File name:

#TU PEDIDO-20241211-5844.pdf

Full analysis: https://app.any.run/tasks/dc19556e-76b9-40be-9780-4e9091dd8d12
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 13, 2024, 18:32:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-scr
casbaneiro
loader
Indicators:
MIME: application/pdf
File info: PDF document, version 1.3, 1 page(s)
MD5:

E28140980144385792F6B2396EE0A42A

SHA1:

D32B896437FFE5D323DF44DA93F59E2FCE7B27F0

SHA256:

EC162A3379BE8FBDBB17DDD195FA09ABC52D087A23F4D0C73C0EA221FCBC3397

SSDEEP:

48:6HP7pNGvdpIwWTZEKuQMfb+urf+sU4+G70+GjQl4J6k:6HjpSstfuQNu+D4V01QeJB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • CASBANEIRO has been detected

      • cmd.exe (PID: 8788)
      • cmd.exe (PID: 8864)
      • cmd.exe (PID: 8620)
      • cmd.exe (PID: 8560)
      • cmd.exe (PID: 8544)
      • cmd.exe (PID: 8708)
      • cmd.exe (PID: 8712)
      • cmd.exe (PID: 8600)

    • Accesses name of a computer manufacturer via WMI (SCRIPT)

      • wscript.exe (PID: 8980)
      • wscript.exe (PID: 8732)

    • Accesses BIOS(Win32_BIOS, may evade sandboxes) via WMI (SCRIPT)

      • wscript.exe (PID: 8980)
      • wscript.exe (PID: 8732)

    • Gets script object from HTTP/HTTPS (SCRIPT)

      • wscript.exe (PID: 8980)
      • wscript.exe (PID: 8732)

    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 8980)
      • wscript.exe (PID: 8732)

  • SUSPICIOUS

    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 8788)
      • cmd.exe (PID: 8864)
      • cmd.exe (PID: 8900)
      • cmd.exe (PID: 8932)
      • wscript.exe (PID: 8980)
      • cmd.exe (PID: 8560)
      • cmd.exe (PID: 8640)
      • cmd.exe (PID: 8620)
      • wscript.exe (PID: 8732)
      • cmd.exe (PID: 7644)
      • cmd.exe (PID: 8544)
      • cmd.exe (PID: 8712)
      • cmd.exe (PID: 8708)
      • cmd.exe (PID: 8600)
      • cmd.exe (PID: 8376)
      • cmd.exe (PID: 8804)
      • cmd.exe (PID: 748)
      • cmd.exe (PID: 8484)
      • wscript.exe (PID: 8916)
      • wscript.exe (PID: 8968)

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 5540)
      • cmd.exe (PID: 8788)
      • cmd.exe (PID: 8864)
      • cmd.exe (PID: 8900)
      • mshta.exe (PID: 8424)
      • cmd.exe (PID: 8560)
      • cmd.exe (PID: 8640)
      • cmd.exe (PID: 8620)
      • mshta.exe (PID: 6368)
      • cmd.exe (PID: 8544)
      • cmd.exe (PID: 8600)
      • mshta.exe (PID: 9124)
      • cmd.exe (PID: 8712)
      • cmd.exe (PID: 8376)
      • cmd.exe (PID: 8804)
      • cmd.exe (PID: 8708)

    • The process executes VB scripts

      • cmd.exe (PID: 8932)
      • cmd.exe (PID: 7644)
      • cmd.exe (PID: 748)
      • cmd.exe (PID: 8484)

    • Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)

      • wscript.exe (PID: 8980)
      • wscript.exe (PID: 8732)

    • Application launched itself

      • cmd.exe (PID: 8900)
      • cmd.exe (PID: 8864)
      • cmd.exe (PID: 8560)
      • cmd.exe (PID: 8620)
      • cmd.exe (PID: 8788)
      • cmd.exe (PID: 8708)
      • cmd.exe (PID: 8544)
      • cmd.exe (PID: 8600)
      • cmd.exe (PID: 8712)
      • cmd.exe (PID: 8804)
      • cmd.exe (PID: 8376)
      • cmd.exe (PID: 8640)

    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 8980)
      • wscript.exe (PID: 8732)

    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 8980)

    • Accesses language version of the operating system installed via WMI (SCRIPT)

      • wscript.exe (PID: 8980)
      • wscript.exe (PID: 8732)

    • Accesses ComputerSystem(Win32_ComputerSystem) via WMI (SCRIPT)

      • wscript.exe (PID: 8980)
      • wscript.exe (PID: 8732)

    • Accesses computer name via WMI (SCRIPT)

      • wscript.exe (PID: 8980)
      • wscript.exe (PID: 8732)

    • Accesses domain name via WMI (SCRIPT)

      • wscript.exe (PID: 8980)
      • wscript.exe (PID: 8732)

    • Accesses operating system name via WMI (SCRIPT)

      • wscript.exe (PID: 8980)
      • wscript.exe (PID: 8732)

    • Accesses WMI object caption (SCRIPT)

      • wscript.exe (PID: 8980)
      • wscript.exe (PID: 8732)

    • Access Product Name via WMI (SCRIPT)

