Malware analysis 08829182025.pdf Malicious activity | ANY.RUN

Add for printing

File name:	08829182025.pdf
Full analysis:	https://app.any.run/tasks/2c0469db-2b86-46ec-a53c-21e271ad98e8
Verdict:	Malicious activity
Analysis date:	March 24, 2025, 13:19:33
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	autorun-download pdqconnect rmm-tool
Indicators:
MIME:	application/pdf
File info:	PDF document, version 1.1, 1 page(s)
MD5:	82B5C5BFCA53C75F256A4540D54C5BBD
SHA1:	0B27BE92D4619D5321EFA4E53EAEED61F41BFF3C
SHA256:	43A8CC1A5492DCDC5FF4039E7923637A472E0D10B7F1CBFD3BF07267E1F662D1
SSDEEP:	49152:vGpwIOUzehobXez2/mEubYX60xUxTpJme0qhHgaF8E737XHNxMGHbCLYVFD:vGeI53OzcAuWTpJme0sHgk8E7378G4y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Bypass execution policy to execute commands
  - powershell.exe (PID: 4892)
  - powershell.exe (PID: 3012)
  - powershell.exe (PID: 7848)
  - powershell.exe (PID: 7468)
  - powershell.exe (PID: 8316)
  - powershell.exe (PID: 5260)
- Changes powershell execution policy (Bypass)
  - pdq-connect-agent.exe (PID: 5392)
SUSPICIOUS
- Executes as Windows Service
  - VSSVC.exe (PID: 8796)
  - pdq-connect-agent.exe (PID: 4812)
  - pdq-connect-updater.exe (PID: 3268)
  - pdq-connect-agent.exe (PID: 5392)
- Executable content was dropped or overwritten
  - rundll32.exe (PID: 4652)
  - rundll32.exe (PID: 1676)
  - rundll32.exe (PID: 7992)
  - rundll32.exe (PID: 5960)
  - rundll32.exe (PID: 9080)
  - rundll32.exe (PID: 840)
  - rundll32.exe (PID: 8736)
  - pdq-connect-agent.exe (PID: 4812)
  - rundll32.exe (PID: 2516)
  - rundll32.exe (PID: 2772)
  - rundll32.exe (PID: 8624)
  - rundll32.exe (PID: 7148)
  - rundll32.exe (PID: 2288)
  - rundll32.exe (PID: 4244)
  - rundll32.exe (PID: 9168)
- Uses RUNDLL32.EXE to load library
  - msiexec.exe (PID: 5008)
  - msiexec.exe (PID: 7828)
  - msiexec.exe (PID: 7408)
  - msiexec.exe (PID: 7480)
- Starts SC.EXE for service management
  - rundll32.exe (PID: 9080)
  - rundll32.exe (PID: 2516)
- Windows service management via SC.EXE
  - sc.exe (PID: 8772)
  - sc.exe (PID: 1196)
- PDQConnect is probably used for system patching and software deployment
  - sc.exe (PID: 8772)
  - sc.exe (PID: 1196)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 6964)
- Starts POWERSHELL.EXE for commands execution
  - pdq-connect-agent.exe (PID: 5392)
- The process hide an interactive prompt from the user
  - pdq-connect-agent.exe (PID: 5392)
- The process bypasses the loading of PowerShell profile settings
  - pdq-connect-agent.exe (PID: 5392)
- Creates new GUID (POWERSHELL)
  - powershell.exe (PID: 4892)
- The process executes via Task Scheduler
  - PLUGScheduler.exe (PID: 4172)
- The process hides Powershell's copyright startup banner
  - pdq-connect-agent.exe (PID: 5392)
INFO
- Reads security settings of Internet Explorer
  - BackgroundTransferHost.exe (PID: 8604)
  - BackgroundTransferHost.exe (PID: 8900)
  - BackgroundTransferHost.exe (PID: 8940)
  - BackgroundTransferHost.exe (PID: 8364)
- Reads Environment values
  - identity_helper.exe (PID: 9204)
  - identity_helper.exe (PID: 8680)
- Reads the computer name
  - identity_helper.exe (PID: 9204)
  - msiexec.exe (PID: 6964)
  - identity_helper.exe (PID: 8680)
  - pdq-connect-updater.exe (PID: 3268)
  - pdq-connect-agent.exe (PID: 5392)
- Application launched itself
  - Acrobat.exe (PID: 7332)
  - msedge.exe (PID: 7180)
  - AcroCEF.exe (PID: 7792)
  - msedge.exe (PID: 8992)
  - msiexec.exe (PID: 6964)
- Reads Microsoft Office registry keys
  - msedge.exe (PID: 7180)
- Autorun file from Downloads
  - msedge.exe (PID: 4212)
- Checks proxy server information
  - BackgroundTransferHost.exe (PID: 8940)
- Checks supported languages
  - identity_helper.exe (PID: 9204)
  - msiexec.exe (PID: 6964)
  - msiexec.exe (PID: 5008)
  - identity_helper.exe (PID: 8680)
  - msiexec.exe (PID: 7828)
  - pdq-connect-updater.exe (PID: 3268)
  - msiexec.exe (PID: 7480)
  - pdq-connect-agent.exe (PID: 5392)
  - ShellExperienceHost.exe (PID: 8436)
- Creates files or folders in the user directory
  - BackgroundTransferHost.exe (PID: 8940)
- Reads the software policy settings
  - msiexec.exe (PID: 7620)
  - BackgroundTransferHost.exe (PID: 8940)
  - msiexec.exe (PID: 6964)
  - pdq-connect-agent.exe (PID: 4812)
  - slui.exe (PID: 7692)
  - pdq-connect-updater.exe (PID: 3268)
  - pdq-connect-agent.exe (PID: 5392)
- Manages system restore points
  - SrTasks.exe (PID: 8720)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 6964)
- PDQCONNECT has been detected
  - rundll32.exe (PID: 9080)
  - msiexec.exe (PID: 7828)
  - pdq-connect-agent.exe (PID: 4812)
  - rundll32.exe (PID: 2516)
  - msiexec.exe (PID: 7480)
- Creates files in the program directory
  - pdq-connect-agent.exe (PID: 4812)
- Create files in a temporary directory
  - rundll32.exe (PID: 1676)
- The sample compiled with english language support
  - msiexec.exe (PID: 6964)
- Manual execution by a user
  - Taskmgr.exe (PID: 8928)
  - Taskmgr.exe (PID: 2332)
- Uses string replace method (POWERSHELL)
  - powershell.exe (PID: 4892)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.pdf	\|	Adobe Portable Document Format (100)

