File name:

OTKpbITb 2406022.pdf

Full analysis: https://app.any.run/tasks/760ea75a-04ff-40e6-b525-5ceb3ef79d31
Verdict: Malicious activity
Analysis date: April 27, 2022, 12:11:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/pdf
File info: PDF document, version 1.3
MD5:

8E615798F8780C60A8F53D9851E018AA

SHA1:

1D057987AF89D80B05609A28011517F24F76C05B

SHA256:

3FCD58CD55C13272586E09A7D603B91803000DDFE7A402A405885BCCB7250D1D

SSDEEP:

6144:XTfaYpc5+U44F9vs2IxBRtpAOpZ1uxgQspmg98SWsZ5q9kjB1hUooMW:DCYS7vKPAOpZOB5SWsrqqjB1ti

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • chrome.exe (PID: 2268)
      • chrome.exe (PID: 2884)
  • SUSPICIOUS

    • Starts Internet Explorer

      • AcroRd32.exe (PID: 2952)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2640)
      • iexplore.exe (PID: 2520)
    • Checks supported languages

      • AdobeARM.exe (PID: 3320)
      • Reader_sl.exe (PID: 1260)
    • Reads the computer name

      • AdobeARM.exe (PID: 3320)
    • Executable content was dropped or overwritten

      • AdobeARM.exe (PID: 3320)
      • chrome.exe (PID: 2268)
    • Creates files in the program directory

      • AdobeARM.exe (PID: 3320)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2888)
    • Drops a file with a compile date too recent

      • chrome.exe (PID: 2268)
      • chrome.exe (PID: 2884)
  • INFO

    • Checks supported languages

      • RdrCEF.exe (PID: 3508)
      • RdrCEF.exe (PID: 2360)
      • AcroRd32.exe (PID: 2952)
      • RdrCEF.exe (PID: 3732)
      • RdrCEF.exe (PID: 2936)
      • AcroRd32.exe (PID: 3028)
      • RdrCEF.exe (PID: 312)
      • RdrCEF.exe (PID: 2460)
      • RdrCEF.exe (PID: 3416)
      • RdrCEF.exe (PID: 3176)
      • iexplore.exe (PID: 2640)
      • iexplore.exe (PID: 3040)
      • chrome.exe (PID: 2888)
      • chrome.exe (PID: 3844)
      • chrome.exe (PID: 392)
      • chrome.exe (PID: 2884)
      • chrome.exe (PID: 2820)
      • chrome.exe (PID: 2816)
      • chrome.exe (PID: 3412)
      • chrome.exe (PID: 2308)
      • chrome.exe (PID: 2512)
      • chrome.exe (PID: 2180)
      • chrome.exe (PID: 1008)
      • chrome.exe (PID: 1460)
      • chrome.exe (PID: 3968)
      • iexplore.exe (PID: 2520)
      • chrome.exe (PID: 1996)
      • chrome.exe (PID: 3080)
      • chrome.exe (PID: 456)
      • chrome.exe (PID: 2304)
      • chrome.exe (PID: 3748)
      • chrome.exe (PID: 3540)
      • chrome.exe (PID: 3672)
      • chrome.exe (PID: 3776)
      • chrome.exe (PID: 3872)
      • chrome.exe (PID: 4044)
      • chrome.exe (PID: 2244)
      • chrome.exe (PID: 2948)
      • chrome.exe (PID: 2268)
      • chrome.exe (PID: 3952)
    • Reads CPU info

      • AcroRd32.exe (PID: 3028)
    • Reads the computer name

      • AcroRd32.exe (PID: 3028)
      • RdrCEF.exe (PID: 3732)
      • AcroRd32.exe (PID: 2952)
      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 2640)
      • chrome.exe (PID: 2888)
      • chrome.exe (PID: 392)
      • chrome.exe (PID: 2884)
      • chrome.exe (PID: 2180)
      • chrome.exe (PID: 3672)
      • iexplore.exe (PID: 2520)
      • chrome.exe (PID: 2304)
      • chrome.exe (PID: 3776)
      • chrome.exe (PID: 3412)
      • chrome.exe (PID: 4044)
    • Application launched itself

      • AcroRd32.exe (PID: 2952)
      • RdrCEF.exe (PID: 3732)
      • iexplore.exe (PID: 3040)
      • chrome.exe (PID: 2888)
    • Reads the hosts file

      • RdrCEF.exe (PID: 3732)
      • chrome.exe (PID: 2884)
      • chrome.exe (PID: 2888)
    • Searches for installed software

      • AcroRd32.exe (PID: 2952)
      • AcroRd32.exe (PID: 3028)
    • Reads settings of System Certificates

      • AcroRd32.exe (PID: 2952)
      • RdrCEF.exe (PID: 3732)
      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 2640)
      • AdobeARM.exe (PID: 3320)
      • chrome.exe (PID: 2884)
      • iexplore.exe (PID: 2520)
    • Checks Windows Trust Settings

