Overview
Analysis
- max time kernel: 142s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-08-2024 23:13
Behavioral tasks
- behavioral1: W8 or Certificate of Non-US Status Forms.pdf (resource: win7-20240704-en)
- behavioral2: W8 or Certificate of Non-US Status Forms.pdf (resource: win10v2004-20240802-en)
- behavioral3: Certificate of Non-US Status.pdf (resource: win7-20240705-en)
- behavioral4: Certificate of Non-US Status.pdf (resource: win10v2004-20240802-en)
- behavioral5: W-8BEN Individuals.pdf (resource: win7-20240704-en)
- behavioral6: W-8BEN Individuals.pdf (resource: win10v2004-20240802-en)
- behavioral7: W-8BEN-E Entities.pdf (resource: win7-20240729-en)
- behavioral8: W-8BEN-E Entities.pdf (resource: win10v2004-20240802-en)
- behavioral9: W-8ECI Income connected with trade and business.pdf (resource: win7-20240708-en)
- behavioral10: W-8ECI Income connected with trade and business.pdf (resource: win10v2004-20240802-en)
- behavioral11: W-8EXP Tax Exempt.pdf (resource: win7-20240708-en)
- behavioral12: W-8EXP Tax Exempt.pdf (resource: win10v2004-20240802-en)
- behavioral13: W-8IMY Foreign Partnership.pdf (resource: win7-20240708-en)
- behavioral14: W-8IMY Foreign Partnership.pdf (resource: win10v2004-20240802-en)
General
- Target: W-8EXP Tax Exempt.pdf
- Size: 123KB
- MD5: 6277a14af3ddadc765720bf6c0b0cfc6
- SHA1: 437cb905bb73b67b1e230343ae32923da3b09674
- SHA256: c3d48afbd34a08aeb81cee280e1645a84bc06f0351c20704f7dd98694d736475
- SHA512: eb3077f74e09a025ceb905ddc4807de5a5836ab6fa141a3e7b8cce13d338534e84077884824a95255901789df005dae3cf34dc2bed693ab9bee5ca10d4022a67
- SSDEEP: 3072:3nHwIBqfeSiim8BeKC7/tfxjPhaFpxovHKaC:dqGS3sAFMvHpC
Malware Config
Signatures
- System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: AdobeCollabSync.exe, RdrCEF.exe, FullTrustNotifier.exe, AcroRd32.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AdobeCollabSync.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FullTrustNotifier.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AdobeCollabSync.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: AcroRd32.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Modifies Internet Explorer settings (1 IoCs)
  Processes: AcroRd32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Modifies registry class (1 IoCs)
  Processes: AdobeCollabSync.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\MuiCache | AdobeCollabSync.exe
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes: AcroRd32.exe
  pid | process
  1564 | AcroRd32.exe (20 identical entries)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: AcroRd32.exe
  pid | process
  1564 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: AcroRd32.exe
  pid | process
  1564 | AcroRd32.exe (6 identical entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: AcroRd32.exe, AdobeCollabSync.exe, RdrCEF.exe
  description | pid | process | target process
  PID 1564 wrote to memory of 2292 | 1564 | AcroRd32.exe | AdobeCollabSync.exe (3 entries)
  PID 2292 wrote to memory of 4864 | 2292 | AdobeCollabSync.exe | AdobeCollabSync.exe (3 entries)
  PID 1564 wrote to memory of 4860 | 1564 | AcroRd32.exe | RdrCEF.exe (3 entries)
  PID 4860 wrote to memory of 2832 | 4860 | RdrCEF.exe | RdrCEF.exe (41 entries)
  PID 4860 wrote to memory of 952 | 4860 | RdrCEF.exe | RdrCEF.exe (14 entries)
Processes
- AcroRd32.exe (PID 1564)
  Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\W-8EXP Tax Exempt.pdf"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - AdobeCollabSync.exe (PID 2292, child of 1564)
    Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - AdobeCollabSync.exe (PID 4864, child of 2292)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=2292
      Signatures:
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - FullTrustNotifier.exe (PID 4916, child of 4864)
        Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
        Signatures:
        - System Location Discovery: System Language Discovery
  - RdrCEF.exe (PID 4860, child of 1564)
    Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - RdrCEF.exe (PID 2832, child of 4860)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=84581F322BF9DDCB839F62A1ABA7C1F1 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      Signatures:
      - System Location Discovery: System Language Discovery
    - RdrCEF.exe (PID 952, child of 4860)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8920B0823966789AEE869E75702FB56B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8920B0823966789AEE869E75702FB56B --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
      Signatures:
      - System Location Discovery: System Language Discovery
    - RdrCEF.exe (PID 2644, child of 4860)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3DA522406910C41D6EDF5835A51FA241 --mojo-platform-channel-handle=2284 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      Signatures:
      - System Location Discovery: System Language Discovery
    - RdrCEF.exe (PID 2992, child of 4860)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=70FE1F3BE5F1974A0A52B84339F7EBA9 --mojo-platform-channel-handle=1900 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      Signatures:
      - System Location Discovery: System Language Discovery
    - RdrCEF.exe (PID 1768, child of 4860)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FB5829A341F2B5EAA314BBF824BA9074 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      Signatures:
      - System Location Discovery: System Language Discovery
    - RdrCEF.exe (PID 1684, child of 4860)
      Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=24DFD9F5ACC095922A6D969386599722 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=24DFD9F5ACC095922A6D969386599722 --renderer-client-id=7 --mojo-platform-channel-handle=1864 --allow-no-sandbox-job /prefetch:1
      Signatures:
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 36KB
  MD5: b30d3becc8731792523d599d949e63f5
  SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
  SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
  SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
- Filesize: 56KB
  MD5: 752a1f26b18748311b691c7d8fc20633
  SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
  SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
  SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
- Filesize: 64KB
  MD5: 9a265ce8e7d6fe868399f07ecf09cec0
  SHA1: 942d3f71d7b9dc419ed221e57664a3bf6bf85ced
  SHA256: b94528b1dfb216ab189741c2dca94c6de21a1e58eca38fe59ca0c1b62d65b26d
  SHA512: 74b574c7b8b42cbf31300bcc106c752e3b5bf63a0ab1a89cd7a7552874a0d3fd67c7817cec0151e6ac12005237de52331e3f2f7abc3b2b0dfc8828804e9cebbb
- Filesize: 92KB
  MD5: 9cf5252bddf6052adfc673eda2e22fc5
  SHA1: aee4ad65453c43c3d48aaed36b58f86572065d49
  SHA256: 57b51820254b5e69284407274750367b86bd58e0f6719455147e04b651b4696d
  SHA512: d67a793c144db196e885db96abb0e13d900430b13cb311d169a29ec7617199a799e9d8121176e8c4df942eb0f1e351055a0eab9490b4fc4e984a101bb111d7df
- Filesize: 92KB
  MD5: 245950c48f668cf2fcb3c64778e64089
  SHA1: 3a5a14c820f58e35a3fc6f5de29669f0840587d8
  SHA256: a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307
  SHA512: 4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d
- Filesize: 92KB
  MD5: aebe0d2eb7a2077a55e57a955e62406a
  SHA1: 3f811b8148f12220f4b45699135e6d21c9847d8a
  SHA256: 87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a
  SHA512: efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed
- Filesize: 92KB
  MD5: f348a94281f7b522ab5c3bedd3a5c22b
  SHA1: 473fea0883eb101ab577c88ad11a69edce0b2f83
  SHA256: 4369ec7dbb6e479915b93a21d5bf23e5a2cb4ad974d7ef1d7baf32efbdd1f637
  SHA512: 5508b464e74f05c7b1b5acbe582ec72240c437e17667b17aec763e7bf0d903310577f83683a8d14d5dcef57efd38b2ab6fa686c6fbda3e517e39c39bb6cc3996
- Filesize: 3.6MB
  MD5: 4761e9e5022ad59232d3ff1d6365fc28
  SHA1: 2fbb4de0513928aaf315dba85359cc2e475f90d3
  SHA256: 52089e103b099774a479dc435d5902b82c85a458522d9ea52657c3011405c58c
  SHA512: 3cc9497e99bf308b2f90ba2d45bb36f8b765fc184d457d06f63fcf0f4d74fc55d4a450878d1ca713fa6f9b70850e96c6b5fd3af9e84e3dde7e597f520b0d5f90
- Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
  Filesize: 471B
  MD5: d5fdfaf5e0813ba512c3d6785be9fa41
  SHA1: 723982f8b65118b05a8c3fab44c20d144424fe06
  SHA256: 75ef8323eab42ba6d5fbfd2e88ff74f5a2a57ab5aa5f1155411d490f0fd686af
  SHA512: d7c719947c14f66d817cbba9ee74f8f5855bd769abd3d5c66df3af187ea0480d576f0f0608b1e0f2e7d9304d3a24293be1d10a3676deed27274eb895248e8570
- Path: C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
  Filesize: 400B
  MD5: 924666d0d0d0430221d2f4c46c67ea92
  SHA1: bcbc20a480123bae418bd13cdae965a778c298a2
  SHA256: 4fb3e380e49e1b7b0750e9c6f210c6c1924a6e63b3076892ed0e7973b41b8c23
  SHA512: f40cec225b5ff396b114a2f93ef2c79207668216a6d7b4c3d4343a4a9fd13e93638e5e3331a9d609395b9b254404aa9b4222dbf926061059a80ec156974f9b44
- Filesize: 12KB
  MD5: 2fc5f015a6845543996d8d02cdd17a80
  SHA1: d7de7d5b763943d011f6fbf0dbc677ff38541ade
  SHA256: 3c95ab9bc66fb9266d5caafc582b97201569af9e01583b46e8abc044d0a21385
  SHA512: 36469ad7ea67f1f8c9a20cf28b6f0b28a852c53fdbfc2a8349f07190d81a33033deb81d6e88175af9eb499257353ee3cada118de7b55807d7cd277e3a23137af
- Filesize: 12KB
  MD5: 6475e399905aef8c31a3db9368974332
  SHA1: 363e39b75aebb20b7490ac7d908a1dcf3b9b145d
  SHA256: be47e3de2340a13a9013320a188a91e494270c92f54445f34898c938b66b6afa
  SHA512: ec76db9e16a93689cb45bb51bfb40af448184a543ce55cbeea465833ab0fcf780b6385d667d0c612f6b87eaee5d8ad54955d24aafb7027d5ee689504cd55b402
- Filesize: 14KB
  MD5: 947f93fe0eed44767626846f28cfde05
  SHA1: f6276d2a2b4a9d8a8e23c84019cd3961e9d60e88
  SHA256: 06a576fc14e995c437b26c0d150b4e84cd745e7cedfd972a84b42b51c842fc9b
  SHA512: f97739eb0d22a99b06ef340aefb0d5a5b45b679d28accff3de2565166392c7d2fabaa33f945696f7d456ba2ef323f48e43eb26578f71c8b2e8ed32fb4dc69bc9
- Filesize: 5.4MB
  MD5: a1704864c4cf60bee94efcf0bc41820d
  SHA1: 397b15d6f4e34164f08ee1fb560b32bf02e57181
  SHA256: 7a969b1616fe584ef8c6fa03258b43e43785001bb2e2effc86848ffa2aae7d06
  SHA512: bd96aa47c4d2d83af91cff0a838979729ac93913ca16132ebd5e795292daca28a298407e9fe439b365878c12ef13c64e6257caf5efbb8fe84010bd626eccc2cc