Malware analysis f555f39b7a32994ab52869fc49b03f87c426db8f18800c1497000d76fb0e2552.msc Malicious activity

Add for printing

File name:	f555f39b7a32994ab52869fc49b03f87c426db8f18800c1497000d76fb0e2552.msc
Full analysis:	https://app.any.run/tasks/78608070-2df5-4a70-a2fe-a60a093c8975
Verdict:	Malicious activity
Analysis date:	December 03, 2024, 08:40:01
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	grimresources
Indicators:
MIME:	text/xml
File info:	XML 1.0 document, ASCII text, with very long lines (22772), with CRLF line terminators
MD5:	1E7E6A3F8E9C66204109F5F8952C9DE2
SHA1:	3248685DB1439172AE323041380CB55C3F22CD95
SHA256:	F555F39B7A32994AB52869FC49B03F87C426DB8F18800C1497000D76FB0E2552
SSDEEP:	24576:GnQWDxzUUEr1NKEsP6pWXkX3BO6FTdYaxT15g+jPg3oaAmS91uk1Y4Hj4Qh0h+Wq:oBDxzU5KM4K3s6FP5grSbYQO761

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: on
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- GRIMRESOURCES has been detected (YARA)
  - mmc.exe (PID: 1580)
SUSPICIOUS
- Connects to unusual port
  - GUP.exe (PID: 3812)
- Executable content was dropped or overwritten
  - mmc.exe (PID: 1580)
INFO
- Application launched itself
  - Acrobat.exe (PID: 5008)
  - AcroCEF.exe (PID: 6248)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.svg	\|	Scalable Vector Graphics (var.3) (52.7)
.smi	\|	Synchronized Multimedia Integration Language (18.1)
.xml	\|	Generic XML (ASCII) (18.1)
.html	\|	HyperText Markup Language (10.9)

EXIF

XMP

MMC_ConsoleFileConsoleVersion:	3
MMC_ConsoleFileProgramMode:	UserSDI
MMC_ConsoleFileConsoleFileID:	a7bf8102-12e1-4226-aa6a-2ba71f6249d0
MMC_ConsoleFileFrameStateShowStatusBar:	-
MMC_ConsoleFileFrameStateWindowPlacementShowCommand:	SW_HIDE
MMC_ConsoleFileFrameStateWindowPlacementPointName:	MinPosition
MMC_ConsoleFileFrameStateWindowPlacementPointX:	-1
MMC_ConsoleFileFrameStateWindowPlacementPointY:	-1
MMC_ConsoleFileFrameStateWindowPlacementRectangleName:	NormalPosition
MMC_ConsoleFileFrameStateWindowPlacementRectangleTop:	-
MMC_ConsoleFileFrameStateWindowPlacementRectangleBottom:	-
MMC_ConsoleFileFrameStateWindowPlacementRectangleLeft:	-
MMC_ConsoleFileFrameStateWindowPlacementRectangleRight:	-
MMC_ConsoleFileViewsViewId:	1
MMC_ConsoleFileViewsViewScopePaneWidth:	-
MMC_ConsoleFileViewsViewActionsPaneWidth:	-1
MMC_ConsoleFileViewsViewBookMarkName:	RootNode
MMC_ConsoleFileViewsViewBookMarkNodeID:	1
MMC_ConsoleFileViewsViewWindowPlacementWpfRestoretomaximized:
MMC_ConsoleFileViewsViewWindowPlacementShowCommand:	SW_HIDE
MMC_ConsoleFileViewsViewWindowPlacementPointName:	MinPosition
MMC_ConsoleFileViewsViewWindowPlacementPointX:	-1
MMC_ConsoleFileViewsViewWindowPlacementPointY:	-1
MMC_ConsoleFileViewsViewWindowPlacementRectangleName:	NormalPosition
MMC_ConsoleFileViewsViewWindowPlacementRectangleTop:	-
MMC_ConsoleFileViewsViewWindowPlacementRectangleBottom:	-
MMC_ConsoleFileViewsViewWindowPlacementRectangleLeft:	-
MMC_ConsoleFileViewsViewWindowPlacementRectangleRight:	-
MMC_ConsoleFileViewsViewViewOptionsViewMode:	Report
MMC_ConsoleFileViewsViewViewOptionsScopePaneVisible:
MMC_ConsoleFileViewsViewViewOptionsActionsPaneVisible:	-
MMC_ConsoleFileViewsViewViewOptionsDescriptionBarVisible:	-
MMC_ConsoleFileViewsViewViewOptionsDefaultColumn0Width:	200
MMC_ConsoleFileViewsViewViewOptionsDefaultColumn1Width:	-
MMC_ConsoleFileVisualAttributesIconIndex:	13
MMC_ConsoleFileVisualAttributesIconFile:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
MMC_ConsoleFileVisualAttributesIconImageName:	Large
MMC_ConsoleFileVisualAttributesIconImageBinaryRefIndex:	2
MMC_ConsoleFileFavoritesFavoriteType:	Group
MMC_ConsoleFileFavoritesFavoriteStringName:	Name
MMC_ConsoleFileFavoritesFavoriteStringId:	1
MMC_ConsoleFileFavoritesFavoriteFavorites:	-
MMC_ConsoleFileScopeTreeSnapinCacheSnapinClsid:	{C96401CC-0E17-11D3-885B-00C04F72C717}
MMC_ConsoleFileScopeTreeSnapinCacheSnapinAllExtensionsEnabled:
MMC_ConsoleFileScopeTreeNodesNodeId:	1
MMC_ConsoleFileScopeTreeNodesNodeImageIdx:	-
MMC_ConsoleFileScopeTreeNodesNodeClsid:	{C96401CC-0E17-11D3-885B-00C04F72C717}
MMC_ConsoleFileScopeTreeNodesNodePreload:
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeId:	13
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeImageIdx:	-
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeClsid:	{C96401D1-0E17-11D3-885B-00C04F72C717}
MMC_ConsoleFileScopeTreeNodesNodeNodesNodePreload:
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeNodes:	-
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeStringName:	Name
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeStringId:	38
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeComponentDatasComponentDataGuidName:	Snapin
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeComponentDatasComponentDataGuid:	{C96401D1-0E17-11D3-885B-00C04F72C717}
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeComponentDatasComponentDataStreamBinaryRefIndex:	-
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeComponents:	-
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeComponentsComponentViewID:	1
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeComponentsComponentGuidName:	Snapin
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeComponentsComponentGuid:	{C96401CF-0E17-11D3-885B-00C04F72C717}
MMC_ConsoleFileScopeTreeNodesNodeStringName:	Name
MMC_ConsoleFileScopeTreeNodesNodeStringId:	10
MMC_ConsoleFileScopeTreeNodesNodeComponentDatasComponentDataGuidName:	Snapin
MMC_ConsoleFileScopeTreeNodesNodeComponentDatasComponentDataGuid:	{C96401CC-0E17-11D3-885B-00C04F72C717}
MMC_ConsoleFileScopeTreeNodesNodeComponents:	-
MMC_ConsoleFileConsoleTaskpads:	-
MMC_ConsoleFileViewSettingsCache:	-
MMC_ConsoleFileColumnSettingsCache:	-
MMC_ConsoleFileStringTablesIdentifierPoolAbsoluteMin:	1
MMC_ConsoleFileStringTablesIdentifierPoolAbsoluteMax:	65535
MMC_ConsoleFileStringTablesIdentifierPoolNextAvailable:	40
MMC_ConsoleFileStringTablesStringTableGuid:	{71E5B33E-1064-11D2-808F-0000F875A9CE}
MMC_ConsoleFileStringTablesStringTableStringsStringId:	1
MMC_ConsoleFileStringTablesStringTableStringsStringRefs:	1
MMC_ConsoleFileStringTablesStringTableStringsString:	Favorites
MMC_ConsoleFileBinaryStorageBinary:	(Binary data 28 bytes, use -b option to extract)
MMC_ConsoleFileBinaryStorageBinaryName:	CONSOLE_FILE_ICON_LARGE

