Malware analysis Sam Nunnerley's message.pdf Malicious activity

Add for printing

File name:	Sam Nunnerley's message.pdf
Full analysis:	https://app.any.run/tasks/73689e86-3dcd-478f-b984-6a9bfa137e74
Verdict:	Malicious activity
Analysis date:	May 15, 2025, 13:32:20
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	generated-doc phishing phish-pdf connectwise rmm-tool screenconnect remote
Indicators:
MIME:	application/pdf
File info:	PDF document, version 1.4, 1 page(s)
MD5:	FD58338F290D8BBBF779EA1184DDCCF4
SHA1:	87833C1D270325D2C045917C997CCE6FC4B4E368
SHA256:	F1A5A11A707D5E72C2CA007EA289CE175D707509F48CB6D6D38900A00B133B81
SSDEEP:	1536:EBc539A4ekpvy/EWlfvDSHVjN+OE5Bb9U:R64ek6/E23DsVZiPby

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- SCREENCONNECT has been detected (SURICATA)
  - ScreenConnect.ClientService.exe (PID: 6660)
SUSPICIOUS
- Executable content was dropped or overwritten
  - rundll32.exe (PID: 8976)
- Connects to unusual port
  - ScreenConnect.ClientService.exe (PID: 6660)
- Executes as Windows Service
  - ScreenConnect.ClientService.exe (PID: 6660)
  - VSSVC.exe (PID: 6004)
- Potential Corporate Privacy Violation
  - ScreenConnect.ClientService.exe (PID: 6660)
- Screenconnect has been detected
  - ScreenConnect.ClientService.exe (PID: 6660)
INFO
- Application launched itself
  - msedge.exe (PID: 5956)
  - Acrobat.exe (PID: 7436)
  - AcroCEF.exe (PID: 8028)
- Checks supported languages
  - identity_helper.exe (PID: 8996)
  - MSsharepointSetupx64_s_8DD8F776129D9EA-3-0_c_w_.ClientSetup.exe (PID: 8416)
  - msiexec.exe (PID: 8916)
  - msiexec.exe (PID: 1912)
- Manual execution by a user
  - MSsharepointSetupx64_s_8DD8F776129D9EA-3-0_c_w_.ClientSetup.exe (PID: 300)
  - MSsharepointSetupx64_s_8DD8F776129D9EA-3-0_c_w_.ClientSetup.exe (PID: 8416)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 5956)
  - msedge.exe (PID: 7876)
  - msiexec.exe (PID: 5084)
  - msiexec.exe (PID: 1912)
- Process checks computer location settings
  - MSsharepointSetupx64_s_8DD8F776129D9EA-3-0_c_w_.ClientSetup.exe (PID: 8416)
- Create files in a temporary directory
  - MSsharepointSetupx64_s_8DD8F776129D9EA-3-0_c_w_.ClientSetup.exe (PID: 8416)
  - rundll32.exe (PID: 8976)
- Reads the computer name
  - msiexec.exe (PID: 1912)
  - msiexec.exe (PID: 8916)
  - MSsharepointSetupx64_s_8DD8F776129D9EA-3-0_c_w_.ClientSetup.exe (PID: 8416)
- CONNECTWISE has been detected
  - msiexec.exe (PID: 5084)
- Manages system restore points
  - SrTasks.exe (PID: 4220)
- Reads the machine GUID from the registry
  - MSsharepointSetupx64_s_8DD8F776129D9EA-3-0_c_w_.ClientSetup.exe (PID: 8416)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.pdf	\|	Adobe Portable Document Format (100)

EXIF

PDF

PDFVersion:	1.4
Linearized:	No
PageCount:	1
TaggedPDF:	Yes
Language:	en-US
Creator:	Chromium
Producer:	Skia/PDF m133
CreateDate:	2025:05:15 00:38:19+00:00
ModifyDate:	2025:05:15 00:38:19+00:00

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

208

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

300

"C:\Users\admin\Downloads\MSsharepointSetupx64_s_8DD8F776129D9EA-3-0_c_w_.ClientSetup.exe"

C:\Users\admin\Downloads\MSsharepointSetupx64_s_8DD8F776129D9EA-3-0_c_w_.ClientSetup.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\downloads\mssharepointsetupx64_s_8dd8f776129d9ea-3-0_c_w_.clientsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

1056

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7764 --field-trial-handle=2408,i,578233166668564016,5540602689949082673,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1188

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2656 --field-trial-handle=1652,i,11435926583795308620,11537393089553773287,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1276

