Malware analysis forms-updated-doc.pdf Malicious activity

Add for printing

File name:	forms-updated-doc.pdf
Full analysis:	https://app.any.run/tasks/ad31f4b5-e13e-413c-9970-102b08d9cd94
Verdict:	Malicious activity
Analysis date:	April 28, 2023, 15:30:47
OS:	Windows 10 Professional (build: 19044, 32 bit)
Tags:	phishing
Indicators:
MIME:	application/pdf
File info:	PDF document, version 1.6
MD5:	D62C3B4653633D5EEF4569CB5F930B57
SHA1:	6D2032862632C60EB37E0CBD478603EDC39D6D9D
SHA256:	25F4F80E2E0B480170CA68BCD88B8365A646EB935A4415D846C37B5C1336EA20
SSDEEP:	1536:9yZK6SH7RbBcq/hBOitOOdG538OZU+KaSxtLRU+9S/BqK365UBm/A4t:4ZWbBd/zLdy38AU+1SBU+wT3KUBmx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.789.19041.0
Adobe Acrobat Reader (22.003.20314)
Adobe Acrobat Reader (22.003.20314)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (5.74)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (103.0.5060.134)
Google Chrome (103.0.5060.134)
Google Update Helper (1.3.33.23)
Google Update Helper (1.3.33.23)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 92 (8.0.920.14)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (111.0.1661.62)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Edge Update (1.3.173.51)
Microsoft Edge WebView2 Runtime (105.0.1343.50)
Microsoft Edge WebView2 Runtime (105.0.1343.50)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 (14.30.30704.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 (14.30.30704.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 (14.30.30704)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 (14.30.30704)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 (14.30.30704)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 (14.30.30704)
Mozilla Firefox (x86 en-US) (111.0.1)
Mozilla Firefox (x86 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.16026.20146)
Opera 12.15 (12.15.1748)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Skype™ 7.39 (7.39.102)
Update for Windows 10 (KB4023057) (2.13.0.0)
Update for Windows 10 (KB4023057) (2.13.0.0)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
- Application launched itself
  - AcroRd32.exe (PID: 5012)
  - RdrCEF.exe (PID: 3272)
  - msedge.exe (PID: 3824)
  - msedge.exe (PID: 7808)
- Checks supported languages
  - identity_helper.exe (PID: 7796)
  - identity_helper.exe (PID: 4904)
- The process checks LSA protection
  - identity_helper.exe (PID: 7796)
  - identity_helper.exe (PID: 4904)
- Reads the computer name
  - identity_helper.exe (PID: 7796)
  - identity_helper.exe (PID: 4904)
- Changes Internet Explorer settings (feature browser emulation)
  - AcroRd32.exe (PID: 5012)
- Create files in a temporary directory
  - msedge.exe (PID: 3824)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.pdf	\|	Adobe Portable Document Format (100)

EXIF

PDF

Linearized:	No
PDFVersion:	1.6

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

115

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

116

"C:\Program Files\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/22.3.20314 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\acrocef_1\debug.log" --mojo-platform-channel-handle=1588 --field-trial-handle=1628,i,9605843609817446810,12432224371686954356,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2

C:\Program Files\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe

—

RdrCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe RdrCEF

Exit code:

Version:

22.3.20314.0

Modules

Images
c:\program files\adobe\acrobat reader dc\reader\acrocef_1\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

596

"C:\Program Files\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/22.3.20314 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\acrocef_1\debug.log" --mojo-platform-channel-handle=2216 --field-trial-handle=1628,i,9605843609817446810,12432224371686954356,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8

C:\Program Files\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe

RdrCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe RdrCEF

Exit code:

Version:

22.3.20314.0

Modules

Images
c:\program files\adobe\acrobat reader dc\reader\acrocef_1\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcp_win.dll

1296

"C:\Program Files\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/22.3.20314 Chrome/105.0.0.0" --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2716 --field-trial-handle=1628,i,9605843609817446810,12432224371686954356,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe

—

RdrCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe RdrCEF

Exit code:

Version:

22.3.20314.0

Modules

Images
c:\program files\adobe\acrobat reader dc\reader\acrocef_1\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1808

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 --field-trial-handle=2056,i,14876727496178219847,3735601174513845453,131072 /prefetch:3

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2016

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=111.0.5563.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=111.0.1661.62 --initial-client-data=0x124,0x128,0x12c,0x100,0x134,0x7a878650,0x7a878660,0x7a87866c

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2020

"C:\Program Files\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/22.3.20314 Chrome/105.0.0.0" --user-data-dir="C:\Users\admin\AppData\Local\CEF\User Data" --first-renderer-process --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\acrocef_1\debug.log" --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2432 --field-trial-handle=1628,i,9605843609817446810,12432224371686954356,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe

—

RdrCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe RdrCEF

Exit code:

Version:

22.3.20314.0

Modules

Images
c:\program files\adobe\acrobat reader dc\reader\acrocef_1\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

3096

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=2064,i,1078438717210631148,18093471649982331954,131072 /prefetch:3

C:\Program Files\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

3272

"C:\Program Files\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe

—

AcroRd32.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe RdrCEF

Exit code:

Version:

22.3.20314.0

Modules

Images
c:\program files\adobe\acrobat reader dc\reader\acrocef_1\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

3316

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4628 --field-trial-handle=2064,i,1078438717210631148,18093471649982331954,131072 /prefetch:1

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll

3560

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4304 --field-trial-handle=2064,i,1078438717210631148,18093471649982331954,131072 /prefetch:8

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

111.0.1661.62

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

39 798

Read events

39 668

Write events

128

Delete events

Modification events


(PID) Process:	(5392) AcroRd32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\DC\ExitSection
Operation:	write	Name:	bLastExitNormal
Value: 1
(PID) Process:	(5012) AcroRd32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Operation:	write	Name:	AcroRd32.exe
Value: 9999
(PID) Process:	(5392) AcroRd32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\CommonFiles\Usage\Reader DC
Operation:	write	Name:	optin
Value: 1
(PID) Process:	(5012) AcroRd32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(5012) AcroRd32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(5012) AcroRd32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(5012) AcroRd32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(5012) AcroRd32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5012) AcroRd32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(3824) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0

Add for printing

Executable files

Suspicious files

478

Text files

218

Unknown types

Dropped files

PID	Process	Filename		Type
5392	AcroRd32.exe	C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\notificationsDB-journal		binary
		MD5:18089CA3F56AEE739BBAEF4F11842914	SHA256:EDFF3492BC3C4DA9D8AEDBAE6C4EC870CFD0FE6931B6A59856A7E07FA180A71E
3272	RdrCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index		binary
		MD5:54CB446F628B2EA4A5BCE5769910512E	SHA256:FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
5012	AcroRd32.exe	C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\notificationsDB		sqlite
		MD5:D4413FE1B40D9A863D236A2CBBECB194	SHA256:4008C44AD258710284F37A5E3647488C8160E969877FD5974B07B2189F3384D2
3272	RdrCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\temp-index		binary
		MD5:E28C233898C260755C009608375A6786	SHA256:301DEB2513CB859D95E996B1FA0665E4425519787868C1E8AE21A10D419B98E9
5392	AcroRd32.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\TESTING		mp3
		MD5:DC84B0D741E5BEAE8070013ADDCC8C28	SHA256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
4820	RdrCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\MANIFEST-000001		binary
		MD5:5AF87DFD673BA2115E2FCF5CFDB727AB	SHA256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
3272	RdrCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index		binary
		MD5:E28C233898C260755C009608375A6786	SHA256:301DEB2513CB859D95E996B1FA0665E4425519787868C1E8AE21A10D419B98E9
3272	RdrCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index		binary
		MD5:54CB446F628B2EA4A5BCE5769910512E	SHA256:FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
3272	RdrCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\temp-index		binary
		MD5:D75D7432571A0525AFC2DB56DA87756C	SHA256:83E52F3B75A5738153305604CCCEE2CC53BAC5790EA1E602E24B94A7DF221629
5392	AcroRd32.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.json		binary
		MD5:560B1FC1035CD2FE0E8F6AB3E304B9D2	SHA256:31949576DDA7E4106FAFF2EE9DDE468DB6288E55E39CD0CD0F68AF47B8A21767

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5012	AcroRd32.exe	GET	200	52.222.226.205:80	http://ocsp.r2m02.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRmbQtwnInkvkvr7BNFR%2BS2lTYPjAQUwDFSzVpQw4J8dHHOy%2Bmc%2BXrrguICEAYLe%2BQP1Z2DctvOpU88jm4%3D	US	binary	471 b	whitelisted
5012	AcroRd32.exe	GET	200	52.222.250.174:80	http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D	US	der	1.39 Kb	shared
5012	AcroRd32.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	US	der	471 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	52.222.226.205:80	ocsp.r2m02.amazontrust.com	AMAZON-02	US	unknown
3096	msedge.exe	3.227.50.246:443	su.onamoc.comano.us	AMAZON-AES	US	unknown
3096	msedge.exe	20.105.73.143:443	nav-edge.smartscreen.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3096	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3096	msedge.exe	3.221.21.138:443	su.onamoc.comano.us	AMAZON-AES	US	unknown
3096	msedge.exe	104.18.204.201:443	cdn2.hubspot.net	CLOUDFLARENET	—	whitelisted
3096	msedge.exe	13.107.21.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3096	msedge.exe	91.198.174.208:443	upload.wikimedia.org	WIKIMEDIA	US	suspicious
3096	msedge.exe	204.79.197.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3096	msedge.exe	13.107.238.45:443	edgeassetservice.azureedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
officeclient.microsoft.com	52.109.112.108	whitelisted
geo2.adobe.com	23.35.236.137	whitelisted
p13n.adobe.io	107.22.247.231 18.207.85.246 54.144.73.197 34.193.227.236	whitelisted
comano.us	—	unknown
onamoc.comano.us	—	unknown
su.onamoc.comano.us	3.227.50.246 34.193.124.246 34.206.141.82 3.221.21.138 18.213.252.182 52.5.176.152	suspicious
armmf.adobe.com	2.18.233.74	whitelisted
acroipm2.adobe.com	23.48.23.34 23.48.23.54	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
ocsp.rootca1.amazontrust.com	52.222.250.174 52.222.250.185 52.222.250.42 52.222.250.112	shared

Threats

PID	Process	Class	Message
—	—	Successful Credential Theft Detected	ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain

Add for printing

No debug info

General Info

forms-updated-doc.pdf

D62C3B4653633D5EEF4569CB5F930B57

6D2032862632C60EB37E0CBD478603EDC39D6D9D

25F4F80E2E0B480170CA68BCD88B8365A646EB935A4415D846C37B5C1336EA20

1536:9yZK6SH7RbBcq/hBOitOOdG538OZU+KaSxtLRU+9S/BqK365UBm/A4t:4ZWbBd/zLdy38AU+1SBU+wT3KUBmx

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Application launched itself

Checks supported languages

The process checks LSA protection

Reads the computer name

Changes Internet Explorer settings (feature browser emulation)

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

PDF

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings