWith.exe
4816	OpenWith.exe
4816	OpenWith.exe
4816	OpenWith.exe
4816	OpenWith.exe
4816	OpenWith.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe
4484	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 1316	4252	chrome.exe	83
PID 4252 wrote to memory of 1316	4252	chrome.exe	83
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 3764	4252	chrome.exe	84
PID 4252 wrote to memory of 2536	4252	chrome.exe	85
PID 4252 wrote to memory of 2536	4252	chrome.exe	85
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86
PID 4252 wrote to memory of 2152	4252	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://monitoring.electrificationtools.abb.com/assets/roboto-mono-latin-wght-normal-DGRqvGGI.woff2
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9272bab58,0x7ff9272bab68,0x7ff9272bab78
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1888,i,13927419151915195085,13586058142905143095,131072 /prefetch:2
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1888,i,13927419151915195085,13586058142905143095,131072 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1888,i,13927419151915195085,13586058142905143095,131072 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1888,i,13927419151915195085,13586058142905143095,131072 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1888,i,13927419151915195085,13586058142905143095,131072 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1888,i,13927419151915195085,13586058142905143095,131072 /prefetch:8
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1888,i,13927419151915195085,13586058142905143095,131072 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1888,i,13927419151915195085,13586058142905143095,131072 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4176 --field-trial-handle=1888,i,13927419151915195085,13586058142905143095,131072 /prefetch:8
  2⤵
  PID:1988

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4816
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\roboto-mono-latin-wght-normal-DGRqvGGI.woff2"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4484
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:4392
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BEA96E774A95FE7843EE8EE9288133EC --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:752
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=63BC2E823BEE33F04EC0E17ED5591E7E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=63BC2E823BEE33F04EC0E17ED5591E7E --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4816
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CCE9FEE9DB6316855C51F258986A4D7E --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4568
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DDD30888DDACA0DF9048C3E39028A0B1 --mojo-platform-channel-handle=1928 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3100
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B32D2D0E00496850B0D62802598490A2 --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3352
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7A333A954C90A4CC3F65BBEF84C70E3E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7A333A954C90A4CC3F65BBEF84C70E3E --renderer-client-id=8 --mojo-platform-channel-handle=2408 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
773224e41e9cc90cd989c6486dbff311

SHA1
46eeae9e9949b3bc0e47eecb37a94f621fa57fa6

SHA256
fef964c8ccaac58f60fc33e6e000f1b2b709ca4490c255abf927458ac630e398

SHA512
4a9b02587231331c543d3df957b01f8a75684119e5c4f92955546a5a7459f775e6cfabd5de61e1eba8021b90cfdc60efddbdc7267b7e32c3e0cc7c43052bf83a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
fe4374ab73b6975ecbc411b14e0ec005

SHA1
c4b59a332afcdb448c33469c84ea011b875a8447

SHA256
e45e1cc5a514eb8567e181212df477b9e0d4adaaa9cda27c90c528a1f7dbf1ad

SHA512
0661ff40b3ae9d2d85a86ab1baf1f5bd1514e258453f4a2fc6520471b72aa6083d5e2a82afbb6eb13c0a11a88cc0fe6297644a7d8e60643a93a34f65e3ea882a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
306f507e7e47b854cc7feb8e5e91c4dd

SHA1
25ab7432a0e724ff5581f5cf8c52f61e40b6ac25

SHA256
14ff86812dd6c9463245e0edc908d1a037aeaafbd63f6ab6818fe1f2d3405f2d

SHA512
d8a5f6e14db4925c99831daaf43a00c4191dcf29ae6c3dc6a6c6d9dc70efc6e3c34b5c2849794ab5a41196bd7c565c4725e0025db3ff3b57fa697225c973003e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
892a866233a3a239d2ac5dcf22134828

SHA1
0f0371284cca7f401cb8e8e49c38baf95476cfa0

SHA256
944c186d47d16f77fc1f166c79f53cbd07c7bcbc151268c046e45e86d41ab5bf

SHA512
39af9084fcafe5e5a3514503613c7d3c8a3a4b913105f73599e927965920e7bf3149e74486b4a2890bd320b61be29e1b16388d0a63b4c20167e2f46f98edc374

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
650cd8273d802994b370d714446c5496

SHA1
ff0b1e88d7ac05ee5d66600727e93e85fe2ab8e2

SHA256
25f3d45b63ad43344362b246d1c8138b45255f76cacf9ec97ba00f464ad54715

SHA512
4efd38ba9fda1590d506e3c3639e590db64af6de0c162d0cfe64c2f6e3207da373f765d4136ad46cca8708e96311ae63867a119f4d094b97cee89231abb6a2bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57acca.TMP

Filesize
94KB

MD5
b16e6591d30188bd0070320c6176768f

SHA1
e899e639459f7c1797e85388303a7236700a5ad2

SHA256
c949e530903bcaff838ab46edc6b4493a7f8641c513d3b56744c5991d480de5a

SHA512
a12823f22052a9cb7d35f84a1ba6f8dd1632b47f72c114ea774e13660fb5a1db2598b42c24de31a85b99ac0dcfab0233d2e2ec00bd7b85f2c4ff48331ade2ee1

Download Submit
C:\Users\Admin\Downloads\roboto-mono-latin-wght-normal-DGRqvGGI.woff2

Filesize
32KB

MD5
1756e80858412bdcfbdbcb28acfd98c7

SHA1
6915043546ef69661d294911b08fa42c5dc325ae

SHA256
47388fbc1a8fbcd4fbd9a1b184144f5e87239866538593ea87cd496a6d0f61c5

SHA512
f36b5dac7fcd1828777d75247cb565999f88a7a91aac11e74a2f6fe9a106e98713d1db5893f2973b77ea59d546a3cc79bbf0820aa8b070caabbe52c33c8f26c0

Download Submit