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2028 --field-trial-handle=1652,i,11435926583795308620,11537393089553773287,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1280

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --first-renderer-process --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2260 --field-trial-handle=1652,i,11435926583795308620,11537393089553773287,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

1912

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2968

"C:\Program Files (x86)\ScreenConnect Client (08d4cd2697dd571c)\ScreenConnect.WindowsClient.exe" "RunRole" "8be7b022-a69c-44ec-bd33-f5adb8898069" "User"

C:\Program Files (x86)\ScreenConnect Client (08d4cd2697dd571c)\ScreenConnect.WindowsClient.exe

—

ScreenConnect.ClientService.exe

User:

admin

Company:

ScreenConnect Software

Integrity Level:

MEDIUM

Description:

ScreenConnect Client

Version:

25.2.4.9229

Modules

Images
c:\program files (x86)\screenconnect client (08d4cd2697dd571c)\screenconnect.windowsclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

4220

C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11

C:\Windows\System32\SrTasks.exe

—

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Windows System Protection background tasks.

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

4424

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3576 --field-trial-handle=2408,i,578233166668564016,5540602689949082673,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5048

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

27 033

Read events

26 626

Write events

388

Delete events

Modification events


(PID) Process:	(7436) Acrobat.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:	write	Name:	DisplayName
Value: Adobe Acrobat Reader Protected Mode
(PID) Process:	(7580) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:	write	Name:	bLastExitNormal
Value: 0
(PID) Process:	(7580) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	bSynchronizeOPL
Value: 0
(PID) Process:	(7580) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:	write	Name:	uLastAppLaunchTimeStamp
Value:
(PID) Process:	(7580) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral
Operation:	write	Name:	iNumAcrobatLaunches
Value: 7
(PID) Process:	(7580) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\NoTimeOut
Operation:	write	Name:	smailto
Value: 5900
(PID) Process:	(7580) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ToolsSearch
Operation:	write	Name:	iSearchHintIndex
Value: 3
(PID) Process:	(7580) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection
Operation:	write	Name:	bBlockDLLInjection
Value: 0
(PID) Process:	(7580) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AdobeViewer
Operation:	delete value	Name:	ProductInfoCache
Value:
(PID) Process:	(7580) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AdobeViewer
Operation:	write	Name:	EULAAcceptedForBrowser
Value: 1

Add for printing

Executable files

Suspicious files

460

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7580	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING		binary
		MD5:DC84B0D741E5BEAE8070013ADDCC8C28	SHA256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
7580	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal		binary
		MD5:6146F7CF95B36D2DA0E10AB6853B1DD4	SHA256:05D978FDC6DFACEF2AB36C8D5D9B308B944D91452A9386DBBCF13EA2DA2C76AB
8028	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old		text
		MD5:2EF1F7C0782D1A46974286420D24F629	SHA256:D3A9BB7E09E1F4B0C41FF7808E930DDACF5DB3BACD98ECCF5BC7DB4863D1FCF5
7580	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json		binary
		MD5:837C1211E392A24D64C670DC10E8DA1B	SHA256:8013AC030684B86D754BBFBAB8A9CEC20CAA4DD9C03022715FF353DC10E14031
7580	Acrobat.exe	C:\Users\admin\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.1.20093.6 2025-05-15 13-32-32-146.log		text
		MD5:460C6041966002D8384A18C895A65EB0	SHA256:C83EC6E8FB3EC62481289C033238C1D9B08DB8076EAAD304099FD7A7F594F1B9
8028	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0		binary
		MD5:A9338302D6A49F414A5B78037BA8A247	SHA256:53457BF5D4A69C775E48D102C499DCFB7E8519FA018CA06BADF0565A2DD7E902
7580	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents		binary
		MD5:E3DFF605FDE181C99AD0124033CF9C87	SHA256:6EAB19E21BD1B95E1E5713B0EBE20A90B678FF8962A9BE925053FD7007CF20E0
8028	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0		binary
		MD5:C92D2FCE5B1384C364FB3C66B441E615	SHA256:2091EFAF75EF8BF6DF40AC7F123B5CA7146A88DC06B7A514439EE2053AB752FD
8028	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0		binary
		MD5:23EA459076F7229C372B0A2320937C67	SHA256:95D8AB6DEC134BE5F2E222C4F36F888F15BBCC56317F008A159E7E24296FB68E
8028	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old		text
		MD5:8412AEEF2309E13FC954061D9BCEFFF4	SHA256:D062D7B5DF5F3BCB753E97AB5D1DCD9CF62058D9103DA383DBE1F482FC1D4644

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2240	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7756	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cbc98ff-b69b-4fda-ad94-17ec2f9cf48b?P1=1747825846&P2=404&P3=2&P4=Zmq5K2cWyjsEsxg2UYq1wRKMXNYztPPt2AHOsDK1lobzf8XRNDgAUbiIC4U3UJwW3%2bOyF7gVYCZAOiXW3ZVp9A%3d%3d	unknown	—	—	whitelisted
7756	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cbc98ff-b69b-4fda-ad94-17ec2f9cf48b?P1=1747825846&P2=404&P3=2&P4=Zmq5K2cWyjsEsxg2UYq1wRKMXNYztPPt2AHOsDK1lobzf8XRNDgAUbiIC4U3UJwW3%2bOyF7gVYCZAOiXW3ZVp9A%3d%3d	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7756	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cbc98ff-b69b-4fda-ad94-17ec2f9cf48b?P1=1747825846&P2=404&P3=2&P4=Zmq5K2cWyjsEsxg2UYq1wRKMXNYztPPt2AHOsDK1lobzf8XRNDgAUbiIC4U3UJwW3%2bOyF7gVYCZAOiXW3ZVp9A%3d%3d	unknown	—	—	whitelisted
7436	Acrobat.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D	unknown	—	—	whitelisted
7756	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cbc98ff-b69b-4fda-ad94-17ec2f9cf48b?P1=1747825846&P2=404&P3=2&P4=Zmq5K2cWyjsEsxg2UYq1wRKMXNYztPPt2AHOsDK1lobzf8XRNDgAUbiIC4U3UJwW3%2bOyF7gVYCZAOiXW3ZVp9A%3d%3d	unknown	—	—	whitelisted
7756	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/5cbc98ff-b69b-4fda-ad94-17ec2f9cf48b?P1=1747825846&P2=404&P3=2&P4=Zmq5K2cWyjsEsxg2UYq1wRKMXNYztPPt2AHOsDK1lobzf8XRNDgAUbiIC4U3UJwW3%2bOyF7gVYCZAOiXW3ZVp9A%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
—	—	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
2104	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2112	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
1276	AcroCEF.exe	92.123.16.204:443	geo2.adobe.com	AKAMAI-AS	AT	whitelisted
1276	AcroCEF.exe	34.193.227.236:443	p13n.adobe.io	AMAZON-AES	US	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.19.11.120 2.19.11.105	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
google.com	142.250.185.110	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
geo2.adobe.com	92.123.16.204	whitelisted
p13n.adobe.io	34.193.227.236 107.22.247.231 54.144.73.197 18.207.85.246	whitelisted
login.live.com	40.126.31.131 20.190.159.71 40.126.31.2 20.190.159.130 20.190.159.128 40.126.31.69 20.190.159.73 40.126.31.71	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
config.edge.skype.com	13.107.43.16	whitelisted

Threats

PID	Process	Class	Message
7876	msedge.exe	Misc activity	ET INFO URL Shortening Service Domain in DNS Lookup (t .ly)
7876	msedge.exe	Misc activity	INFO [ANY.RUN] Possible short link service (t .ly)
7876	msedge.exe	Misc activity	INFO [ANY.RUN] Possible short link service (t .ly)
7876	msedge.exe	Misc activity	ET INFO URL Shortening Service Domain in DNS Lookup (t .ly)
6660	ScreenConnect.ClientService.exe	Potential Corporate Privacy Violation	REMOTE [ANY.RUN] ScreenConnect Server Response

Add for printing

No debug info

General Info

Sam Nunnerley's message.pdf

FD58338F290D8BBBF779EA1184DDCCF4

87833C1D270325D2C045917C997CCE6FC4B4E368

F1A5A11A707D5E72C2CA007EA289CE175D707509F48CB6D6D38900A00B133B81

1536:EBc539A4ekpvy/EWlfvDSHVjN+OE5Bb9U:R64ek6/E23DsVZiPby

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SCREENCONNECT has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Connects to unusual port

Executes as Windows Service

Potential Corporate Privacy Violation

Screenconnect has been detected

INFO

Application launched itself

Checks supported languages

Manual execution by a user

Executable content was dropped or overwritten

Process checks computer location settings

Create files in a temporary directory

Reads the computer name

CONNECTWISE has been detected

Manages system restore points

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

PDF

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings