Loading ...

Play interactive tourEdit tour

Analysis Report https://storage.googleapis.com/pt04-2/messages/attachments/a81514cf8fd6b74e29fc05ccfdc4ab52/Joint_Statement_on_COVID-19_Prevention.pdf

Overview

General Information

Sample URL:https://storage.googleapis.com/pt04-2/messages/attachments/a81514cf8fd6b74e29fc05ccfdc4ab52/Joint_Statement_on_COVID-19_Prevention.pdf
Analysis ID:282536

Most interesting Screenshot:

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cmd.exe (PID: 6892 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://storage.googleapis.com/pt04-2/messages/attachments/a81514cf8fd6b74e29fc05ccfdc4ab52/Joint_Statement_on_COVID-19_Prevention.pdf' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 6932 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://storage.googleapis.com/pt04-2/messages/attachments/a81514cf8fd6b74e29fc05ccfdc4ab52/Joint_Statement_on_COVID-19_Prevention.pdf' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • AcroRd32.exe (PID: 5620 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\download\Joint_Statement_on_COVID-19_Prevention.pdf' MD5: B969CF0C7B2C443A99034881E8C8740A)
    • AcroRd32.exe (PID: 4488 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\download\Joint_Statement_on_COVID-19_Prevention.pdf' MD5: B969CF0C7B2C443A99034881E8C8740A)
    • RdrCEF.exe (PID: 1548 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 6664 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1684,10264994146005585357,17156375866591390102,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=16228068459503750942 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16228068459503750942 --renderer-client-id=2 --mojo-platform-channel-handle=1696 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 1452 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1684,10264994146005585357,17156375866591390102,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=15250631444377691931 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 6556 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1684,10264994146005585357,17156375866591390102,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1281411786432699177 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1281411786432699177 --renderer-client-id=4 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 7088 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1684,10264994146005585357,17156375866591390102,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=9016934769419892692 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9016934769419892692 --renderer-client-id=5 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AcroRd32.exe, 00000004.00000002.1108039211.000000000B88D000.00000004.00000001.sdmpString found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe, 00000004.00000002.1108039211.000000000B88D000.00000004.00000001.sdmpString found in binary or memory: http://cipa.jp/exif/1.0/)5)
Source: AcroRd32.exe, 00000004.00000002.1108039211.000000000B88D000.00000004.00000001.sdmpString found in binary or memory: http://cipa.jp/exif/1.0/1.0/N
Source: wget.exe, 00000002.00000003.203310020.0000000002D24000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000003.203310020.0000000002D24000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000002.00000003.203310020.0000000002D24000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crll
Source: wget.exe, 00000002.00000003.203310020.0000000002D24000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/GTS1O1core.crl
Source: wget.exe, 00000002.00000003.203301308.0000000002D67000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: wget.exe, 00000002.00000003.203310020.0000000002D24000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/GTS1O1core.crlq
Source: wget.exe, 00000002.00000003.203310020.0000000002D24000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl
Source: wget.exe, 00000002.00000003.203301308.0000000002D67000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AcroRd32.exe, 00000004.00000002.1108198671.000000000B92B000.00000004.00000001.sdmpString found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe, 00000004.00000002.1108198671.000000000B92B000.00000004.00000001.sdmpString found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/;
Source: AcroRd32.exe, 00000004.00000002.1108198671.000000000B92B000.00000004.00000001.sdmpString found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: AcroRd32.exe, 00000004.00000002.1108198671.000000000B92B000.00000004.00000001.sdmpString found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/0
Source: AcroRd32.exe, 00000004.00000002.1108198671.000000000B92B000.00000004.00000001.sdmpString found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: AcroRd32.exe, 00000004.00000002.1108198671.000000000B92B000.00000004.00000001.sdmpString found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/I
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0C
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0H
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0I
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0O
Source: wget.exe, 00000002.00000003.203310020.0000000002D24000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr2
Source: wget.exe, 00000002.00000003.203301308.0000000002D67000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr202
Source: wget.exe, 00000002.00000003.203310020.0000000002D24000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr2om)
Source: wget.exe, 00000002.00000003.203301308.0000000002D67000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: wget.exe, 00000002.00000003.203301308.0000000002D67000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt
Source: wget.exe, 00000002.00000003.203301308.0000000002D67000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: wget.exe, 00000002.00000003.203301308.0000000002D67000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crtt
Source: AcroRd32.exe, 00000004.00000002.1108236871.000000000B94A000.00000004.00000001.sdmpString found in binary or memory: http://www.a.com/go/ipmrhprd.
Source: AcroRd32.exe, 00000004.00000002.1108198671.000000000B92B000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe, 00000004.00000002.1108198671.000000000B92B000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe, 00000004.00000002.1108039211.000000000B88D000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe, 00000004.00000002.1108198671.000000000B92B000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe, 00000004.00000002.1108198671.000000000B92B000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/property#N
Source: AcroRd32.exe, 00000004.00000002.1108198671.000000000B92B000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe, 00000004.00000002.1108198671.000000000B92B000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe, 00000004.00000002.1108198671.000000000B92B000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/type#j
Source: AcroRd32.exe, 00000004.00000002.1108039211.000000000B88D000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: AcroRd32.exe, 00000004.00000002.1108039211.000000000B88D000.00000004.00000001.sdmpString found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: AcroRd32.exe, 00000004.00000002.1092762367.0000000007F60000.00000002.00000001.sdmpString found in binary or memory: http://www.osmf.org/default/1.0%http://www.osmf.org/mediatype/default
Source: AcroRd32.exe, 00000004.00000002.1092762367.0000000007F60000.00000002.00000001.sdmpString found in binary or memory: http://www.osmf.org/drm/default
Source: AcroRd32.exe, 00000004.00000002.1092762367.0000000007F60000.00000002.00000001.sdmpString found in binary or memory: http://www.osmf.org/elementId%http://www.osmf.org/temporal/embedded$http://www.osmf.org/temporal/dyn
Source: AcroRd32.exe, 00000004.00000002.1092762367.0000000007F60000.00000002.00000001.sdmpString found in binary or memory: http://www.osmf.org/layout/anchor
Source: AcroRd32.exe, 00000004.00000002.1092762367.0000000007F60000.00000002.00000001.sdmpString found in binary or memory: http://www.osmf.org/layout/padding%http://www.osmf.org/layout/attributes
Source: AcroRd32.exe, 00000004.00000002.1092762367.0000000007F60000.00000002.00000001.sdmpString found in binary or memory: http://www.osmf.org/region/target#http://www.osmf.org/layout/renderer#http://www.osmf.org/layout/abs
Source: AcroRd32.exe, 00000004.00000002.1092762367.0000000007F60000.00000002.00000001.sdmpString found in binary or memory: http://www.osmf.org/subclip/1.0
Source: AcroRd32.exe, 00000004.00000002.1092762367.0000000007F60000.00000002.00000001.sdmpString found in binary or memory: http://www.quicktime.com.Acrobat
Source: AcroRd32.exe, 00000004.00000002.1108236871.000000000B94A000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comMicrosoft
Source: AcroRd32.exe, 00000004.00000002.1108236871.000000000B94A000.00000004.00000001.sdmpString found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/
Source: AcroRd32.exe, 00000004.00000002.1108236871.000000000B94A000.00000004.00000001.sdmpString found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/:
Source: AcroRd32.exe, 00000004.00000002.1106522860.000000000B4F2000.00000004.00000001.sdmpString found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/
Source: AcroRd32.exe, 00000004.00000002.1106522860.000000000B4F2000.00000004.00000001.sdmpString found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/F
Source: AcroRd32.exe, 00000004.00000002.1106522860.000000000B4F2000.00000004.00000001.sdmpString found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/P
Source: AcroRd32.exe, 00000004.00000002.1106522860.000000000B4F2000.00000004.00000001.sdmpString found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/itH
Source: AcroRd32.exe, 00000004.00000002.1106522860.000000000B4F2000.00000004.00000001.sdmpString found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/nt
Source: AcroRd32.exe, 00000004.00000002.1108460942.000000000BA67000.00000004.00000001.sdmpString found in binary or memory: https://api.echosign.com
Source: AcroRd32.exe, 00000004.00000002.1108460942.000000000BA67000.00000004.00000001.sdmpString found in binary or memory: https://api.echosign.comcen
Source: AcroRd32.exe, 00000004.00000002.1108460942.000000000BA67000.00000004.00000001.sdmpString found in binary or memory: https://api.echosign.comfor
Source: AcroRd32.exe, 00000004.00000002.1097006744.0000000009273000.00000004.00000001.sdmpString found in binary or memory: https://ims-na1.adobelogin.com
Source: wget.exe, 00000002.00000003.203301308.0000000002D67000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/
Source: wget.exe, 00000002.00000002.204123171.0000000002D5F000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/0
Source: wget.exe, 00000002.00000003.203301308.0000000002D67000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/t
Source: wget.exe, 00000002.00000002.203629345.0000000001230000.00000004.00000040.sdmp, cmdline.out.2.drString found in binary or memory: https://storage.googleapis.com/pt04-2/messages/attachments/a81514cf8fd6b74e29fc05ccfdc4ab52/Joint_St
Source: AcroRd32.exe, 00000004.00000002.1096489893.0000000008E1C000.00000002.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_02D217EF2_2_02D217EF
Source: classification engineClassification label: clean2.win@17/49@0/2
