analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://subiecte.edu.ro/2019/bacalaureat/Subiecte_si_bareme/iunie/E_d_scris_04072019.zip

Full analysis: https://app.any.run/tasks/82da6d2a-a508-4603-af16-afaca1ed0e3b
Verdict: No threats detected
Analysis date: July 05, 2019, 07:53:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MD5:

88DD460DB297AB17D331A70E9298F8BA

SHA1:

043C4B1E34528BAF60EE33F38B7635C083C2FD33

SHA256:

7EE2BEB3B8C1929AD1F043D4D2039A53B29BBCB1D9390C1FCD5CC44D90FBE7F2

SSDEEP:

3:N1KNQHMtmjKNYFEQXHK27RfL6kXXOlzS8:CCs82qw27RWkXXQ9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Creates files in the user directory

      • opera.exe (PID: 3004)

    • Application launched itself

      • RdrCEF.exe (PID: 4056)
      • AcroRd32.exe (PID: 3228)
      • RdrCEF.exe (PID: 3160)

    • Manual execution by user

      • AcroRd32.exe (PID: 4024)
      • AcroRd32.exe (PID: 3228)
      • WinRAR.exe (PID: 3764)

    • Reads Internet Cache Settings

      • opera.exe (PID: 3004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
12
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start opera.exe winrar.exe no specs acrord32.exe acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs acrord32.exe no specs acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3004"C:\Program Files\Opera\opera.exe" http://subiecte.edu.ro/2019/bacalaureat/Subiecte_si_bareme/iunie/E_d_scris_04072019.zipC:\Program Files\Opera\opera.exe
explorer.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Internet Browser
Version:
1748
Modules
Images
c:\program files\opera\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rpcrt4.dll
3764"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\E_d_scris_04072019.zip" C:\Users\admin\Desktop\C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
4024"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\Desktop\E_d_04_iulie_2019\E_d_bio_veg_anim_2019_var_04_LMA.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
explorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3804"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\Desktop\E_d_04_iulie_2019\E_d_bio_veg_anim_2019_var_04_LMA.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
4056"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Exit code:
3221225547
Version:
15.23.20053.211670
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3772"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="4056.0.933386185\457453340" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
15.23.20053.211670
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
456"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="4056.1.1213566626\641785085" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
15.23.20053.211670
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3228"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\Desktop\E_d_04_iulie_2019\E_d_bio_veg_anim_2019_var_04_LRO.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeexplorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3588"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\Desktop\E_d_04_iulie_2019\E_d_bio_veg_anim_2019_var_04_LRO.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3160"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Exit code:
3221225547
Version:
15.23.20053.211670
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
Total events
1 106
Read events
770
Write events
332
Delete events
4

Modification events

(PID) Process:(3004) opera.exeKey:HKEY_CURRENT_USER\Software\Opera Software
Operation:writeName:Last CommandLine v2
Value:
C:\Program Files\Opera\opera.exe http://subiecte.edu.ro/2019/bacalaureat/Subiecte_si_bareme/iunie/E_d_scris_04072019.zip
(PID) Process:(3004) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3004) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(3004) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
0200000001000000000000000700000006000000030000000500000004000000FFFFFFFF
(PID) Process:(3004) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation:writeName:TV_FolderType
Value:
{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}
(PID) Process:(3004) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation:writeName:TV_TopViewID
Value:
{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
(PID) Process:(3004) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation:writeName:TV_TopViewVersion
Value:
0
(PID) Process:(3004) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation:writeName:Mode
Value:
4
(PID) Process:(3004) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation:writeName:LogicalViewMode
Value:
1
(PID) Process:(3004) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation:writeName:FFlags
Value:
1092616257
Executable files
0
Suspicious files
92
Text files
5
Unknown types
19

Dropped files

PID
Process
Filename
Type
3004opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr3DED.tmp
MD5:
SHA256:
3004opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\opr3DFE.tmp
MD5:
SHA256:
3004opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\opr3E6C.tmp
MD5:
SHA256:
3004opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GH80DY49WJQ6AXDWRDF2.temp
MD5:
SHA256:
3004opera.exeC:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00003.tmp
MD5:
SHA256:
3004opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xmlxml
MD5:60CC7CCEB9F3A3B9798E2B45CD65CAB4
SHA256:0D5D65CA3BFAE07A157539E0A0DD06FD267C0677630736C10D29D3881215E351
3004opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.initext
MD5:34FAAD496452F3E4E6CF234D88C305BA
SHA256:BDD3E5A2B60B9E3667CF29D9A793FE2763CCE8A90F882A42A621B01566DF0CFC
3004opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF155cee.TMPbinary
MD5:8D2AF1B32332CBC3EB43E52363BC928D
SHA256:A8A64BE8EAB84CF198494B0773676DF0FB6CAB57E8DC1329EBCFDCD849EBDFE0
3004opera.exeC:\Users\admin\AppData\Local\Opera\Opera\cache\g_0000\opr00001.tmpcompressed
MD5:64054F3133E184C9393C4D6AB759EAA3
SHA256:F7A2769FAD0ACDE474A19779E5DC496B73B784241CF4C2C53F385F9792DE56C7
3004opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-msbinary
MD5:8D2AF1B32332CBC3EB43E52363BC928D
SHA256:A8A64BE8EAB84CF198494B0773676DF0FB6CAB57E8DC1329EBCFDCD849EBDFE0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
9
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4024
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip
unknown
whitelisted
4024
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip
unknown
whitelisted
3004
opera.exe
GET
200
93.184.220.29:80
http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
US
der
528 b
whitelisted
3004
opera.exe
GET
200
193.231.32.154:80
http://subiecte.edu.ro/2019/bacalaureat/Subiecte_si_bareme/iunie/E_d_scris_04072019.zip
RO
compressed
4.22 Mb
unknown
4024
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip
unknown
whitelisted
4024
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip
unknown
whitelisted
4024
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip
unknown
whitelisted
3004
opera.exe
GET
400
185.26.182.111:80
http://sitecheck2.opera.com/?host=subiecte.edu.ro&hdn=6A3n3GPE7qpZqLpf1FDPxA==
unknown
html
150 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3004
opera.exe
185.26.182.93:443
sitecheck2.opera.com
Opera Software AS
whitelisted
93.184.220.29:80
crl4.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
4024
AcroRd32.exe
2.21.36.203:443
armmf.adobe.com
GTT Communications Inc.
FR
suspicious
3004
opera.exe
193.231.32.154:80
subiecte.edu.ro
Agentia de Administrare a Retelei Nationale de Informatica pentru Educatie si Cercetare
RO
unknown
3004
opera.exe
93.184.220.29:80
crl4.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
4024
AcroRd32.exe
2.16.186.33:80
acroipm2.adobe.com
Akamai International B.V.
whitelisted
3004
opera.exe
185.26.182.111:80
sitecheck2.opera.com
Opera Software AS
whitelisted

DNS requests

Domain
IP
Reputation
subiecte.edu.ro
  • 193.231.32.154
unknown
sitecheck2.opera.com
  • 185.26.182.111
  • 185.26.182.112
  • 185.26.182.93
  • 185.26.182.94
whitelisted
certs.opera.com
  • 185.26.182.93
  • 185.26.182.94
whitelisted
crl4.digicert.com
  • 93.184.220.29
whitelisted
acroipm2.adobe.com
  • 2.16.186.33
  • 2.16.186.32
whitelisted
armmf.adobe.com
  • 2.21.36.203
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://subiecte.edu.ro/2019/bacalaureat/Subiecte_si_bareme/iunie/E_d_scris_04072019.zip