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

138

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1580

"C:\WINDOWS\system32\mmc.exe" C:\Users\admin\Desktop\f555f39b7a32994ab52869fc49b03f87c426db8f18800c1497000d76fb0e2552.msc

C:\Windows\System32\mmc.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Management Console

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2168

"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" --type=renderer /prefetch:1 "C:\Users\admin\AppData\Local\Temp\关于组织参加第八届“强网杯”全国网络安全挑战赛的通知（11月2日至3日举行线上赛）.pdf"

C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

—

Acrobat.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe Acrobat

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrobat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

3812

"C:\Program Files\Cloudflare\GUP.exe" t 8.8.8.8

C:\Program Files\Cloudflare\GUP.exe

mmc.exe

User:

admin

Company:

Don HO don.h@free.fr

Integrity Level:

HIGH

Description:

WinGup for Notepad++

Exit code:

Version:

5.3

Modules

Images
c:\program files\cloudflare\gup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

5008

"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\admin\AppData\Local\Temp\关于组织参加第八届“强网杯”全国网络安全挑战赛的通知（11月2日至3日举行线上赛）.pdf"

C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

mmc.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

HIGH

Description:

Adobe Acrobat

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrobat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

5628

"C:\WINDOWS\system32\mmc.exe" C:\Users\admin\Desktop\f555f39b7a32994ab52869fc49b03f87c426db8f18800c1497000d76fb0e2552.msc

C:\Windows\System32\mmc.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Management Console

Exit code:

3221226540

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll

6248

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16514043

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

Acrobat.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6340

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1508 --field-trial-handle=1612,i,17157022830096921681,5322769165359790020,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6432

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2072 --field-trial-handle=1612,i,17157022830096921681,5322769165359790020,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6440

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1612,i,17157022830096921681,5322769165359790020,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6448

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --first-renderer-process --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2324 --field-trial-handle=1612,i,17157022830096921681,5322769165359790020,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

11 138

Read events

11 113

Write events

Delete events

Modification events


(PID) Process:	(1580) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1580) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1580) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1580) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation:	write	Name:	Acrobat.Document.DC
Value:
(PID) Process:	(1580) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
Operation:	write	Name:	Version
Value: WS not running
(PID) Process:	(1580) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	DisableFirstRunCustomize
Value: 1
(PID) Process:	(5008) Acrobat.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:	write	Name:	DisplayName
Value: Adobe Acrobat Reader Protected Mode
(PID) Process:	(5008) Acrobat.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Acrobatbrokerserverdispatchercpp789
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2168) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:	write	Name:	bLastExitNormal
Value: 0
(PID) Process:	(2168) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	bSynchronizeOPL
Value: 0

Add for printing

Executable files

Suspicious files

142

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1580	mmc.exe	C:\Users\admin\AppData\Local\Temp\关于组织参加第八届“强网杯”全国网络安全挑战赛的通知（11月2日至3日举行线上赛）.pdf		pdf
		MD5:1D6FA884E426FA4E4C7ACEC2F19D5941	SHA256:8807FFEB0261DB31FE5DD59043F27AE27F39B7460C4AAADB6E8080F34670C8AF
2168	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json		binary
		MD5:837C1211E392A24D64C670DC10E8DA1B	SHA256:8013AC030684B86D754BBFBAB8A9CEC20CAA4DD9C03022715FF353DC10E14031
1580	mmc.exe	C:\Program Files\Cloudflare\libcurl.dll		executable
		MD5:D59BF02E2F9489BFF456E4FE4D3A6C58	SHA256:78C4F01DA5086A410BDC63CB62CD0F61712668BEC3EBA6EFD5BA2F6D9E543FB6
6248	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old~RF137487.TMP		text
		MD5:ED7D8AAE48211E2BFAF557130572C62A	SHA256:A5CF8D8ADC86DCA357396AF7E3A24A116072D5C1E5552EEB76601AE2673DED6E
1580	mmc.exe	C:\Program Files\Cloudflare\GUP.exe		executable
		MD5:6D3904CD8ECC9127DFD7E0A5C4FB9098	SHA256:D766E852367B4306548DD3DA8ABE93175732AF2052369155C48D958556DCCDE4
2168	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING		binary
		MD5:DC84B0D741E5BEAE8070013ADDCC8C28	SHA256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
2168	Acrobat.exe	C:\Users\admin\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.1.20093.6 2024-12-03 08-40-13-753.log		text
		MD5:460C6041966002D8384A18C895A65EB0	SHA256:C83EC6E8FB3EC62481289C033238C1D9B08DB8076EAAD304099FD7A7F594F1B9
6248	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old		text
		MD5:2EF1F7C0782D1A46974286420D24F629	SHA256:D3A9BB7E09E1F4B0C41FF7808E930DDACF5DB3BACD98ECCF5BC7DB4863D1FCF5
3812	GUP.exe	C:\Windows\SysWOW64\gup.xml		xml
		MD5:116878A2647BCC21FA7EE6D9EBF3126C	SHA256:3A8C12E021D292232AEFBC93985316902E3901C455E88330ACEDF56C358AA951
2168	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents		binary
		MD5:D22388AFF0697F2BE8E6FCDF90C02AF2	SHA256:FC7D51B9473591E3DE10663A5D52EE36B97FDDA76228553F13B607AB6FE9F5D5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5008	Acrobat.exe	GET	404	2.20.245.141:80	http://acroipm2.adobe.com/23/rdr_64x/ENU/win/nooem/none/consumer/message.zip	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3812	GUP.exe	192.168.57.119:6000	—	—	—	unknown
3976	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2992	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6440	AcroCEF.exe	2.19.228.131:443	geo2.adobe.com	AKAMAI-AS	FR	whitelisted
6440	AcroCEF.exe	34.237.241.83:443	p13n.adobe.io	AMAZON-AES	US	whitelisted
6440	AcroCEF.exe	95.101.148.135:443	armmf.adobe.com	Akamai International B.V.	NL	whitelisted
5008	Acrobat.exe	2.20.245.141:443	acroipm2.adobe.com	Akamai International B.V.	SE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
www.bing.com	2.23.209.156 2.23.209.159 2.23.209.152 2.23.209.150 2.23.209.158 2.23.209.153 2.23.209.144 2.23.209.157 2.23.209.154	whitelisted
google.com	142.250.181.238	whitelisted
geo2.adobe.com	2.19.228.131	whitelisted
p13n.adobe.io	34.237.241.83 54.224.241.105 18.213.11.84 50.16.47.176	whitelisted
armmf.adobe.com	95.101.148.135	whitelisted
acroipm2.adobe.com	2.20.245.141 2.20.245.133	whitelisted
login.live.com	40.126.31.73 20.190.159.73 20.190.159.71 40.126.31.67 20.190.159.0 40.126.31.71 20.190.159.23 20.190.159.68	whitelisted
go.microsoft.com	2.19.230.153	whitelisted
arc.msn.com	20.223.36.55	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

f555f39b7a32994ab52869fc49b03f87c426db8f18800c1497000d76fb0e2552.msc

1E7E6A3F8E9C66204109F5F8952C9DE2

3248685DB1439172AE323041380CB55C3F22CD95

F555F39B7A32994AB52869FC49B03F87C426DB8F18800C1497000D76FB0E2552

24576:GnQWDxzUUEr1NKEsP6pWXkX3BO6FTdYaxT15g+jPg3oaAmS91uk1Y4Hj4Qh0h+Wq:oBDxzU5KM4K3s6FP5grSbYQO761

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GRIMRESOURCES has been detected (YARA)

SUSPICIOUS

Connects to unusual port

Executable content was dropped or overwritten

INFO

Application launched itself

Malware configuration

Static information

TRiD

EXIF

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings