File name:

OTKpbITb 2406022.pdf

Full analysis: https://app.any.run/tasks/760ea75a-04ff-40e6-b525-5ceb3ef79d31
Verdict: Malicious activity
Analysis date: April 27, 2022, 12:11:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/pdf
File info: PDF document, version 1.3
MD5:

8E615798F8780C60A8F53D9851E018AA

SHA1:

1D057987AF89D80B05609A28011517F24F76C05B

SHA256:

3FCD58CD55C13272586E09A7D603B91803000DDFE7A402A405885BCCB7250D1D

SSDEEP:

6144:XTfaYpc5+U44F9vs2IxBRtpAOpZ1uxgQspmg98SWsZ5q9kjB1hUooMW:DCYS7vKPAOpZOB5SWsrqqjB1ti

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • chrome.exe (PID: 2884)
      • chrome.exe (PID: 2268)
  • SUSPICIOUS

    • Starts Internet Explorer

      • AcroRd32.exe (PID: 2952)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2640)
      • iexplore.exe (PID: 2520)
    • Reads the computer name

      • AdobeARM.exe (PID: 3320)
    • Checks supported languages

      • Reader_sl.exe (PID: 1260)
      • AdobeARM.exe (PID: 3320)
    • Executable content was dropped or overwritten

      • AdobeARM.exe (PID: 3320)
      • chrome.exe (PID: 2268)
    • Creates files in the program directory

      • AdobeARM.exe (PID: 3320)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2888)
    • Drops a file with a compile date too recent

      • chrome.exe (PID: 2884)
      • chrome.exe (PID: 2268)
  • INFO

    • Reads CPU info

      • AcroRd32.exe (PID: 3028)
    • Checks supported languages

      • RdrCEF.exe (PID: 2936)
      • RdrCEF.exe (PID: 2360)
      • AcroRd32.exe (PID: 2952)
      • RdrCEF.exe (PID: 3508)
      • RdrCEF.exe (PID: 3416)
      • AcroRd32.exe (PID: 3028)
      • RdrCEF.exe (PID: 3732)
      • RdrCEF.exe (PID: 3176)
      • RdrCEF.exe (PID: 2460)
      • RdrCEF.exe (PID: 312)
      • iexplore.exe (PID: 2640)
      • iexplore.exe (PID: 3040)
      • chrome.exe (PID: 2884)
      • chrome.exe (PID: 392)
      • chrome.exe (PID: 2888)
      • chrome.exe (PID: 2308)
      • chrome.exe (PID: 3844)
      • chrome.exe (PID: 2820)
      • chrome.exe (PID: 3412)
      • chrome.exe (PID: 1008)
      • chrome.exe (PID: 2180)
      • chrome.exe (PID: 2512)
      • chrome.exe (PID: 2816)
      • chrome.exe (PID: 3080)
      • iexplore.exe (PID: 2520)
      • chrome.exe (PID: 3968)
      • chrome.exe (PID: 1460)
      • chrome.exe (PID: 1996)
      • chrome.exe (PID: 3672)
      • chrome.exe (PID: 2304)
      • chrome.exe (PID: 3776)
      • chrome.exe (PID: 2244)
      • chrome.exe (PID: 3872)
      • chrome.exe (PID: 3952)
      • chrome.exe (PID: 3540)
      • chrome.exe (PID: 4044)
      • chrome.exe (PID: 3748)
      • chrome.exe (PID: 456)
      • chrome.exe (PID: 2268)
      • chrome.exe (PID: 2948)
    • Reads the computer name

      • AcroRd32.exe (PID: 3028)
      • AcroRd32.exe (PID: 2952)
      • RdrCEF.exe (PID: 3732)
      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 2640)
      • chrome.exe (PID: 2888)
      • chrome.exe (PID: 392)
      • chrome.exe (PID: 2884)
      • iexplore.exe (PID: 2520)
      • chrome.exe (PID: 3672)
      • chrome.exe (PID: 2180)
      • chrome.exe (PID: 3412)
      • chrome.exe (PID: 2304)
      • chrome.exe (PID: 3776)
      • chrome.exe (PID: 4044)
    • Application launched itself

      • AcroRd32.exe (PID: 2952)
      • RdrCEF.exe (PID: 3732)
      • iexplore.exe (PID: 3040)
      • chrome.exe (PID: 2888)
    • Reads the hosts file

      • RdrCEF.exe (PID: 3732)
      • chrome.exe (PID: 2884)
      • chrome.exe (PID: 2888)
    • Checks Windows Trust Settings

      • AcroRd32.exe (PID: 2952)
      • iexplore.exe (PID: 2640)
      • iexplore.exe (PID: 3040)
      • AdobeARM.exe (PID: 3320)
      • iexplore.exe (PID: 2520)
    • Searches for installed software

      • AcroRd32.exe (PID: 2952)
      • AcroRd32.exe (PID: 3028)
    • Reads settings of System Certificates

      • AcroRd32.exe (PID: 2952)
      • RdrCEF.exe (PID: 3732)
      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 2640)
      • AdobeARM.exe (PID: 3320)
      • chrome.exe (PID: 2884)
      • iexplore.exe (PID: 2520)
    • Changes internet zones settings

      • iexplore.exe (PID: 3040)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2640)
      • iexplore.exe (PID: 2520)
    • Creates files in the user directory

      • iexplore.exe (PID: 2640)
      • iexplore.exe (PID: 3040)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3040)
    • Manual execution by user

      • chrome.exe (PID: 2888)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3040)
    • Reads the date of Windows installation

      • chrome.exe (PID: 3776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.pdf | Adobe Portable Document Format (100)

EXIF

PDF

ModifyDate: 2022:04:27 13:33:57Z
Title: Tycu Xeju Pido Roxynudi Firsi Sulureku Cewpy Vuqiby Dyninyry17360461136
Subject: dslkjgjvpylGARHPVAGYLCWTBWQTYOU
Keywords: ag
Creator: Noqufiru Vuryhope Zihu Vevuvi Buhki Becte Lesyvucy Solono Bidosyw Bozezuvi Wopje Lyjysyje Kijokiz Suwineb Gihliccywhbjilnwqro
CreateDate: 2022:04:27 13:33:57Z
Author: 5837350
Producer: Synopse PDF engine 1.18.6228
PageCount: 6
PageLayout: SinglePage
Linearized: No
PDFVersion: 1.3
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
83
Monitored processes
42
Malicious processes
0
Suspicious processes
4

Behavior graph

Click at the process to see the details
start acrord32.exe acrord32.exe no specs rdrcef.exe rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs iexplore.exe iexplore.exe adobearm.exe reader_sl.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs iexplore.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2952"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\OTKpbITb 2406022.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Explorer.EXE
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3028"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\OTKpbITb 2406022.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
20.13.20064.405839
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3732"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
AcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
20.13.20064.405839
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
2360"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1180,15304818258047361420,301068094136172566,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3193135043750147994 --renderer-client-id=2 --mojo-platform-channel-handle=1188 --allow-no-sandbox-job /prefetch:1C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
20.13.20064.405839
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
3508"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1180,15304818258047361420,301068094136172566,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=7250576979337629895 --mojo-platform-channel-handle=1216 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
1
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2936"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1180,15304818258047361420,301068094136172566,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=4773144807900773750 --mojo-platform-channel-handle=1260 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
1
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
3416"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1180,15304818258047361420,301068094136172566,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=5240567380866057911 --mojo-platform-channel-handle=1380 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
1
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2460"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1180,15304818258047361420,301068094136172566,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7155615066176502447 --renderer-client-id=6 --mojo-platform-channel-handle=1472 --allow-no-sandbox-job /prefetch:1C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
312"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1180,15304818258047361420,301068094136172566,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3386606312761745455 --renderer-client-id=7 --mojo-platform-channel-handle=1484 --allow-no-sandbox-job /prefetch:1C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3176"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1180,15304818258047361420,301068094136172566,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7948910901052095394 --renderer-client-id=8 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job /prefetch:1C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
74 180
Read events
73 784
Write events
380
Delete events
16

Modification events

(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\ExitSection
Operation:writeName:bLastExitNormal
Value:
0
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral
Operation:writeName:iNumReaderLaunches
Value:
2
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\FTEDialog
Operation:writeName:bShowUpdateFTE
Value:
1
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\HomeWelcome
Operation:writeName:bIsAcrobatUpdated
Value:
1
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\HomeWelcomeFirstMileReader
Operation:writeName:iCardCountShown
Value:
2
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\FTEDialog
Operation:delete valueName:iLastCardShown
Value:
0
(PID) Process:(2952) AcroRd32.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\SessionManagement
Operation:writeName:bNormalExit
Value:
0
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\SessionManagement\cWindowsCurrent\cWin0
Operation:writeName:iTabCount
Value:
0
(PID) Process:(3028) AcroRd32.exeKey:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\SessionManagement\cWindowsCurrent
Operation:writeName:iWinCount
Value:
1
Executable files
3
Suspicious files
359
Text files
176
Unknown types
35

Dropped files

PID
Process
Filename
Type
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0binary
MD5:E49F9414F8390C6A0C8D063BC5632D3A
SHA256:261D24A8F76703889D5E789CCD95CD85E8BEA39A5739D5E5CE4C972204A8E963
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0binary
MD5:BCCE62B70B311C2350F88088B5567F92
SHA256:2A8C78F25130CE03CEC77AB24F15D0325698AD1469D9A41056282FAA0C843696
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0binary
MD5:F6D40FE8338E0EE2FC0C3B5083FB785E
SHA256:F3EEC777FB6F25881090C97814147AA6A5C952570832D8E95D084895A91F0EF8
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0binary
MD5:CB9B974EC99289683D89B1BFEEA7715D
SHA256:A46567F5909EDFD2F655B984C115B24C58B228E0FCB59FBE3A266807A4A422D2
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0binary
MD5:DE1798BFEE29E4E09B7F7493E99EDF8E
SHA256:D20AFAE43F3A9CF70230039F8AB9D7417BE4AA554E0CB811750F77E39821FF7A
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0binary
MD5:BFB478081D7F9CD439C916D02DDA40CF
SHA256:B00D6CF48B4C92A2C18233D5A4C6CC79E0DEE29CEF08BACB74B61D0787F24929
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0binary
MD5:B7A4AF8039F21D2706A4BB9F375FE273
SHA256:CE471825BBC34FE9DD3E32E0259CDE7F0E1EF3BB8BE768F7C62D294181DD2C51
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0binary
MD5:520CD794774B881C87E98AB4726893A9
SHA256:77B8704340B879C25BD8B1403BAA07BFA4FF056174B9D55F47DC3C3D417724A7
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0binary
MD5:A0836C91DEC787356B3ADEF98A0C0BE3
SHA256:64A7EA82E36CD4C95CF663FCF4613D820D970F9354EBDE1C9E49B387D3633763
3732RdrCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0binary
MD5:92AEBC5D8FEF849B8F19C0CCAF04C739
SHA256:141A67E2FA2EA370B42CA95F89E5B6458B048E635D2B8099E60A355FEFC886D8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
120
TCP/UDP connections
126
DNS requests
78
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2884
chrome.exe
GET
302
104.21.48.131:80
http://go.likurocu.com/0gbh?aff_sub=6269335421fa120001340be2
US
suspicious
2884
chrome.exe
GET
302
188.114.97.7:80
http://go.helloclick6.online/sl?id=5f5b69631a6e4b18792251ff&pid=123
US
malicious
3040
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
2640
iexplore.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
2640
iexplore.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
2640
iexplore.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQD4V2bta%2FH7PxJSbInUrvgT
US
der
472 b
whitelisted
2952
AcroRd32.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
US
der
471 b
whitelisted
2640
iexplore.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCCPD%2BmI1IjpApTbalFlJFC
US
der
472 b
whitelisted
2640
iexplore.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCdmHyZTVWPdwrUMsTDPsDC
US
der
472 b
whitelisted
872
svchost.exe
HEAD
200
173.194.137.73:80
http://r4---sn-aigzrn76.gvt1.com/edgedl/release2/chrome_component/adktovjj3t3n7jwiiegl5h6y3v5q_1.3.36.121/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.121_win_bxugoraqoudfswxg22hsatfdbi.crx3?cms_redirect=yes&mh=bj&mip=185.198.243.195&mm=28&mn=sn-aigzrn76&ms=nvh&mt=1651061041&mv=u&mvi=4&pl=25&rmhost=r2---sn-aigzrn76.gvt1.com&shardbypass=sd&smhost=r5---sn-aigzrn7s.gvt1.com
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3040
iexplore.exe
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2952
AcroRd32.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3040
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2640
iexplore.exe
142.250.185.142:443
docs.google.com
Google Inc.
US
whitelisted
2952
AcroRd32.exe
92.123.225.66:443
acroipm2.adobe.com
Akamai International B.V.
suspicious
3732
RdrCEF.exe
54.227.187.23:443
p13n.adobe.io
Amazon.com, Inc.
US
suspicious
872
svchost.exe
184.30.20.134:443
armmf.adobe.com
GTT Communications Inc.
US
suspicious
3732
RdrCEF.exe
184.30.20.134:443
armmf.adobe.com
GTT Communications Inc.
US
suspicious
3732
RdrCEF.exe
104.102.28.179:443
geo2.adobe.com
Akamai Technologies, Inc.
US
unknown
2640
iexplore.exe
142.250.186.67:80
ocsp.pki.goog
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
geo2.adobe.com
  • 104.102.28.179
whitelisted
p13n.adobe.io
  • 54.227.187.23
  • 23.22.254.206
  • 52.202.204.11
  • 52.5.13.197
whitelisted
armmf.adobe.com
  • 184.30.20.134
  • 23.35.228.137
whitelisted
acroipm2.adobe.com
  • 92.123.225.66
  • 92.123.225.67
  • 92.123.225.42
  • 92.123.225.11
  • 92.123.225.26
  • 92.123.225.49
  • 92.123.225.41
  • 92.123.225.35
  • 92.123.225.64
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
docs.google.com
  • 142.250.185.142
  • 142.250.185.238
shared
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
  • 13.107.22.200
  • 131.253.33.200
whitelisted
ocsp.pki.goog
  • 142.250.186.67
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO TLS Handshake Failure
No debug info