      • AcroRd32.exe (PID: 2952)
      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 2640)
      • AdobeARM.exe (PID: 3320)
      • iexplore.exe (PID: 2520)
    • Changes internet zones settings

      • iexplore.exe (PID: 3040)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3040)
    • Creates files in the user directory

      • iexplore.exe (PID: 2640)
      • iexplore.exe (PID: 3040)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2640)
      • iexplore.exe (PID: 2520)
    • Manual execution by user

      • chrome.exe (PID: 2888)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3040)
    • Reads the date of Windows installation

      • chrome.exe (PID: 3776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.pdf | Adobe Portable Document Format (100)

EXIF

PDF

PDFVersion: 1.3
Linearized: No
PageLayout: SinglePage
PageCount: 6
Producer: Synopse PDF engine 1.18.6228
Author: 5837350
CreateDate: 2022:04:27 13:33:57Z
Creator: Noqufiru Vuryhope Zihu Vevuvi Buhki Becte Lesyvucy Solono Bidosyw Bozezuvi Wopje Lyjysyje Kijokiz Suwineb Gihliccywhbjilnwqro
Keywords: ag
Subject: dslkjgjvpylGARHPVAGYLCWTBWQTYOU
Title: Tycu Xeju Pido Roxynudi Firsi Sulureku Cewpy Vuqiby Dyninyry17360461136
ModifyDate: 2022:04:27 13:33:57Z
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
83
Monitored processes
42
Malicious processes
0
Suspicious processes
4

Behavior graph

Click at the process to see the details
start acrord32.exe acrord32.exe no specs rdrcef.exe rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs iexplore.exe iexplore.exe adobearm.exe reader_sl.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs iexplore.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2952"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\OTKpbITb 2406022.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Explorer.EXE
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3028"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\OTKpbITb 2406022.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
20.13.20064.405839
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3732"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
AcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
20.13.20064.405839
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
2360"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1180,15304818258047361420,301068094136172566,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3193135043750147994 --renderer-client-id=2 --mojo-platform-channel-handle=1188 --allow-no-sandbox-job /prefetch:1C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
20.13.20064.405839
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
3508"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1180,15304818258047361420,301068094136172566,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=7250576979337629895 --mojo-platform-channel-handle=1216 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
1
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2936"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1180,15304818258047361420,301068094136172566,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=4773144807900773750 --mojo-platform-channel-handle=1260 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
1
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
3416"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1180,15304818258047361420,301068094136172566,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=5240567380866057911 --mojo-platform-channel-handle=1380 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
1
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2460"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1180,15304818258047361420,301068094136172566,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7155615066176502447 --renderer-client-id=6 --mojo-platform-channel-handle=1472 --allow-no-sandbox-job /prefetch:1C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
312"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1180,15304818258047361420,301068094136172566,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3386606312761745455 --renderer-client-id=7 --mojo-platform-channel-handle=1484 --allow-no-sandbox-job /prefetch:1C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3176"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1180,15304818258047361420,301068094136172566,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7948910901052095394 --renderer-client-id=8 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job /prefetch:1C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
74 180
Read events
73 784
Write events
380
Delete events
16

Modification events

(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\ExitSection
Operation:writeName:bLastExitNormal
Value:
0
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral
Operation:writeName:iNumReaderLaunches
Value:
2
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\FTEDialog
Operation:writeName:bShowUpdateFTE
Value:
1
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\HomeWelcome
Operation:writeName:bIsAcrobatUpdated
Value:
1
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\HomeWelcomeFirstMileReader
Operation:writeName:iCardCountShown
Value:
2
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\FTEDialog
Operation:delete valueName:iLastCardShown
Value:
0
(PID) Process:(2952) AcroRd32.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\SessionManagement
Operation:writeName:bNormalExit
Value:
0
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\SessionManagement\cWindowsCurrent\cWin0
Operation:writeName:iTabCount
Value:
0
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\SessionManagement\cWindowsCurrent
Operation:writeName:iWinCount
Value:
1
Executable files
3
Suspicious files
359
Text files
176
Unknown types
35

