31e2ac1d5595bba0ab7edbb7275f3eb35e4f68c640ae7bb8ec35401199efb55c

Analysis

max time kernel
142s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

W-8BEN-E Entities.pdf
Size

307KB
MD5

e6131315346a213ee805a4f8ed881770
SHA1

483153589d2dfa11fd4ca1c314cb8ba57dfc2986
SHA256

d67fc5abae5af11df5d6168a60f7a7e7f27044efa63f660cb76c0e47a241ef6e
SHA512

3acd63de95e25384332939353593bf44fe7bb6e3fed9e2abb3262cc9cf426845069311e321c22cdeaa497a3c5c896932818895ee76e261a9c298912c018fcf67
SSDEEP

3072:HoCqxzVjAIZVa8t8Qfk6V61eK4Ib4Z63n1qsmqU+BIjzrYbqvGKjgh96AXTdz:bszVjAAainfkmfLXkGvFjgD6mTN

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AdobeCollabSync.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeAcroRd32.exeAdobeCollabSync.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeFullTrustNotifier.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FullTrustNotifier.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

AdobeCollabSync.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\MuiCache AdobeCollabSync.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe
4848	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4848 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

4848 AcroRd32.exe
4848 AcroRd32.exe
4848 AcroRd32.exe
4848 AcroRd32.exe
4848 AcroRd32.exe
4848 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeAdobeCollabSync.exeRdrCEF.exe

description	pid	process	target process
PID 4848 wrote to memory of 464	4848	AcroRd32.exe	AdobeCollabSync.exe
PID 4848 wrote to memory of 464	4848	AcroRd32.exe	AdobeCollabSync.exe
PID 4848 wrote to memory of 464	4848	AcroRd32.exe	AdobeCollabSync.exe
PID 464 wrote to memory of 1384	464	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 464 wrote to memory of 1384	464	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 464 wrote to memory of 1384	464	AdobeCollabSync.exe	AdobeCollabSync.exe
PID 4848 wrote to memory of 3504	4848	AcroRd32.exe	RdrCEF.exe
PID 4848 wrote to memory of 3504	4848	AcroRd32.exe	RdrCEF.exe
PID 4848 wrote to memory of 3504	4848	AcroRd32.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 2408	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 848	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 848	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 848	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 848	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 848	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 848	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 848	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 848	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 848	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 848	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 848	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 848	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 848	3504	RdrCEF.exe	RdrCEF.exe
PID 3504 wrote to memory of 848	3504	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\W-8BEN-E Entities.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=464
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1384
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
      4⤵
      System Location Discovery: System Language Discovery
      PID:1188
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=935DFDC0EFC932CD75753C0B07BC51AA --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=24BD50A521E4D139F006CB7C877A9D44 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=24BD50A521E4D139F006CB7C877A9D44 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:848
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0656085D9293D5D3B04996958C2A9154 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:372
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B26BAEDC43FF6A8B4DE070AC29F4A71B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B26BAEDC43FF6A8B4DE070AC29F4A71B --renderer-client-id=5 --mojo-platform-channel-handle=2444 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1528
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=135B341854ABF6811C0FDF353018C2FE --mojo-platform-channel-handle=1952 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:816
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1D327EFD09ABF93E818D0B32C73D4487 --mojo-platform-channel-handle=2552 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3812,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=1436 /prefetch:8
1⤵
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
f24371fb076320473841c4d7b4c90003

SHA1
c306a5081b5c86187b852d8c3dc17cde90d208c9

SHA256
8c3543498deb0508a3e4c4304b7288e190a39584d5ac3f7cc43511c6c3abea52

SHA512
83d04bf82d5e578d7b8676459393cad61fc0e1fd772c6b10b620a24d5eb892a8c7645e14b18b2d03f62bafc0b055bcaf494cf2005c86b07acf4a05e3177500db

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
f1992bef72b18a0411b366f6f4941acf

SHA1
4810209e085cfbd5b6674bd9bc47b5567b24c286

SHA256
7c520c5b7757914776415c03e6bc3134b0ed0492776f6a9a1569a82e8009b4a7

SHA512
3d26812c13aa9dfb6f76c3c0ea33153a62844af1f79db4ffbd594b93473351a5f51afb4ee835cc9be637bcb8acdfc5e61b1464cf34770b60be3d25953be95b20

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
67987375772d49f0e9b1c36f30103fac

SHA1
6bc547d0a5316e2d4c3dd40743492c4df1b5ebe1

SHA256
f69ce590cea7a20e972f473ac18aea88660fbd10a7e22aa86412c52fdd9ff1b6

SHA512
ff0f70298c1746d8530fa24c106a4acb4b62dedc2783a928019859dd5d4575cab66a428af075d69486fb532b882b55a349da9174f5289e1a6851fe408229939f

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18

Filesize
3.6MB

MD5
4761e9e5022ad59232d3ff1d6365fc28

SHA1
2fbb4de0513928aaf315dba85359cc2e475f90d3

SHA256
52089e103b099774a479dc435d5902b82c85a458522d9ea52657c3011405c58c

SHA512
3cc9497e99bf308b2f90ba2d45bb36f8b765fc184d457d06f63fcf0f4d74fc55d4a450878d1ca713fa6f9b70850e96c6b5fd3af9e84e3dde7e597f520b0d5f90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
d5fdfaf5e0813ba512c3d6785be9fa41

SHA1
723982f8b65118b05a8c3fab44c20d144424fe06

SHA256
75ef8323eab42ba6d5fbfd2e88ff74f5a2a57ab5aa5f1155411d490f0fd686af

SHA512
d7c719947c14f66d817cbba9ee74f8f5855bd769abd3d5c66df3af187ea0480d576f0f0608b1e0f2e7d9304d3a24293be1d10a3676deed27274eb895248e8570

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
77b93fac9dea365b49c0da2ed8d9d428

SHA1
06ff9c49a6d0c1129c152894aefe4739b5066862

SHA256
a78a80bb8a5ae53f6544321413b93fa5235a500d1707614f2a477fbb0eca7f18

SHA512
d5c21e4f08e5a0de394134950a5c396111fe7aec580c18e6f1ba031b1c39f2ebba9a36a6e578fcf26b8f2e1f96de563b2b2865292baaac8149ce57bd53f079c7

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
595efd5df74d07c41cc8365caab3e620

SHA1
e6da8e54d95d243ce9cbe8a07ab78e2f54048a6e

SHA256
03ccddc4bef22b39dd0b055de4db336290ee665f23b8bfcf6a6a7e4c5af16aeb

SHA512
60e19c46ba2fbf677af237fbaa0f07348e77e649f6d11e1c013d797b3f49549f0ec80095c8ff7c90b3c7c82a0a70bf5f65d1102986221ecc726ab30f2d4fc92f

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
428e45fc06243da01fe1f0a1d13fca94

SHA1
5eef2ba26fca26fa7907b80560943a061750c45f

SHA256
7fa4b552073823a464aa7812481a263c625a68024a12dac1f2294f1872af9afd

SHA512
5a92c521a7a9ff007193f37fe71c4f4405df38abd24f307b6f9fa7dc127f793957f7ad51e4b2e98d973a2f451af73982eac3ceacc182c7cf345e4b4c8d85312b

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
14KB

MD5
947f93fe0eed44767626846f28cfde05

SHA1
f6276d2a2b4a9d8a8e23c84019cd3961e9d60e88

SHA256
06a576fc14e995c437b26c0d150b4e84cd745e7cedfd972a84b42b51c842fc9b

SHA512
f97739eb0d22a99b06ef340aefb0d5a5b45b679d28accff3de2565166392c7d2fabaa33f945696f7d456ba2ef323f48e43eb26578f71c8b2e8ed32fb4dc69bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
5.4MB

MD5
a1704864c4cf60bee94efcf0bc41820d

SHA1
397b15d6f4e34164f08ee1fb560b32bf02e57181

SHA256
7a969b1616fe584ef8c6fa03258b43e43785001bb2e2effc86848ffa2aae7d06

SHA512
bd96aa47c4d2d83af91cff0a838979729ac93913ca16132ebd5e795292daca28a298407e9fe439b365878c12ef13c64e6257caf5efbb8fe84010bd626eccc2cc

Download Submit