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Desktop\cmdline.outJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeFile created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9Rsefshw_1sr83ch_3go.tmpJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\wget.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\wget.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\wget.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://storage.googleapis.com/pt04-2/messages/attachments/a81514cf8fd6b74e29fc05ccfdc4ab52/Joint_Statement_on_COVID-19_Prevention.pdf' > cmdline.out 2>&1
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://storage.googleapis.com/pt04-2/messages/attachments/a81514cf8fd6b74e29fc05ccfdc4ab52/Joint_Statement_on_COVID-19_Prevention.pdf'
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\download\Joint_Statement_on_COVID-19_Prevention.pdf'
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\download\Joint_Statement_on_COVID-19_Prevention.pdf'
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1684,10264994146005585357,17156375866591390102,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=16228068459503750942 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16228068459503750942 --renderer-client-id=2 --mojo-platform-channel-handle=1696 --allow-no-sandbox-job /prefetch:1
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1684,10264994146005585357,17156375866591390102,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=15250631444377691931 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1684,10264994146005585357,17156375866591390102,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1281411786432699177 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1281411786432699177 --renderer-client-id=4 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1684,10264994146005585357,17156375866591390102,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=9016934769419892692 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9016934769419892692 --renderer-client-id=5 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job /prefetch:1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://storage.googleapis.com/pt04-2/messages/attachments/a81514cf8fd6b74e29fc05ccfdc4ab52/Joint_Statement_on_COVID-19_Prevention.pdf' Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\download\Joint_Statement_on_COVID-19_Prevention.pdf'Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1684,10264994146005585357,17156375866591390102,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=16228068459503750942 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16228068459503750942 --renderer-client-id=2 --mojo-platform-channel-handle=1696 --allow-no-sandbox-job /prefetch:1Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1684,10264994146005585357,17156375866591390102,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=15250631444377691931 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1684,10264994146005585357,17156375866591390102,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1281411786432699177 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1281411786432699177 --renderer-client-id=4 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1684,10264994146005585357,17156375866591390102,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=9016934769419892692 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9016934769419892692 --renderer-client-id=5 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job /prefetch:1Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeFile opened: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\crash_reporter.cfgJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeFile opened: C:\Windows\SysWOW64\Msftedit.dllJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: Binary string: ProgID = s 'AcroExch.PDBookmark.1' source: AcroRd32.exe, 00000004.00000002.1092762367.0000000007F60000.00000002.00000001.sdmp
Source: Binary string: AcroExch.PDBookmark.1 = s 'AcroExch.PDBookmark' source: AcroRd32.exe, 00000004.00000002.1092762367.0000000007F60000.00000002.00000001.sdmp
Source: Binary string: ForceRemove {2EAF0840-690A-101B-9CA8-9240CE2738AE} = s 'AcroExch.PDBookmark' source: AcroRd32.exe, 00000004.00000002.1092762367.0000000007F60000.00000002.00000001.sdmp
Source: Binary string: AcroExch.PDBookmark = s 'AcroExch.PDBookmark' source: AcroRd32.exe, 00000004.00000002.1092762367.0000000007F60000.00000002.00000001.sdmp
Source: Binary string: CurVer = s 'AcroExch.PDBookmark.1' source: AcroRd32.exe, 00000004.00000002.1092762367.0000000007F60000.00000002.00000001.sdmp
Source: Binary string: VersionIndependentProgID = s 'AcroExch.PDBookmark' source: AcroRd32.exe, 00000004.00000002.1092762367.0000000007F60000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_009FCF0E push eax; iretd 2_2_009FCF51
Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_009FCF54 push eax; iretd 2_2_009FCF55
Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_02D22962 push eax; retf 2_2_02D22963
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: wget.exeBinary or memory string: Hyper-V RAW
Source: wget.exe, 00000002.00000002.203562136.00000000009F8000.00000004.00000020.sdmp, AcroRd32.exe, 00000004.00000002.1108236871.000000000B94A000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeCode function: 4_2_01189110 LdrInitializeThunk,4_2_01189110
Source: AcroRd32.exe, 00000004.00000002.1090833469.0000000005D50000.00000002.00000001.sdmpBinary or memory string: Program Manager
Source: AcroRd32.exe, 00000004.00000002.1090833469.0000000005D50000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: AcroRd32.exe, 00000004.00000002.1090833469.0000000005D50000.00000002.00000001.sdmpBinary or memory string: Progman
Source: AcroRd32.exe, 00000004.00000002.1090833469.0000000005D50000.00000002.00000001.sdmpBinary or memory string: Progmanlock