EXIF

PDF

PDFVersion:	1.1
Linearized:	No
PageCount:	1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

395

Monitored processes

120

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

840

rundll32.exe "C:\WINDOWS\Installer\MSIC7CD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1165343 61 WixSharp!WixSharp.ManagedProjectActions.WixSharp_InitRuntime_Action

C:\Windows\System32\rundll32.exe

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

1052

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7936 --field-trial-handle=2136,i,1778319238233493409,1905913706823608979,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1184

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3032 --field-trial-handle=1624,i,13280573450705985845,10489085464814340939,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1196

"C:\WINDOWS\system32\sc.exe" start "PDQConnectAgent"

C:\Windows\System32\sc.exe

—

rundll32.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1228

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2700 --field-trial-handle=1624,i,13280573450705985845,10489085464814340939,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1300

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3732 --field-trial-handle=2136,i,1778319238233493409,1905913706823608979,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1676

rundll32.exe "C:\WINDOWS\Installer\MSIB100.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1159500 16 WixSharp!WixSharp.ManagedProjectActions.WixSharp_BeforeInstall_Action

C:\Windows\System32\rundll32.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

2288

rundll32.exe "C:\WINDOWS\Installer\MSI107D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1183906 144 pdqconnectagent-setup!pdqconnectagent_setup.CustomActions.CreateEventSource

C:\Windows\System32\rundll32.exe

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

2332

"C:\WINDOWS\system32\taskmgr.exe" /4

C:\Windows\System32\Taskmgr.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Manager

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\rpcrt4.dll

2392

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2368 --field-trial-handle=2136,i,1778319238233493409,1905913706823608979,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

73 503

Read events

72 682

Write events

654

Delete events

167

Modification events


(PID) Process:	(7332) Acrobat.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:	write	Name:	DisplayName
Value: Adobe Acrobat Reader Protected Mode
(PID) Process:	(7488) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:	write	Name:	bLastExitNormal
Value: 0
(PID) Process:	(7488) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	bSynchronizeOPL
Value: 0
(PID) Process:	(7488) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:	write	Name:	uLastAppLaunchTimeStamp
Value:
(PID) Process:	(7488) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:	write	Name:	iNumAcrobatLaunches
Value: 7
(PID) Process:	(7488) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\NoTimeOut
Operation:	write	Name:	smailto
Value: 5900
(PID) Process:	(7488) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ToolsSearch
Operation:	write	Name:	iSearchHintIndex
Value: 3
(PID) Process:	(7488) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection
Operation:	write	Name:	bBlockDLLInjection
Value: 0
(PID) Process:	(7488) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	sProductGUID
Value: 4143524F4241545F475549445F4E474C5F44554D4D5900
(PID) Process:	(7488) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	sProductGUID
Value: 4143524F5F5245534944554500

Add for printing

Executable files

Suspicious files

419

Text files

117

Unknown types

Dropped files

PID	Process	Filename		Type
7792	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0		binary
		MD5:6AFE2B5FCEEF3B84F5F1C2287EFB82BD	SHA256:EA99480C270A9A04222EE30C1A57CBE2C51C2C7850D990FF536005794521D6D0
7488	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7488		binary
		MD5:366B140BAFC863B7E366AA1E51604759	SHA256:CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E
7488	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json		binary
		MD5:837C1211E392A24D64C670DC10E8DA1B	SHA256:8013AC030684B86D754BBFBAB8A9CEC20CAA4DD9C03022715FF353DC10E14031
7792	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0		binary
		MD5:E0A31B6956A722501E449BEC880D34E0	SHA256:504D8DFF11FFEECD833EF11CB47DAB58C7397D0AA2E367EABC93475632949DD7
7792	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old		text
		MD5:EB1590F2607E1CE46DBF6A521F772EA0	SHA256:4355D9A8A115BA4E41178B456A8A5578846EB1F7EC9509249C2405F758F31731
7792	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0		binary
		MD5:DBAB4631058FE1B86D09FD1C12BDEA13	SHA256:EA42B35F2AFBFBF487AF9D1D51179B3F5594EFA832AB1F1A1DC0EE814E4E307A
7332	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst		binary
		MD5:366B140BAFC863B7E366AA1E51604759	SHA256:CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E
7792	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old		text
		MD5:2EF1F7C0782D1A46974286420D24F629	SHA256:D3A9BB7E09E1F4B0C41FF7808E930DDACF5DB3BACD98ECCF5BC7DB4863D1FCF5
7792	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF10d572.TMP		text
		MD5:D012E5B4EB91B61F6E8AE2F8EC3C623E	SHA256:1BDA750084F20306722008016420E1912BA608CA8EFB9C661F7E7EFCF5E89673
7792	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old		text
		MD5:8412AEEF2309E13FC954061D9BCEFFF4	SHA256:D062D7B5DF5F3BCB753E97AB5D1DCD9CF62058D9103DA383DBE1F482FC1D4644

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
8976	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
8976	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7332	Acrobat.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
8940	BackgroundTransferHost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
7180	msedge.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
7180	msedge.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEA5NZ%2FZDFskqO3oXzEaXao8%3D	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	2.16.164.72:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7180	msedge.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRhtVltVOu8OqBzmsd%2B%2FeFfks3xTQQUvGsiZZ2MaObmHgXx2HIl1LjgSMACEAvcoEuhCK%2FAlHGPdKmo6gs%3D	unknown	—	—	whitelisted
5368	SearchApp.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	2.16.164.72:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6544	svchost.exe	20.190.160.4:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
3216	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
8024	AcroCEF.exe	2.19.104.203:443	geo2.adobe.com	AKAMAI-AS	DE	whitelisted
8024	AcroCEF.exe	3.233.129.217:443	p13n.adobe.io	AMAZON-AES	US	whitelisted
8024	AcroCEF.exe	2.23.244.205:443	armmf.adobe.com	Ooredoo Q.S.C.	QA	whitelisted

DNS requests

Domain	IP	Reputation
google.com	216.58.206.46	whitelisted
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
crl.microsoft.com	2.16.164.72 2.16.164.120	whitelisted
login.live.com	20.190.160.4 40.126.32.133 40.126.32.76 20.190.160.14 20.190.160.67 20.190.160.2 20.190.160.5 20.190.160.20 20.190.159.131 20.190.159.129 20.190.159.64 20.190.159.130 20.190.159.71 20.190.159.75 40.126.31.0 40.126.31.67	whitelisted
ocsp.digicert.com	2.23.77.188 184.30.131.245	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
geo2.adobe.com	2.19.104.203	whitelisted
p13n.adobe.io	3.233.129.217 52.6.155.20 52.22.41.97 3.219.243.226	whitelisted
armmf.adobe.com	2.23.244.205	whitelisted
adobereader.store	188.114.96.3 188.114.97.3	unknown

Threats

PID	Process	Class	Message
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare R2 Storage (r2 .cloudflarestorage .com)

Add for printing

No debug info

General Info

08829182025.pdf

82B5C5BFCA53C75F256A4540D54C5BBD

0B27BE92D4619D5321EFA4E53EAEED61F41BFF3C

43A8CC1A5492DCDC5FF4039E7923637A472E0D10B7F1CBFD3BF07267E1F662D1

49152:vGpwIOUzehobXez2/mEubYX60xUxTpJme0qhHgaF8E737XHNxMGHbCLYVFD:vGeI53OzcAuWTpJme0sHgk8E7378G4y

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

SUSPICIOUS

Executes as Windows Service

Executable content was dropped or overwritten

Uses RUNDLL32.EXE to load library

Starts SC.EXE for service management

Windows service management via SC.EXE

PDQConnect is probably used for system patching and software deployment

Reads the Windows owner or organization settings

Starts POWERSHELL.EXE for commands execution

The process hide an interactive prompt from the user

The process bypasses the loading of PowerShell profile settings

Creates new GUID (POWERSHELL)

The process executes via Task Scheduler

The process hides Powershell's copyright startup banner

INFO

Reads security settings of Internet Explorer

Reads Environment values

Reads the computer name

Application launched itself

Reads Microsoft Office registry keys

Autorun file from Downloads

Checks proxy server information

Checks supported languages

Creates files or folders in the user directory

Reads the software policy settings

Manages system restore points

Executable content was dropped or overwritten

PDQCONNECT has been detected

Creates files in the program directory

Create files in a temporary directory

The sample compiled with english language support

Manual execution by a user

Uses string replace method (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

PDF

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity