File name: | buvyoem41.pdf |
Full analysis: | https://app.any.run/tasks/5e179770-0319-4107-a888-6e2c9f67be49 |
Verdict: | Malicious activity |
Analysis date: | May 21, 2022, 07:11:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/pdf |
File info: | PDF document, version 1.6 |
MD5: | 8F419B0C7AF82965B732E6FB14D879B8 |
SHA1: | 94A751760CE3C21E5E7585C85DD64BF113357E1F |
SHA256: | B3357878F5B0C500BEC0A7465228694F81911913DE4FC421E1517CC8C6102EA2 |
SSDEEP: | 192:m5tG6eVG5yHK2JEFXO2IOwsfD90Lk0sAaxrTQu4uWVtK3ZDoE/mwfxOfC9oiMMna:m5t6GIK2uB7IOz0Lk0sbxrTQujWVtKJa |
| | Adobe Portable Document Format (100) |
Linearized: | No |
---|---|
PDFVersion: | 1.6 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3216 | "C:\Windows\System32\runas.exe" /user:administrator C:\Users\admin\Desktop\buvyoem41.pdf | C:\Windows\System32\runas.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Run As Utility Exit code: 3221225786 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1068 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Explorer.EXE | ||||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: HIGH Description: Adobe Acrobat Reader DC Version: 20.13.20064.405839 Modules
| |||||||||||||||
2532 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 20.13.20064.405839 Modules
| |||||||||||||||
3272 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | AcroRd32.exe | ||||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 20.13.20064.405839 Modules
| |||||||||||||||
3832 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1072,1136040790904190169,3508059142931939195,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16668348921656478821 --renderer-client-id=2 --mojo-platform-channel-handle=1192 --allow-no-sandbox-job /prefetch:1 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 0 Version: 20.13.20064.405839 Modules
| |||||||||||||||
4008 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1072,1136040790904190169,3508059142931939195,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=14953870019807433440 --mojo-platform-channel-handle=1220 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 1 Version: 20.13.20064.405839 Modules
| |||||||||||||||
2036 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1072,1136040790904190169,3508059142931939195,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=475830923001629153 --mojo-platform-channel-handle=1384 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 1 Version: 20.13.20064.405839 Modules
| |||||||||||||||
2916 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1072,1136040790904190169,3508059142931939195,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=65101939544802883 --mojo-platform-channel-handle=1388 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 1 Version: 20.13.20064.405839 Modules
| |||||||||||||||
2124 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1072,1136040790904190169,3508059142931939195,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11043442981227105823 --renderer-client-id=6 --mojo-platform-channel-handle=1484 --allow-no-sandbox-job /prefetch:1 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 20.13.20064.405839 Modules
| |||||||||||||||
3032 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1072,1136040790904190169,3508059142931939195,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9273804953092537124 --renderer-client-id=7 --mojo-platform-channel-handle=1612 --allow-no-sandbox-job /prefetch:1 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 20.13.20064.405839 Modules
|
(PID) Process: | (1068) AcroRd32.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\Acrobatbrokerserverdispatchercpp789 |
Operation: | delete key | Name: | (default) |
Value: | |||
(PID) Process: | (2532) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\ExitSection |
Operation: | write | Name: | bLastExitNormal |
Value: 0 | |||
(PID) Process: | (2532) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral |
Operation: | write | Name: | iNumReaderLaunches |
Value: 2 | |||
(PID) Process: | (2532) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\FTEDialog |
Operation: | write | Name: | bShowUpdateFTE |
Value: 1 | |||
(PID) Process: | (2532) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\HomeWelcome |
Operation: | write | Name: | bIsAcrobatUpdated |
Value: 1 | |||
(PID) Process: | (2532) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\HomeWelcomeFirstMileReader |
Operation: | write | Name: | iCardCountShown |
Value: 2 | |||
(PID) Process: | (2532) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\FTEDialog |
Operation: | delete value | Name: | iLastCardShown |
Value: 0 | |||
(PID) Process: | (2532) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\SessionManagement |
Operation: | write | Name: | bNormalExit |
Value: 0 | |||
(PID) Process: | (2532) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\SessionManagement\cWindowsCurrent\cWin0 |
Operation: | write | Name: | iTabCount |
Value: 0 | |||
(PID) Process: | (2532) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\SessionManagement\cWindowsCurrent |
Operation: | write | Name: | iWinCount |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3272 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0 | binary | |
MD5:7FA1187F93F44FE134E8927199C2CA70 | SHA256:E8CA2195708DA84C227FACAF52E9700CB675F82B18FDA850534F3C6AD2A28EC1 | |||
3272 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0 | binary | |
MD5:806059324B11C6C045E2C904B21E9B64 | SHA256:734F2F126784C01C8710ED7FA761BC8804171A2222A5F504E1D79E6D3B07294A | |||
3272 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0 | binary | |
MD5:7F52051D1B434EAA1FA86BFCD7C8022A | SHA256:1B72433999F24C049BFDBDAD8C0925BA75F6EA3BEBA7F31A22ABD869D2369FA1 | |||
3272 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0 | binary | |
MD5:93FBC0B5ACA3D17FA257D0EA5CC09ECE | SHA256:71C467CE742EEDF41159545104D574002289FE6A922B0696B3F9A3090A7D0696 | |||
3272 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0 | binary | |
MD5:2A9FAB75A27FDB9305828EB8877EEFBC | SHA256:C7AC3CD46D1E2E7CEA9A640E1A7CBDCD0E111888F99B49DE1AD8BA92A5FF46AF | |||
3272 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0 | binary | |
MD5:CECF7CD5FA185FB2F19C6FE6F9D6236E | SHA256:385D94172CF92F0362E8F6E3350B0F25CD14881622979F7E78DC22B08A5A7F6A | |||
3272 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0 | binary | |
MD5:1B1C0FC8C07FD6D7727A9D4274DC0A32 | SHA256:88EF07C70A3DF3277E197F56606358D88464AC506C13CF8F63365FDF9CDEF4A2 | |||
3272 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fd17b2d8331c91e8_0 | binary | |
MD5:349F32BBD5913F85CE1A3B89B4355827 | SHA256:E957A7E87579E6F2B52498ACA2D6DA44868698686BE95E5844E97394A2268572 | |||
3272 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0 | binary | |
MD5:19A9CFB6B8C77DDC4B39D4049D26B62B | SHA256:63F4CB306433F470A2702A4ED24E93CB49C61DEA8DCC59B6ABE7CA3BC704E64C | |||
3272 | RdrCEF.exe | C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0 | binary | |
MD5:2641439EBA76FBCA6F3503B7EA57F3BA | SHA256:D713F174D12BFA7F55C317D769117F49FF038F98A282410AD4A5FB2D14A1EE91 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1068 | AcroRd32.exe | GET | 404 | 92.123.195.41:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7322b08da995a2b4 | unknown | xml | 341 b | whitelisted |
1068 | AcroRd32.exe | GET | 404 | 92.123.194.153:80 | http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/279_20_13_20064.zip | unknown | xml | 341 b | whitelisted |
3600 | AdobeARM.exe | GET | 404 | 2.18.233.74:80 | http://armmf.adobe.com/arm-manifests/win/ReaderDCManifest3.msi | unknown | xml | 341 b | whitelisted |
1068 | AcroRd32.exe | GET | 404 | 92.123.194.153:80 | http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/277_20_13_20064.zip | unknown | xml | 341 b | whitelisted |
1096 | svchost.exe | GET | 404 | 8.250.197.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f6177794a77d6985 | US | xml | 341 b | whitelisted |
3600 | AdobeARM.exe | GET | 404 | 2.18.233.74:80 | http://armmf.adobe.com/arm-manifests/win/ServicesUpdater/DC/RdrManifest3.msi | unknown | xml | 341 b | whitelisted |
1068 | AcroRd32.exe | GET | 404 | 92.123.194.153:80 | http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/message.zip | unknown | xml | 341 b | whitelisted |
1068 | AcroRd32.exe | GET | 404 | 92.123.194.153:80 | http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/280_20_13_20064.zip | unknown | xml | 341 b | whitelisted |
1068 | AcroRd32.exe | GET | 404 | 92.123.194.153:80 | http://acroipm2.adobe.com/20/rdr/ENU/win/nooem/none/consumer/281_20_13_20064.zip | unknown | xml | 341 b | whitelisted |
1068 | AcroRd32.exe | GET | 404 | 8.253.129.204:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d8e5f399b50e38d0 | US | xml | 341 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3272 | RdrCEF.exe | 104.102.28.179:443 | geo2.adobe.com | Akamai Technologies, Inc. | US | unknown |
— | — | 34.237.241.83:443 | p13n.adobe.io | Amazon.com, Inc. | US | unknown |
— | — | 104.79.88.64:443 | armmf.adobe.com | Time Warner Cable Internet LLC | US | suspicious |
— | — | 104.102.28.179:443 | geo2.adobe.com | Akamai Technologies, Inc. | US | unknown |
1068 | AcroRd32.exe | 92.123.195.41:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | whitelisted |
1068 | AcroRd32.exe | 92.123.194.153:443 | acroipm2.adobe.com | Akamai International B.V. | — | suspicious |
1068 | AcroRd32.exe | 8.253.129.204:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | unknown |
— | — | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
3600 | AdobeARM.exe | 8.250.197.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
1068 | AcroRd32.exe | 92.123.194.153:80 | acroipm2.adobe.com | Akamai International B.V. | — | suspicious |
Domain | IP | Reputation |
---|---|---|
geo2.adobe.com |
| whitelisted |
p13n.adobe.io |
| whitelisted |
armmf.adobe.com |
| whitelisted |
acroipm2.adobe.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
— | — | Potentially Bad Traffic | ET INFO TLS Handshake Failure |