77c736516453d05b3e79bcba60fe4311a67eb83b03e339c38dfb786bfeda8f91

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rebut_25-03-28_Oficina Antifrau de Catalunya__INSTANCIA.pdf
Size

138KB
MD5

1c51fb95a1a4208a852fd3f6af97dc47
SHA1

3288265918fe15bcd88cd60f13c9ec4311d37d74
SHA256

77c736516453d05b3e79bcba60fe4311a67eb83b03e339c38dfb786bfeda8f91
SHA512

d16be4a31767e8149b31d335b50ba67141d2be11fff3b16c1fec4b9304e99ae13e8895375ffe4080c01d1b92d5a7cb390a58247dabd1763d7b800cf1789ad329
SSDEEP

1536:FITw+NZ5MIFVZPRt/xX1dZAsswFW5Nlq1aND3elVJTclX5dUi493Tc:8w0ZrrxXLwlq1aND3+Vun

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FullTrustNotifier.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCollabSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings\MuiCache	AdobeCollabSync.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2616	AcroRd32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 3904	2616	AcroRd32.exe	91
PID 2616 wrote to memory of 3904	2616	AcroRd32.exe	91
PID 2616 wrote to memory of 3904	2616	AcroRd32.exe	91
PID 3904 wrote to memory of 4640	3904	AdobeCollabSync.exe	92
PID 3904 wrote to memory of 4640	3904	AdobeCollabSync.exe	92
PID 3904 wrote to memory of 4640	3904	AdobeCollabSync.exe	92
PID 4640 wrote to memory of 2480	4640	AdobeCollabSync.exe	97
PID 4640 wrote to memory of 2480	4640	AdobeCollabSync.exe	97
PID 4640 wrote to memory of 2480	4640	AdobeCollabSync.exe	97
PID 2616 wrote to memory of 2232	2616	AcroRd32.exe	101
PID 2616 wrote to memory of 2232	2616	AcroRd32.exe	101
PID 2616 wrote to memory of 2232	2616	AcroRd32.exe	101
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 456	2232	RdrCEF.exe	102
PID 2232 wrote to memory of 1788	2232	RdrCEF.exe	103
PID 2232 wrote to memory of 1788	2232	RdrCEF.exe	103
PID 2232 wrote to memory of 1788	2232	RdrCEF.exe	103
PID 2232 wrote to memory of 1788	2232	RdrCEF.exe	103
PID 2232 wrote to memory of 1788	2232	RdrCEF.exe	103
PID 2232 wrote to memory of 1788	2232	RdrCEF.exe	103
PID 2232 wrote to memory of 1788	2232	RdrCEF.exe	103
PID 2232 wrote to memory of 1788	2232	RdrCEF.exe	103
PID 2232 wrote to memory of 1788	2232	RdrCEF.exe	103
PID 2232 wrote to memory of 1788	2232	RdrCEF.exe	103
PID 2232 wrote to memory of 1788	2232	RdrCEF.exe	103

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Rebut_25-03-28_Oficina Antifrau de Catalunya__INSTANCIA.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" -c --type=collab-renderer --proc=3904
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" GetChannelUri
      4⤵
      System Location Discovery: System Language Discovery
      PID:2480
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6DC1BC8E936B17B1E3EE7D658BE0FC7E --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:456
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BAC5A1D8E601AC6527A0E80FE79C9963 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BAC5A1D8E601AC6527A0E80FE79C9963 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1788
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=922BCB67232B43BAC633488F57BB351E --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5800
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F75A5D93F2E1D6BD7C4834588A766C86 --mojo-platform-channel-handle=1936 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1608
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E1DC2F50001A337AF6F41A4A69CB093C --mojo-platform-channel-handle=1708 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1448
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A5AB36778FA299DF2B1A3A304361C8BB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A5AB36778FA299DF2B1A3A304361C8BB --renderer-client-id=8 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5124
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5E30330F191370964EBBED7D35189D9A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5E30330F191370964EBBED7D35189D9A --renderer-client-id=10 --mojo-platform-channel-handle=2648 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
189a433d114e7f2f80a3fcc8b983f25c

SHA1
6e4b871da4fbdfed3c1d42e270ef935940abf341

SHA256
13547508a4766d6eb3d424e3cbe9ca16e8246a27688dca779ce9eb2d7337acca

SHA512
cabb7a3d18f8ff97f3f4303e727ebb5b0909ee7fc481c9b9e666f75fb5809075ee198a472ec63262ad9744403001729a98af5cc0691aa189f9b1a45e8cead134

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\notificationsDB

Filesize
24KB

MD5
4fe2b64a2631d0d6eb30b8f42b49bcf5

SHA1
10c931554e79c2f4280a65ef2ad57ff61a2429ec

SHA256
4901703febb24c665059d25ae6d0769c55051bcdc1b7a72b600252d4c3b0eca0

SHA512
8ad48178aa8d835e0c2028688e41f575e50e21b6b4b59161d08984c300911fda1a4614738bfa5557c3f2d254373a61497b491cbc7fb163afea2dbe08fcb67004

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
245950c48f668cf2fcb3c64778e64089

SHA1
3a5a14c820f58e35a3fc6f5de29669f0840587d8

SHA256
a027cf12f2055635a3020f08e0448b2f0314791260ccd25570426088c5b0e307

SHA512
4fc8448536663b551cc716d78715f06d4ed217fbdf755924f0b30aebbb6212798a61c6638f919d5c14bdb6998d6a12f0ca37281f3c7f484c1821fbfc98d4a24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
aebe0d2eb7a2077a55e57a955e62406a

SHA1
3f811b8148f12220f4b45699135e6d21c9847d8a

SHA256
87aa4c64348b534771f03919b5bdca09596e89f6e0cca0a992bb3d290ec4155a

SHA512
efa1b082925a4e478fcea74764bbacb91d43da8c01c4b360a34e6f7402af23f91c93b5e91c6266120e144b5300e8dae73a62a7b6d7c4328410128f6a72a7baed

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
96db2dd78c30aa95313549676d854de9

SHA1
21607f46e5b6cf5f87200ced8901beb6b9264e7b

SHA256
6fabf842ff18cfe5107b7edb0c8285310a94a92c076c244386d3dd175a73c516

SHA512
1cbb9c042d273feb5c6eb61d74c4dfea8c54c4cec5047929988b8e6b6eec3504d4260d2be3c3acb1f18f760f568a0e1d684aaf66a59f925229f6ee88a78dc212

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer

Filesize
92KB

MD5
11f270787c13ae1f237d6e17772b8de8

SHA1
9d75b55864ce85fdf64f35a13db1bddfdc4bb7a7

SHA256
bc5b02fc4f33c4c392cb24fa8663862369d9665a4c370c4f72bb912a4dd55fc0

SHA512
6c1a98997613c2b03a7f111941617e71ca751708fbfc347f42c9b92413edba31efd5be415c30a974db47839cc4a7c49c4d38dd05b86b5b6eaa30d7f49ddc2c32

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\resources\resource-18

Filesize
3.8MB

MD5
4d9219b464dca7164080b6ed9c4472e3

SHA1
ef4c464302e241a68cac9c979bb96381f0569eb9

SHA256
e5f8dc9a8a2068bb5d5ad2063bb74a30dffba9ef95b1e0655c9bde6f6588f97a

SHA512
5dba10636e49ee3a41468a8d014a5f6f483918c6962bf109910333f5a32cff9a30796a27aa55a053847bc650e5fd41373b23befb1c2ce1359a1b43099ceb6a0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
a63dc15d95de395a9e5de80446ba6ac5

SHA1
e3ab417d87ecd1a5d17d905874c5f2ae1c3a0d3e

SHA256
d81933b0834133fb1757ef8655b6130f5a64a5725b4baa473b0a3132a62fbdbc

SHA512
a58d14dac9db8b2ca1e7757bcef56bfd81d0edaedd46b47553d416062583bab478690abcf9aba86690e717472d720ec55796db9470c9308850130fe98493558c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
dfa85369cd9f600d2736e3cc37f6574f

SHA1
9ad2bb35c8bca95f6887b5ec2b220ad7701c200a

SHA256
d2877bfc8907f83ee06a1e4d215a90d5768e0645dbf417f9ef7aa1e8ef1f65ad

SHA512
8c75c48184a1b69469afe57ec70b19882051f855fa49602ac12d0f47df74a0a710e67de4b38c372764f62c6840e608caf5d7d6de089e7c8540809e187926c04b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
1872b4356d7add9105d045c134298900

SHA1
ae221bcb21dcc1ac046cd7d4a66feab1461fc67a

SHA256
327a8f27b1bfbf2ab429094611d417bdd0cd16edfe40cf9f04f3854edcc77aa4

SHA512
38d6c22f27dc9d0bec7004d27ceb0013cc672dba7169fbd53476707f277be5cf484eef99354e7ed963223b0ff8c8afb4311f181b1d704e7986ab01cea034993c

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
7f31198b104185c1668cfe0c0475c573

SHA1
72038c82c35ff912277a759d6ea411393783d14d

SHA256
8934fdf03aeca75120cdfb0ed9e6b445091a4bd88a6aa89b61d39c32e3aba709

SHA512
f04f33132b23ff88c3e7272673aac59e1ac49515211e083b1c91d6e7894b53f20a0379865092f0ab768684d1cd71b463ef8f2b373b2dd25218bda9833749dc8f

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
14KB

MD5
947f93fe0eed44767626846f28cfde05

SHA1
f6276d2a2b4a9d8a8e23c84019cd3961e9d60e88

SHA256
06a576fc14e995c437b26c0d150b4e84cd745e7cedfd972a84b42b51c842fc9b

SHA512
f97739eb0d22a99b06ef340aefb0d5a5b45b679d28accff3de2565166392c7d2fabaa33f945696f7d456ba2ef323f48e43eb26578f71c8b2e8ed32fb4dc69bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata

Filesize
5.7MB

MD5
d6d27b484e36fcdae2b5fa52d1eeb920

SHA1
885ada7df7ac5d3867f92b0336c9d7f563c2fe15

SHA256
771f9b2ffeda234df63a4da46b9215f387df8013b034e42bc2d9ecd306003485

SHA512
b8ab4b4cb3d0676a9e303c8c31de44b7e2873da91e315366eba7dd387713ba49b2134a155b276429e3a46afe2ccb9fd330970e3e8d0d7e271cafd3586d8b6608

Download Submit