a1ab2444e344b62b37054748a0b1355f0c5e48bd710f2628ebaedcb178292970

Resubmissions

22-08-2024 02:35

240822-c2575svalf 4

22-08-2024 02:31

240822-czs5ssxgpn 5

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PHISHING EMAIL SCAM ALERT - Midea 2024.pdf
Size

389KB
MD5

00cd3cf63c441547a5db94f99b53087a
SHA1

e8f679f644a53773adedb049a7d5f6024b3b52c8
SHA256

a1ab2444e344b62b37054748a0b1355f0c5e48bd710f2628ebaedcb178292970
SHA512

b45dda676009257eb3f97ea3773fa3921869b7438e7aabee72bac236f3d6dfa2efc5cde5f0ecfb2a9c23576d2dd9304b5f0c16f3e32050b4c9309f05ed3036f2
SSDEEP

12288:edMznsHW8PsYHZtcBJmRgl5h60xs+FGyG5rez:edQ2yJugZ6nF3sz

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FullTrustNotifier.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
336	msedge.exe
336	msedge.exe
4776	msedge.exe
4776	msedge.exe
1784	identity_helper.exe
1784	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3908	AcroRd32.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe
3908	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 2384	3908	AcroRd32.exe	89
PID 3908 wrote to memory of 2384	3908	AcroRd32.exe	89
PID 3908 wrote to memory of 2384	3908	AcroRd32.exe	89
PID 2384 wrote to memory of 1924	2384	AdobeCollabSync.exe	90
PID 2384 wrote to memory of 1924	2384	AdobeCollabSync.exe	90
PID 2384 wrote to memory of 1924	2384	AdobeCollabSync.exe	90
PID 1924 wrote to memory of 1644	1924	AdobeCollabSync.exe	96
PID 1924 wrote to memory of 1644	1924	AdobeCollabSync.exe	96
PID 1924 wrote to memory of 1644	1924	AdobeCollabSync.exe	96
PID 3908 wrote to memory of 4776	3908	AcroRd32.exe	112
PID 3908 wrote to memory of 4776	3908	AcroRd32.exe	112
PID 4776 wrote to memory of 5100	4776	msedge.exe	113
PID 4776 wrote to memory of 5100	4776	msedge.exe	113
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 2532	4776	msedge.exe	114
PID 4776 wrote to memory of 336	4776	msedge.exe	115
PID 4776 wrote to memory of 336	4776	msedge.exe	115
PID 4776 wrote to memory of 4252	4776	msedge.exe	116
PID 4776 wrote to memory of 4252	4776	msedge.exe	116
PID 4776 wrote to memory of 4252	4776	msedge.exe	116
PID 4776 wrote to memory of 4252	4776	msedge.exe	116
PID 4776 wrote to memory of 4252	4776	msedge.exe	116
PID 4776 wrote to memory of 4252	4776	msedge.exe	116
PID 4776 wrote to memory of 4252	4776	msedge.exe	116
PID 4776 wrote to memory of 4252	4776	msedge.exe	116
PID 4776 wrote to memory of 4252	4776	msedge.exe	116

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PHISHING EMAIL SCAM ALERT - Midea 2024.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=2384
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
      4⤵
      System Location Discovery: System Language Discovery
      PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cgi1.adobe.com/special/acrobat/pluginfinder/pluginfinder.cgi?type=LangPkg&name=Extd&os=Win&vers=19.0&
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffaf3ff46f8,0x7ffaf3ff4708,0x7ffaf3ff4718
    3⤵
    PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,4328737095483151075,1547598673866449821,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    3⤵
    PID:2532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,4328737095483151075,1547598673866449821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,4328737095483151075,1547598673866449821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
    3⤵
    PID:4252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4328737095483151075,1547598673866449821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    3⤵
    PID:4772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4328737095483151075,1547598673866449821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
    3⤵
    PID:3904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4328737095483151075,1547598673866449821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
    3⤵
    PID:4364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4328737095483151075,1547598673866449821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
    3⤵
    PID:1204
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4328737095483151075,1547598673866449821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
    3⤵
    PID:968
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4328737095483151075,1547598673866449821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4328737095483151075,1547598673866449821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
    3⤵
    PID:1256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4328737095483151075,1547598673866449821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
    3⤵
    PID:1112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4328737095483151075,1547598673866449821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
    3⤵
    PID:4244
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3988
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=91985A55DB014EF98A8A1312B245ED64 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4604
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DE1C8DAF5137509F3863188FC58BCAED --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DE1C8DAF5137509F3863188FC58BCAED --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4320
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E4B17D7745195015268CFFB3F89456FA --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5248
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=032AA1FAC04E2ECC6EDEB81E1EEDF036 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=032AA1FAC04E2ECC6EDEB81E1EEDF036 --renderer-client-id=5 --mojo-platform-channel-handle=1948 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5356
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8579FFC3BE185108F02E2042A862C98A --mojo-platform-channel-handle=1836 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5368
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=58F2F9B10EB3568164084199ADE4ED29 --mojo-platform-channel-handle=2380 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
94ecfc62abd157da90a7578f459dd6ec

SHA1
a1bfb189745927624adae711a74e65f9c429ccd9

SHA256
79fe319f77c3eb519d9dca38ece77d39f8525ceabff2e74924ba7ee1fa81d24e

SHA512
4d1e46ebd30de13c1a42fc8b47e4120413b7bbf43759542f48291ccb6c44ebf0dbc5a266333f2a4d105d670faab7c21033c6b7c3d00ed75674a46f873dd464bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
4baf5276412b781eb5eb2cc10f7e3393

SHA1
1639ecbba476d4e5c0894bb8981c2199dc2f435f

SHA256
a22c2f03fe73cc2bb6b22b6637b016a177e7d3bfba7c2d5903a6b7bfe4ec6636

SHA512
959d09900caa6362fdcabc65b7c17c7e3a9eeb2437366fe0e5c3beed4618da47f2b02a35f7b60a82ac35e8aa9d18fabdc9810a9fba134a664a78ec3a5c89ac6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
70432a38dcae2a04a0f00b7f61d3a22b

SHA1
5f89e032c82c5d35cd90ece4bc968c14c35dcc67

SHA256
a9b124431f76abcb1c70071593088593355003913c45d3f18e85819a8be98fbd

SHA512
8775c623d6425831b9a92dd87f746528d75717986f32817f3b6f91950b9cf1a19f0bb8522e5a191a13d3bc517b84571cdffa7d0c80edbe1117e5d2d09e021f6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18

Filesize
3.6MB

MD5
4761e9e5022ad59232d3ff1d6365fc28

SHA1
2fbb4de0513928aaf315dba85359cc2e475f90d3

SHA256
52089e103b099774a479dc435d5902b82c85a458522d9ea52657c3011405c58c

SHA512
3cc9497e99bf308b2f90ba2d45bb36f8b765fc184d457d06f63fcf0f4d74fc55d4a450878d1ca713fa6f9b70850e96c6b5fd3af9e84e3dde7e597f520b0d5f90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
f70fada16fcf34c0acccda8cb7e88286

SHA1
2325a7869daf04d136a412504969fa3da50eec14

SHA256
01b0fd05665506b16da0272b535a880dac1d7971c14ffb09677689a4acf3a1a5

SHA512
c47a5e0820d02ac5b4e5a432bfc6da3bb6355208f2ce9a0b02ec28c50abddac4bbf20c9a36dafa250b668dc51a2413bbc5f29cb13c5a48e8e0fb0e9d5314c2e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
22403cc98ce29f89e8d00c35be6350b1

SHA1
a6112ba740300a5768a047dc1de95995905a9a5c

SHA256
09036785bd69cbd26dfa023035d27f47f6ab1302d5d2af8874b25b50224497ba

SHA512
a25e370eed66f5d8f0ad1f243ff50ecee4922b8a72e4f8a4d912d496cc2c24698d7c31a21df73556dcdfa572444202b2e5494700eb4747512bdddfe5ad18d79b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
13b5ab9ae1839f4862d3750f042a18b7

SHA1
5a8746388622e7beb912ebc701e69f88d3390e21

SHA256
2d8ca145bab992a85fa847a1e1b4d571ae666de92baf69ed6f77f5589951eae8

SHA512
4674ed69628abc2d35489f1874215222e4bfb10cc988c2745e2efb9cc59c37de8a0da288cca303f9596c5077e1f66e96d960aef57e3b0880f79a7aace9e66c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d93f852d47be9a3cea7428d49dc59389

SHA1
8c4a2b54019e1a47b60d351f7afe76326760b3f5

SHA256
3dfaedcf346b52c1ee3a428d6b72f4444609aa26a7c2d09f7d1fbf2a9d2a9f4e

SHA512
98326ec46f2166b8d69bf489d1362c51af5b92699aa67474e01d01cb2cebed28e064e0fe444392f951311ccbffc8dadbe313c2fdb331e231fd1a72bb312ff106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
13122d037edfd18469b0bc1ae3df0020

SHA1
c0c4901b9db7b070fd5af06612d76d890f93d843

SHA256
143de41de7ae2f855f9e1aefa2f3e0e723349f63b6955a945a3ae249bd10cac0

SHA512
497497b1a4055c711e5eff6e7af48671e45167566706890462876c4c7f79b144c92fa76155d18ace1673d0ee92f01aa945f2292b1de70e15679133b2c49edb64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3f7bbd54b7f511c687e380ad3b73a9c6

SHA1
94fbc239c0ccf28d55338ba52a562a689e1ad531

SHA256
e23dbcccfc50f1581231c70e6257f6e8b15c6547285f31eee3a9209cadd97617

SHA512
63c76e705a2200eb744cac454f46066fe2a90961e611e6f8d0079d49fa919f6d6eb68302afc8a1edba215f9dcd6b38f6f8a272317d6ecd146844406f64e0168f

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
14KB

MD5
947f93fe0eed44767626846f28cfde05

SHA1
f6276d2a2b4a9d8a8e23c84019cd3961e9d60e88

SHA256
06a576fc14e995c437b26c0d150b4e84cd745e7cedfd972a84b42b51c842fc9b

SHA512
f97739eb0d22a99b06ef340aefb0d5a5b45b679d28accff3de2565166392c7d2fabaa33f945696f7d456ba2ef323f48e43eb26578f71c8b2e8ed32fb4dc69bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
5.4MB

MD5
a1704864c4cf60bee94efcf0bc41820d

SHA1
397b15d6f4e34164f08ee1fb560b32bf02e57181

SHA256
7a969b1616fe584ef8c6fa03258b43e43785001bb2e2effc86848ffa2aae7d06

SHA512
bd96aa47c4d2d83af91cff0a838979729ac93913ca16132ebd5e795292daca28a298407e9fe439b365878c12ef13c64e6257caf5efbb8fe84010bd626eccc2cc

Download Submit