Malware analysis Facture Impayée.pdf Malicious activity

Add for printing

File name:	Facture Impayée.pdf
Full analysis:	https://app.any.run/tasks/99a33562-d9af-422a-bbc5-28a135ab3744
Verdict:	Malicious activity
Analysis date:	April 15, 2025, 11:33:32
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	generated-doc phishing phish-img bluetrait rmm-tool syncro
Indicators:
MIME:	application/pdf
File info:	PDF document, version 1.7, 2 page(s)
MD5:	F729FA1EF7F96A68F7B8DDDC98EC55BC
SHA1:	72037AA346E77008B1947862DAA646F3AA953C7F
SHA256:	70DB04DBBB5DB85212D2E1E0768DF774DE51E965CE17F529E685313D8FC65501
SSDEEP:	6144:kLcDc+owGjpSuOme7FTXU+MnB//k+tLua19Ay:kLcDDK9Sqe7FT6B//Bua19/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Phishing has been detected
  - Acrobat.exe (PID: 7416)
SUSPICIOUS
- Executes as Windows Service
  - VSSVC.exe (PID: 8240)
  - Bluetrait MSP Agent.exe (PID: 8100)
  - WmiApSrv.exe (PID: 9104)
  - Syncro.Service.Runner.exe (PID: 8648)
  - Syncro.Overmind.Service.exe (PID: 8548)
  - SyncroLive.Service.Runner.exe (PID: 8480)
  - WmiApSrv.exe (PID: 8184)
  - Syncro.Service.Runner.exe (PID: 2236)
- There is functionality for taking screenshot (YARA)
  - AcroCEF.exe (PID: 5556)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 684)
- The process checks if it is being run in the virtual environment
  - Bluetrait MSP Agent.exe (PID: 8100)
  - SyncroLive.Agent.Runner.exe (PID: 7700)
- Executable content was dropped or overwritten
  - rundll32.exe (PID: 1548)
  - Installer.exe (PID: 8840)
  - Syncro.Installer.exe (PID: 7196)
  - rundll32.exe (PID: 8472)
  - Syncro.Service.Runner.exe (PID: 8648)
  - Syncro.Overmind.Service.exe (PID: 8548)
  - SyncroLive.Agent.Runner.exe (PID: 7700)
  - Syncro.Service.Runner.exe (PID: 2236)
- Reads security settings of Internet Explorer
  - Installer.exe (PID: 8840)
  - InstallUtil.exe (PID: 8524)
  - Syncro.Service.Runner.exe (PID: 8648)
  - Syncro.App.Runner.exe (PID: 7104)
  - SyncroLive.Service.Runner.exe (PID: 8480)
  - SyncroLive.Agent.Runner.exe (PID: 7700)
  - Syncro.App.Runner.exe (PID: 8292)
  - Syncro.Service.Runner.exe (PID: 2236)
- Reads the date of Windows installation
  - Installer.exe (PID: 8840)
  - Bluetrait MSP Agent.exe (PID: 8100)
- Searches for installed software
  - Bluetrait MSP Agent.exe (PID: 8100)
  - Syncro.Installer.exe (PID: 7196)
  - Syncro.Service.Runner.exe (PID: 8648)
  - Syncro.Service.Runner.exe (PID: 2236)
- Drops 7-zip archiver for unpacking
  - Syncro.Installer.exe (PID: 7196)
  - Syncro.Overmind.Service.exe (PID: 8548)
- The process creates files with name similar to system file names
  - Syncro.Installer.exe (PID: 7196)
  - Syncro.Overmind.Service.exe (PID: 8548)
- Process drops legitimate windows executable
  - Syncro.Installer.exe (PID: 7196)
  - Syncro.Overmind.Service.exe (PID: 8548)
- Executing commands from a ".bat" file
  - Syncro.Installer.exe (PID: 7196)
- Restarts service on failure
  - sc.exe (PID: 5984)
  - sc.exe (PID: 8432)
  - sc.exe (PID: 8796)
  - sc.exe (PID: 9060)
- Starts SC.EXE for service management
  - cmd.exe (PID: 9184)
  - Syncro.Overmind.Service.exe (PID: 8548)
- Windows service management via SC.EXE
  - sc.exe (PID: 7192)
  - sc.exe (PID: 7712)
  - sc.exe (PID: 9128)
- Starts CMD.EXE for commands execution
  - Syncro.Installer.exe (PID: 7196)
- Creates a software uninstall entry
  - Syncro.Service.Runner.exe (PID: 8648)
- Creates or modifies Windows services
  - Syncro.Overmind.Service.exe (PID: 7704)
- Creates a new Windows service
  - sc.exe (PID: 6872)
- Drops a system driver (possible attempt to evade defenses)
  - SyncroLive.Agent.Runner.exe (PID: 7700)
INFO
- Application launched itself
  - msedge.exe (PID: 7916)
  - AcroCEF.exe (PID: 8056)
  - Acrobat.exe (PID: 7416)
- Reads Environment values
  - identity_helper.exe (PID: 8484)
  - Bluetrait MSP Agent.exe (PID: 8100)
  - Syncro.Installer.exe (PID: 7196)
  - identity_helper.exe (PID: 7972)
  - Syncro.Service.Runner.exe (PID: 8648)
  - Syncro.Overmind.Service.exe (PID: 8548)
  - Syncro.Overmind.Service.exe (PID: 7704)
  - SyncroLive.Agent.Runner.exe (PID: 7700)
  - Syncro.Service.Runner.exe (PID: 2236)
- Reads the computer name
  - identity_helper.exe (PID: 8484)
  - msiexec.exe (PID: 684)
  - msiexec.exe (PID: 8496)
  - msiexec.exe (PID: 8736)
  - Bluetrait MSP Agent.exe (PID: 8100)
  - msiexec.exe (PID: 2148)
  - Installer.exe (PID: 8840)
  - Syncro.Installer.exe (PID: 7196)
  - InstallUtil.exe (PID: 8524)
  - Syncro.Service.Runner.exe (PID: 8648)
  - identity_helper.exe (PID: 7972)
  - msiexec.exe (PID: 3016)
  - Syncro.App.Runner.exe (PID: 7104)
  - msiexec.exe (PID: 4108)
  - Syncro.Overmind.Service.exe (PID: 8548)
  - msiexec.exe (PID: 8020)
  - Syncro.Overmind.Service.exe (PID: 7704)
  - SyncroLive.Service.Runner.exe (PID: 8480)
  - SyncroLive.Agent.Runner.exe (PID: 7700)
  - Syncro.Service.Runner.exe (PID: 2236)
  - Syncro.App.Runner.exe (PID: 8292)
- Checks supported languages
  - identity_helper.exe (PID: 8484)
  - msiexec.exe (PID: 684)
  - msiexec.exe (PID: 8496)
  - msiexec.exe (PID: 8736)
  - Bluetrait MSP Agent.exe (PID: 8100)
  - msiexec.exe (PID: 2148)
  - Installer.exe (PID: 8840)
  - Syncro.Installer.exe (PID: 7196)
  - Syncro.Service.Runner.exe (PID: 8648)
  - identity_helper.exe (PID: 7972)
  - InstallUtil.exe (PID: 8524)
  - msiexec.exe (PID: 3016)
  - Syncro.App.Runner.exe (PID: 7104)
  - msiexec.exe (PID: 4108)
  - Syncro.Overmind.Service.exe (PID: 8548)
  - msiexec.exe (PID: 8020)
  - Syncro.Overmind.Service.exe (PID: 7704)
  - SyncroLive.Service.Runner.exe (PID: 8480)
  - SyncroLive.Agent.Runner.exe (PID: 7700)
  - Syncro.Service.Runner.exe (PID: 2236)
  - Syncro.App.Runner.exe (PID: 8292)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 7916)
  - msiexec.exe (PID: 684)
  - msedge.exe (PID: 2108)
- Reads Microsoft Office registry keys
  - msedge.exe (PID: 7916)
- The sample compiled with english language support
  - msedge.exe (PID: 7916)
  - msiexec.exe (PID: 684)
  - Syncro.Installer.exe (PID: 7196)
  - msedge.exe (PID: 2108)