Dropped files

PID
Process
Filename
Type
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0binary
MD5:F6D40FE8338E0EE2FC0C3B5083FB785E
SHA256:F3EEC777FB6F25881090C97814147AA6A5C952570832D8E95D084895A91F0EF8
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0binary
MD5:BFB478081D7F9CD439C916D02DDA40CF
SHA256:B00D6CF48B4C92A2C18233D5A4C6CC79E0DEE29CEF08BACB74B61D0787F24929
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0binary
MD5:520CD794774B881C87E98AB4726893A9
SHA256:77B8704340B879C25BD8B1403BAA07BFA4FF056174B9D55F47DC3C3D417724A7
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0binary
MD5:92AEBC5D8FEF849B8F19C0CCAF04C739
SHA256:141A67E2FA2EA370B42CA95F89E5B6458B048E635D2B8099E60A355FEFC886D8
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0binary
MD5:DE1798BFEE29E4E09B7F7493E99EDF8E
SHA256:D20AFAE43F3A9CF70230039F8AB9D7417BE4AA554E0CB811750F77E39821FF7A
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0binary
MD5:F92D88A7BC60511333060BDF3F7D4999
SHA256:C3102725476C00E7B6D20BC13C0CD06FC5F71F375992161141FDA58058CB61D6
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0binary
MD5:84A9AC280328A65C0424EF7B407F9358
SHA256:E241B18C03B04B3D67451403693EB68559B7779D803590764B8B3092D687C35B
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0binary
MD5:51CDD5548822AB6C5503559A9434F0F3
SHA256:CB0B3ABF167B642CE58CA0B4867BA9DB14BA63975AFD678BEDAE3D846A25C041
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0binary
MD5:BCCE62B70B311C2350F88088B5567F92
SHA256:2A8C78F25130CE03CEC77AB24F15D0325698AD1469D9A41056282FAA0C843696
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\febb41df4ea2b63a_0binary
MD5:52500DDCAC3C7A5019A44FCBEE07C45F
SHA256:C9D6ABB36EE779744DA60F002D0CB916B86D6353CF2470997DB72DCA9D1EEC2E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
120
TCP/UDP connections
126
DNS requests
78
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2640
iexplore.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
3040
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
2640
iexplore.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
2640
iexplore.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEA8SVMKPsnFcEm%2FVYIITs7I%3D
US
der
471 b
whitelisted
2640
iexplore.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCdmHyZTVWPdwrUMsTDPsDC
US
der
472 b
whitelisted
2640
iexplore.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDZVQ0c3n%2F16xKL4oJJTrDj
US
der
472 b
whitelisted
3040
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
872
svchost.exe
HEAD
302
142.250.185.206:80
http://redirector.gvt1.com/edgedl/release2/chrome_component/adktovjj3t3n7jwiiegl5h6y3v5q_1.3.36.121/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.121_win_bxugoraqoudfswxg22hsatfdbi.crx3
US
whitelisted
2884
chrome.exe
GET
302
104.21.48.131:80
http://go.likurocu.com/0gbh?aff_sub=6269335421fa120001340be2
US
suspicious
872
svchost.exe
HEAD
200
173.194.137.73:80
http://r4---sn-aigzrn76.gvt1.com/edgedl/release2/chrome_component/adktovjj3t3n7jwiiegl5h6y3v5q_1.3.36.121/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.121_win_bxugoraqoudfswxg22hsatfdbi.crx3?cms_redirect=yes&mh=bj&mip=185.198.243.195&mm=28&mn=sn-aigzrn76&ms=nvh&mt=1651061041&mv=u&mvi=4&pl=25&rmhost=r2---sn-aigzrn76.gvt1.com&shardbypass=sd&smhost=r5---sn-aigzrn7s.gvt1.com
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3040
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2640
iexplore.exe
142.250.185.142:443
docs.google.com
Google Inc.
US
whitelisted
2952
AcroRd32.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3732
RdrCEF.exe
104.102.28.179:443
geo2.adobe.com
Akamai Technologies, Inc.
US
unknown
3732
RdrCEF.exe
54.227.187.23:443
p13n.adobe.io
Amazon.com, Inc.
US
suspicious
3040
iexplore.exe
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
872
svchost.exe
184.30.20.134:443
armmf.adobe.com
GTT Communications Inc.
US
suspicious
3732
RdrCEF.exe
184.30.20.134:443
armmf.adobe.com
GTT Communications Inc.
US
suspicious
2952
AcroRd32.exe
92.123.225.66:443
acroipm2.adobe.com
Akamai International B.V.
suspicious
2952
AcroRd32.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
geo2.adobe.com
  • 104.102.28.179
whitelisted
p13n.adobe.io
  • 54.227.187.23
  • 23.22.254.206
  • 52.202.204.11
  • 52.5.13.197
whitelisted
armmf.adobe.com
  • 184.30.20.134
  • 23.35.228.137
whitelisted
acroipm2.adobe.com
  • 92.123.225.66
  • 92.123.225.67
  • 92.123.225.42
  • 92.123.225.11
  • 92.123.225.26
  • 92.123.225.49
  • 92.123.225.41
  • 92.123.225.35
  • 92.123.225.64
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
docs.google.com
  • 142.250.185.142
  • 142.250.185.238
shared
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
  • 13.107.22.200
  • 131.253.33.200
whitelisted
ocsp.pki.goog
  • 142.250.186.67
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO TLS Handshake Failure
No debug info