      • wscript.exe (PID: 8980)
      • wscript.exe (PID: 8732)

    • Gets computer name (SCRIPT)

      • wscript.exe (PID: 8980)
      • wscript.exe (PID: 8732)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7852)

    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 8732)

  • INFO

    • Application launched itself

      • Acrobat.exe (PID: 2956)
      • AcroCEF.exe (PID: 6856)
      • msedge.exe (PID: 6788)

    • The process uses the downloaded file

      • mshta.exe (PID: 5540)
      • msedge.exe (PID: 7848)
      • msedge.exe (PID: 6788)
      • cmd.exe (PID: 8932)
      • mshta.exe (PID: 8424)
      • WinRAR.exe (PID: 7852)
      • OpenWith.exe (PID: 8236)
      • mshta.exe (PID: 9124)
      • mshta.exe (PID: 6368)
      • msedge.exe (PID: 7472)
      • cmd.exe (PID: 8484)
      • cmd.exe (PID: 7644)

    • Sends debugging messages

      • Acrobat.exe (PID: 6240)
      • notepad++.exe (PID: 8856)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 6788)
      • WinRAR.exe (PID: 7852)
      • OpenWith.exe (PID: 8236)

    • Checks supported languages

      • identity_helper.exe (PID: 8148)

    • Reads Environment values

      • identity_helper.exe (PID: 8148)

    • Reads the computer name

      • identity_helper.exe (PID: 8148)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 5540)
      • mshta.exe (PID: 8424)
      • mshta.exe (PID: 9124)
      • mshta.exe (PID: 6368)

    • Checks proxy server information

      • mshta.exe (PID: 5540)
      • wscript.exe (PID: 8980)
      • mshta.exe (PID: 8424)
      • wscript.exe (PID: 8732)
      • mshta.exe (PID: 9124)
      • mshta.exe (PID: 6368)

    • Manual execution by a user

      • mshta.exe (PID: 8424)
      • notepad++.exe (PID: 8856)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 5192)

    • The sample compiled with english language support

      • msedge.exe (PID: 5192)

    • Reads security settings of Internet Explorer

      • OpenWith.exe (PID: 8236)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.pdf | Adobe Portable Document Format (100)

EXIF

PDF

PDFVersion: 1.3
Linearized: No
PageCount: 1
PageLayout: OneColumn
Producer: PyFPDF 1.7.2 http://pyfpdf.googlecode.com/
CreateDate: 2024:12:11 01:42:56
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
239
Monitored processes
111
Malicious processes
20
Suspicious processes
1

Behavior graph

Click at the process to see the details
start acrobat.exe acrobat.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs acrocef.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs mshta.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs #CASBANEIRO cmd.exe no specs conhost.exe no specs cmd.exe no specs #CASBANEIRO cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wscript.exe msedge.exe no specs msedge.exe no specs mshta.exe msedge.exe no specs msedge.exe no specs #CASBANEIRO cmd.exe no specs conhost.exe no specs cmd.exe no specs #CASBANEIRO cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wscript.exe msedge.exe no specs msedge.exe no specs notepad++.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs openwith.exe no specs msedge.exe iexplore.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs mshta.exe mshta.exe #CASBANEIRO cmd.exe no specs #CASBANEIRO cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs #CASBANEIRO cmd.exe no specs #CASBANEIRO cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wscript.exe no specs wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
748c:\windows\system32\cmd.exe /c start C:\Users\Public\qrcxdQGrNIUPfsD.vbsC:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
968"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7644 --field-trial-handle=2132,i,14783774085514410767,17952103731011108343,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1140"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7576 --field-trial-handle=2132,i,14783774085514410767,17952103731011108343,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1760"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5556 --field-trial-handle=2132,i,14783774085514410767,17952103731011108343,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1828"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6212 --field-trial-handle=2132,i,14783774085514410767,17952103731011108343,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2100"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2660 --field-trial-handle=1344,i,4915583833688830571,12777759584228446656,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeAcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2600"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1720 --field-trial-handle=1344,i,4915583833688830571,12777759584228446656,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeAcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2788"C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Users\admin\Desktop\Archivo-wGdsTve-13122024183239.htaC:\Program Files\Internet Explorer\iexplore.exeOpenWith.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2956"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\admin\Desktop\#TU PEDIDO-20241211-5844.pdf"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
explorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrobat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2996"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2660 --field-trial-handle=2132,i,14783774085514410767,17952103731011108343,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
38 843
Read events
38 631
Write events
194
Delete events
18

Modification events

(PID) Process:(2956) Acrobat.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:writeName:DisplayName
Value:
Adobe Acrobat Reader Protected Mode
(PID) Process:(6240) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:writeName:bLastExitNormal
Value:
0
(PID) Process:(6240) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:writeName:sProductGUID
Value:
4143524F5F5245534944554500
(PID) Process:(2956) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AdobeViewer
Operation:delete valueName:ProductInfoCache
Value:
(PID) Process:(6240) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\SessionManagement
Operation:writeName:bNormalExit
Value:
0
(PID) Process:(6240) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\SessionManagement\cWindowsCurrent\cWin0\cTab0\cPathInfo
Operation:writeName:sDI
Value:
2F432F55736572732F61646D696E2F4465736B746F702F2354552050454449444F2D32303234313231312D353834342E70646600
(PID) Process:(6240) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\SessionManagement\cWindowsCurrent\cWin0\cTab0\cPathInfo
Operation:writeName:tDIText
Value:
/C/Users/admin/Desktop/#TU PEDIDO-20241211-5844.pdf
(PID) Process:(6240) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\SessionManagement\cWindowsCurrent\cWin0\cTab0\cPathInfo
Operation:writeName:aFS
Value:
DOS
(PID) Process:(6240) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\SessionManagement\cWindowsCurrent\cWin0\cTab0
Operation:writeName:tfilename
Value:
#TU PEDIDO-20241211-5844.pdf
(PID) Process:(6240) Acrobat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\SessionManagement\cWindowsCurrent\cWin0
Operation:writeName:iTabCount
Value:
1
Executable files
5
Suspicious files
592
Text files
114
Unknown types
5

Dropped files

PID
Process
Filename
Type
6240Acrobat.exeC:\Users\admin\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.1.20093.6 2024-12-13 18-32-31-623.logtext
MD5:460C6041966002D8384A18C895A65EB0
SHA256:C83EC6E8FB3EC62481289C033238C1D9B08DB8076EAAD304099FD7A7F594F1B9
6856AcroCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.oldtext
MD5:2EF1F7C0782D1A46974286420D24F629
SHA256:D3A9BB7E09E1F4B0C41FF7808E930DDACF5DB3BACD98ECCF5BC7DB4863D1FCF5
6240Acrobat.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTINGbinary
MD5:DC84B0D741E5BEAE8070013ADDCC8C28
SHA256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
6240Acrobat.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journalbinary
MD5:05347B4D62D7C5B6F40D3A7359399124
SHA256:1B1C027648F4CAC12E26EC59B1E4A14A45A8DAAAE59242A7FE898BEFCDAFF802
6856AcroCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old~RF1368ee.TMPtext
MD5:7383516745DEC1E86152192435F92D1F
SHA256:E22D34BBD915EEB277D4F4138D176EACE5577CF035EF7C2C80A4BC4D9B6C0E1D
6856AcroCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.oldtext
MD5:8412AEEF2309E13FC954061D9BCEFFF4
SHA256:D062D7B5DF5F3BCB753E97AB5D1DCD9CF62058D9103DA383DBE1F482FC1D4644
6856AcroCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.oldtext
MD5:EB1590F2607E1CE46DBF6A521F772EA0
SHA256:4355D9A8A115BA4E41178B456A8A5578846EB1F7EC9509249C2405F758F31731
6240Acrobat.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEventsbinary
MD5:326E59C66B2A241B9697AAEE0210A635
SHA256:B26DA023EF1FA3754EDBE3B30C2A9E3FB115752E955C506DF1EF85B02055584A
6240Acrobat.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6240ps
MD5:366B140BAFC863B7E366AA1E51604759
SHA256:CBC8B288DBD2C72432081CF33CEF431572A94C7FB89DBCD59973B99E3871814E
6856AcroCEF.exeC:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF1367f4.TMPtext
MD5:D012E5B4EB91B61F6E8AE2F8EC3C623E
SHA256:1BDA750084F20306722008016420E1912BA608CA8EFB9C661F7E7EFCF5E89673
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
62
TCP/UDP connections
133
DNS requests
105
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2956
Acrobat.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
whitelisted
5540
mshta.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5540
mshta.exe
GET
200
142.250.185.195:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
8256
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5540
mshta.exe
GET
200
18.245.38.41:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D
unknown
unknown
5540
mshta.exe
GET
200
142.250.185.195:80
http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEFb0R%2Bwhr1bcEEYbSW0kNmI%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3884
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.130:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.166
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.bing.com
  • 104.126.37.130
  • 104.126.37.179
  • 104.126.37.139
  • 104.126.37.146
  • 104.126.37.128
  • 104.126.37.123
  • 104.126.37.129
  • 104.126.37.136
  • 104.126.37.131
  • 104.126.37.186
  • 104.126.37.169
  • 104.126.37.185
  • 104.126.37.163
  • 104.126.37.168
  • 104.126.37.171
  • 104.126.37.184
  • 104.126.37.162
  • 104.126.37.177
  • 104.126.37.137
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.140
  • 40.126.32.136
  • 20.190.160.22
  • 40.126.32.74
  • 40.126.32.72
  • 40.126.32.133
  • 20.190.160.20
  • 40.126.32.134
whitelisted
go.microsoft.com
  • 23.213.166.81
  • 184.28.89.167
whitelisted
geo2.adobe.com
  • 23.213.164.167
whitelisted
p13n.adobe.io
  • 34.237.241.83
  • 50.16.47.176
  • 54.224.241.105
  • 18.213.11.84
whitelisted

Threats

No threats detected
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
VerifyLibrary: error while getting certificate informations
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
#TU PEDIDO-20241211-5844.pdf