  - Syncro.Overmind.Service.exe (PID: 8548)
- Reads security settings of Internet Explorer
  - msiexec.exe (PID: 4528)
- Reads the software policy settings
  - slui.exe (PID: 7724)
  - msiexec.exe (PID: 4528)
  - msiexec.exe (PID: 684)
  - Bluetrait MSP Agent.exe (PID: 8100)
  - slui.exe (PID: 8548)
  - Syncro.Installer.exe (PID: 7196)
  - Syncro.Overmind.Service.exe (PID: 8548)
  - Syncro.Service.Runner.exe (PID: 8648)
  - SyncroLive.Agent.Runner.exe (PID: 7700)
  - Syncro.Service.Runner.exe (PID: 2236)
- BLUETRAIT has been detected
  - msiexec.exe (PID: 4528)
  - msiexec.exe (PID: 684)
  - Bluetrait MSP Agent.exe (PID: 8100)
  - msiexec.exe (PID: 8504)
  - msiexec.exe (PID: 1548)
  - msiexec.exe (PID: 7172)
  - SyncroLive.Agent.Runner.exe (PID: 7700)
- Manages system restore points
  - SrTasks.exe (PID: 5544)
- Reads the machine GUID from the registry
  - msiexec.exe (PID: 684)
  - Bluetrait MSP Agent.exe (PID: 8100)
  - Syncro.Installer.exe (PID: 7196)
  - InstallUtil.exe (PID: 8524)
  - Syncro.Service.Runner.exe (PID: 8648)
  - Syncro.App.Runner.exe (PID: 7104)
  - Syncro.Overmind.Service.exe (PID: 8548)
  - Syncro.Overmind.Service.exe (PID: 7704)
  - SyncroLive.Service.Runner.exe (PID: 8480)
  - SyncroLive.Agent.Runner.exe (PID: 7700)
  - Syncro.App.Runner.exe (PID: 8292)
  - Syncro.Service.Runner.exe (PID: 2236)
- Disables trace logs
  - Bluetrait MSP Agent.exe (PID: 8100)
  - Syncro.Installer.exe (PID: 7196)
  - Syncro.Service.Runner.exe (PID: 8648)
  - Syncro.Overmind.Service.exe (PID: 8548)
  - Syncro.Service.Runner.exe (PID: 2236)
- Reads CPU info
  - Bluetrait MSP Agent.exe (PID: 8100)
  - SyncroLive.Agent.Runner.exe (PID: 7700)
- Creates files in the program directory
  - Bluetrait MSP Agent.exe (PID: 8100)
  - Installer.exe (PID: 8840)
  - Syncro.Installer.exe (PID: 7196)
  - InstallUtil.exe (PID: 8524)
  - Syncro.Service.Runner.exe (PID: 8648)
  - Syncro.App.Runner.exe (PID: 7104)
  - Syncro.Overmind.Service.exe (PID: 8548)
  - Syncro.Overmind.Service.exe (PID: 7704)
  - SyncroLive.Service.Runner.exe (PID: 8480)
  - SyncroLive.Agent.Runner.exe (PID: 7700)
  - Syncro.Service.Runner.exe (PID: 2236)
- Creates a software uninstall entry
  - msiexec.exe (PID: 684)
- Checks proxy server information
  - slui.exe (PID: 8548)
- Reads the time zone
  - Bluetrait MSP Agent.exe (PID: 8100)
  - SyncroLive.Agent.Runner.exe (PID: 7700)
- SYNCRO has been detected
  - Syncro.Installer.exe (PID: 7196)
  - cmd.exe (PID: 9184)
  - InstallUtil.exe (PID: 8524)
  - Syncro.Service.Runner.exe (PID: 8648)
  - Syncro.App.Runner.exe (PID: 7104)
  - Syncro.Overmind.Service.exe (PID: 8548)
  - SyncroLive.Agent.Runner.exe (PID: 7700)
  - Syncro.App.Runner.exe (PID: 8292)
  - Syncro.Service.Runner.exe (PID: 2236)
- Process checks Powershell version
  - Syncro.Service.Runner.exe (PID: 8648)
- The sample compiled with japanese language support
  - SyncroLive.Agent.Runner.exe (PID: 7700)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.pdf	\|	Adobe Portable Document Format (100)

EXIF

PDF

PDFVersion:	1.7
Linearized:	No
PageCount:	2
Language:	fr-FR
TaggedPDF:	Yes
Author:	Dennis Block
Creator:	Microsoft® Word 2019
CreateDate:	2025:04:11 14:09:04+02:00
ModifyDate:	2025:04:11 14:09:04+02:00
Producer:	Microsoft® Word 2019

XMP

XMPToolkit:	3.1-701
Producer:	Microsoft® Word 2019
Creator:	Dennis Block
CreatorTool:	Microsoft® Word 2019
CreateDate:	2025:04:11 14:09:04+02:00
ModifyDate:	2025:04:11 14:09:04+02:00
DocumentID:	uuid:C64C41E5-55AB-4956-B927-90BEACEC0CE8
InstanceID:	uuid:C64C41E5-55AB-4956-B927-90BEACEC0CE8

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

261

Monitored processes

121

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

496

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2144 --field-trial-handle=1616,i,15119332689551905443,1042405472833473730,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

684

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

812

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5408 --field-trial-handle=2344,i,13788487321724709938,5523562971517336816,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1164

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1228

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2932 --field-trial-handle=1616,i,15119332689551905443,1042405472833473730,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1276

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2164 --field-trial-handle=1616,i,15119332689551905443,1042405472833473730,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1520

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7860 --field-trial-handle=2344,i,13788487321724709938,5523562971517336816,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1548

rundll32.exe "C:\WINDOWS\Installer\MSIE14.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1248890 22 WiX.CustomActions!WiX.CustomActions.CustomActions.ReadConfigJson

C:\Windows\SysWOW64\rundll32.exe

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1548

"C:\WINDOWS\System32\msiexec.exe" /i "C:\Users\admin\Downloads\BluetraitAgent383.msi"

C:\Windows\System32\msiexec.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2108

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8272 --field-trial-handle=2344,i,13788487321724709938,5523562971517336816,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

100 055

Read events

99 230

Write events

771

Delete events

Modification events


(PID) Process:	(7568) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:	write	Name:	bLastExitNormal
Value: 0
(PID) Process:	(7416) Acrobat.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:	write	Name:	DisplayName
Value: Adobe Acrobat Reader Protected Mode
(PID) Process:	(7568) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	bSynchronizeOPL
Value: 0
(PID) Process:	(7568) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:	write	Name:	uLastAppLaunchTimeStamp
Value: 960098824
(PID) Process:	(7568) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:	write	Name:	iNumAcrobatLaunches
Value: 7
(PID) Process:	(7568) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\NoTimeOut
Operation:	write	Name:	smailto
Value: 5900
(PID) Process:	(7568) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ToolsSearch
Operation:	write	Name:	iSearchHintIndex
Value: 3
(PID) Process:	(7568) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	sProductGUID
Value: 4143524F4241545F475549445F4E474C5F44554D4D5900
(PID) Process:	(7568) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	sProductGUID
Value: 4143524F5F5245534944554500
(PID) Process:	(7568) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AdobeViewer
Operation:	delete value	Name:	ProductInfoCache
Value:

Add for printing

Executable files

422

Suspicious files

912

Text files

173

Unknown types

Dropped files

PID	Process	Filename		Type
7568	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING		binary
		MD5:DC84B0D741E5BEAE8070013ADDCC8C28	SHA256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
8056	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old		text
		MD5:2EF1F7C0782D1A46974286420D24F629	SHA256:D3A9BB7E09E1F4B0C41FF7808E930DDACF5DB3BACD98ECCF5BC7DB4863D1FCF5
7568	Acrobat.exe	C:\Users\admin\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt		text
		MD5:8292D2537C5854814CEAE8B20F36A06F	SHA256:96AF588999B2DC20660E320CB53052801F860EB41BB1D5979A0504CB15EA2AA8
7568	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json		binary
		MD5:837C1211E392A24D64C670DC10E8DA1B	SHA256:8013AC030684B86D754BBFBAB8A9CEC20CAA4DD9C03022715FF353DC10E14031
7568	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal		binary
		MD5:88AB4E2DC6FC77F2F56B73B1FFDA1A26	SHA256:3777189A6C11DFB8C48501DFB89931D3606D1FB9F3F65B0078862912CBB5A5C3
7568	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents		binary
		MD5:0427CE697BCABE7B0D3A4307530C063D	SHA256:95F63CFCE39E26C6F151DDB79EDDA61C4CB61656F5CDAC0F6AEC078D24894438
7568	Acrobat.exe	C:\Users\admin\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.1.20093.6 2025-04-15 11-33-45-361.log		text
		MD5:460C6041966002D8384A18C895A65EB0	SHA256:C83EC6E8FB3EC62481289C033238C1D9B08DB8076EAAD304099FD7A7F594F1B9
8056	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0		binary
		MD5:AB5C0665AED766F2EA6FBD5242A96F7D	SHA256:88FEA37943ACFD7F0A4AC7CB79E0A4BC7653278118906E5D3E03A6F605487B98
8056	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0		binary
		MD5:94C57E14A8873330D323D0FAD7771567	SHA256:E10C1BD3C6385166F8B65E82C4106291E612C9B60C3A4ADF9F1AB4B1253646E0
8056	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0		binary
		MD5:9E550AA8B1031C3C98F8B5C24BC965AF	SHA256:9B6AF56E988588EB0088FBA0113D45B4D50C0D80BDA694F0A451ABDA3CCC30B1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

146

DNS requests

139

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
300	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1744952132&P2=404&P3=2&P4=MZ2NVcOPk648eQqGxqZ2ktWzyRzrvSYS3COFhzoSr4bWUsFx5xB0iqZb%2binmI9x9RQosLI8aQB0Yfi5cnTsPXg%3d%3d	unknown	—	—	whitelisted
300	svchost.exe	HEAD	200	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1744952132&P2=404&P3=2&P4=MZ2NVcOPk648eQqGxqZ2ktWzyRzrvSYS3COFhzoSr4bWUsFx5xB0iqZb%2binmI9x9RQosLI8aQB0Yfi5cnTsPXg%3d%3d	unknown	—	—	whitelisted
300	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1744952132&P2=404&P3=2&P4=MZ2NVcOPk648eQqGxqZ2ktWzyRzrvSYS3COFhzoSr4bWUsFx5xB0iqZb%2binmI9x9RQosLI8aQB0Yfi5cnTsPXg%3d%3d	unknown	—	—	whitelisted
300	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1744952132&P2=404&P3=2&P4=MZ2NVcOPk648eQqGxqZ2ktWzyRzrvSYS3COFhzoSr4bWUsFx5xB0iqZb%2binmI9x9RQosLI8aQB0Yfi5cnTsPXg%3d%3d	unknown	—	—	whitelisted
300	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1744952132&P2=404&P3=2&P4=MZ2NVcOPk648eQqGxqZ2ktWzyRzrvSYS3COFhzoSr4bWUsFx5xB0iqZb%2binmI9x9RQosLI8aQB0Yfi5cnTsPXg%3d%3d	unknown	—	—	whitelisted
300	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1744952132&P2=404&P3=2&P4=MZ2NVcOPk648eQqGxqZ2ktWzyRzrvSYS3COFhzoSr4bWUsFx5xB0iqZb%2binmI9x9RQosLI8aQB0Yfi5cnTsPXg%3d%3d	unknown	—	—	whitelisted
300	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1744952132&P2=404&P3=2&P4=MZ2NVcOPk648eQqGxqZ2ktWzyRzrvSYS3COFhzoSr4bWUsFx5xB0iqZb%2binmI9x9RQosLI8aQB0Yfi5cnTsPXg%3d%3d	unknown	—	—	whitelisted
300	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a575cead-e662-4f4d-b0c3-81f1438d0388?P1=1744952132&P2=404&P3=2&P4=MZ2NVcOPk648eQqGxqZ2ktWzyRzrvSYS3COFhzoSr4bWUsFx5xB0iqZb%2binmI9x9RQosLI8aQB0Yfi5cnTsPXg%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
1276	AcroCEF.exe	95.100.184.205:443	geo2.adobe.com	AKAMAI-AS	FR	whitelisted
6544	svchost.exe	20.190.159.75:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
1276	AcroCEF.exe	50.16.47.176:443	p13n.adobe.io	AMAZON-AES	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.110	whitelisted
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
geo2.adobe.com	95.100.184.205	whitelisted
login.live.com	20.190.159.75 40.126.31.2 20.190.159.130 20.190.159.73 20.190.159.71 40.126.31.73 40.126.31.129 40.126.31.131	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
p13n.adobe.io	50.16.47.176 18.213.11.84 34.237.241.83 54.224.241.105	whitelisted
armmf.adobe.com	95.101.148.135	whitelisted
acroipm2.adobe.com	2.16.168.107 2.16.168.105	whitelisted

Threats

PID	Process	Class	Message
2196	svchost.exe	Misc activity	ET INFO RMM Software Domain in DNS Lookup (bluetrait .io)
7332	msedge.exe	Misc activity	ET INFO RMM Software Domain in DNS Lookup (bluetrait .io)
7332	msedge.exe	Misc activity	ET INFO RMM Software Domain in DNS Lookup (bluetrait .io)
7332	msedge.exe	Misc activity	ET INFO Observed RMM Software Domain (bluetrait .io) in TLS SNI
2196	svchost.exe	Misc activity	ET INFO RMM Software Domain in DNS Lookup (bluetrait .io)
8100	Bluetrait MSP Agent.exe	Misc activity	ET INFO Observed RMM Software Domain (bluetrait .io) in TLS SNI
8100	Bluetrait MSP Agent.exe	Misc activity	ET INFO Observed RMM Software Domain (bluetrait .io) in TLS SNI
8100	Bluetrait MSP Agent.exe	Misc activity	ET INFO Observed RMM Software Domain (bluetrait .io) in TLS SNI
8100	Bluetrait MSP Agent.exe	Misc activity	ET INFO Observed RMM Software Domain (bluetrait .io) in TLS SNI
2196	svchost.exe	Potentially Bad Traffic	ET REMOTE_ACCESS Observed Remote Management Software Domain in DNS Lookup (syncromsp .com)

Add for printing

Process	Message
Bluetrait MSP Agent.exe	Native library pre-loader is trying to load native SQLite library "C:\Program Files (x86)\Bluetrait Agent\x64\SQLite.Interop.dll"...
SyncroLive.Service.Runner.exe	Topshelf.HostFactory Information: 0 :
SyncroLive.Service.Runner.exe	Configuration Result: [Success] Name SyncroLive [Success] Description The server that powers SyncroLive Cloud [Success] ServiceName SyncroLive
SyncroLive.Service.Runner.exe	Topshelf v4.1.0.172, .NET Framework v4.0.30319.42000
SyncroLive.Service.Runner.exe	Topshelf.HostConfigurators.HostConfiguratorImpl Information: 0 :
SyncroLive.Service.Runner.exe	Starting as a Windows service
SyncroLive.Service.Runner.exe	Topshelf.Runtime.Windows.WindowsServiceHost Information: 0 :
SyncroLive.Service.Runner.exe	[Topshelf] Starting
SyncroLive.Service.Runner.exe	Topshelf.Runtime.Windows.WindowsServiceHost Information: 0 :
SyncroLive.Service.Runner.exe	Topshelf.Runtime.Windows.WindowsServiceHost Information: 0 :

General Info

Facture Impayée.pdf

F729FA1EF7F96A68F7B8DDDC98EC55BC

72037AA346E77008B1947862DAA646F3AA953C7F

70DB04DBBB5DB85212D2E1E0768DF774DE51E965CE17F529E685313D8FC65501

6144:kLcDc+owGjpSuOme7FTXU+MnB//k+tLua19Ay:kLcDDK9Sqe7FT6B//Bua19/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Phishing has been detected

SUSPICIOUS

Executes as Windows Service

There is functionality for taking screenshot (YARA)

Reads the Windows owner or organization settings

The process checks if it is being run in the virtual environment

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the date of Windows installation

Searches for installed software

Drops 7-zip archiver for unpacking

The process creates files with name similar to system file names

Process drops legitimate windows executable

Executing commands from a ".bat" file

Restarts service on failure

Starts SC.EXE for service management

Windows service management via SC.EXE

Starts CMD.EXE for commands execution

Creates a software uninstall entry

Creates or modifies Windows services

Creates a new Windows service

Drops a system driver (possible attempt to evade defenses)

INFO

Application launched itself

Reads Environment values

Reads the computer name

Checks supported languages

Executable content was dropped or overwritten

Reads Microsoft Office registry keys

The sample compiled with english language support

Reads security settings of Internet Explorer

Reads the software policy settings

BLUETRAIT has been detected

Manages system restore points

Reads the machine GUID from the registry

Disables trace logs

Reads CPU info

Creates files in the program directory

Creates a software uninstall entry

Checks proxy server information

Reads the time zone

SYNCRO has been detected

Process checks Powershell version

The sample compiled with japanese language support

Malware configuration

Static information

TRiD

EXIF

PDF

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information