Malware analysis f555f39b7a32994ab52869fc49b03f87c426db8f18800c1497000d76fb0e2552.msc Malicious activity

Add for printing

File name:	f555f39b7a32994ab52869fc49b03f87c426db8f18800c1497000d76fb0e2552.msc
Full analysis:	https://app.any.run/tasks/d48220ab-91ab-45aa-995e-5efd1e35ffd2
Verdict:	Malicious activity
Analysis date:	December 03, 2024, 08:32:13
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	grimresources
Indicators:
MIME:	text/xml
File info:	XML 1.0 document, ASCII text, with very long lines (22772), with CRLF line terminators
MD5:	1E7E6A3F8E9C66204109F5F8952C9DE2
SHA1:	3248685DB1439172AE323041380CB55C3F22CD95
SHA256:	F555F39B7A32994AB52869FC49B03F87C426DB8F18800C1497000D76FB0E2552
SSDEEP:	24576:GnQWDxzUUEr1NKEsP6pWXkX3BO6FTdYaxT15g+jPg3oaAmS91uk1Y4Hj4Qh0h+Wq:oBDxzU5KM4K3s6FP5grSbYQO761

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: on
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Creates a new folder (SCRIPT)
  - mmc.exe (PID: 4128)
- Uses base64 encoding (SCRIPT)
  - mmc.exe (PID: 4128)
- Detects the decoding of a binary file from Base64 (SCRIPT)
  - mmc.exe (PID: 4128)
- GRIMRESOURCES has been detected (YARA)
  - mmc.exe (PID: 4128)
SUSPICIOUS
- Creates FileSystem object to access computer's file system (SCRIPT)
  - mmc.exe (PID: 4128)
- Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)
  - mmc.exe (PID: 4128)
- Runs shell command (SCRIPT)
  - mmc.exe (PID: 4128)
- Writes binary data to a Stream object (SCRIPT)
  - mmc.exe (PID: 4128)
- Sets XML DOM element text (SCRIPT)
  - mmc.exe (PID: 4128)
- Saves data to a binary file (SCRIPT)
  - mmc.exe (PID: 4128)
- Executable content was dropped or overwritten
  - mmc.exe (PID: 4128)
- Connects to unusual port
  - GUP.exe (PID: 4540)
INFO
- Reads security settings of Internet Explorer
  - mmc.exe (PID: 4128)
- Application launched itself
  - Acrobat.exe (PID: 5032)
  - AcroCEF.exe (PID: 2092)
- Checks supported languages
  - GUP.exe (PID: 4540)
- Reads the computer name
  - GUP.exe (PID: 4540)
- Sends debugging messages
  - Acrobat.exe (PID: 4980)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.svg	\|	Scalable Vector Graphics (var.3) (52.7)
.smi	\|	Synchronized Multimedia Integration Language (18.1)
.xml	\|	Generic XML (ASCII) (18.1)
.html	\|	HyperText Markup Language (10.9)

EXIF

XMP

MMC_ConsoleFileConsoleVersion:	3
MMC_ConsoleFileProgramMode:	UserSDI
MMC_ConsoleFileConsoleFileID:	a7bf8102-12e1-4226-aa6a-2ba71f6249d0
MMC_ConsoleFileFrameStateShowStatusBar:	-
MMC_ConsoleFileFrameStateWindowPlacementShowCommand:	SW_HIDE
MMC_ConsoleFileFrameStateWindowPlacementPointName:	MinPosition
MMC_ConsoleFileFrameStateWindowPlacementPointX:	-1
MMC_ConsoleFileFrameStateWindowPlacementPointY:	-1
MMC_ConsoleFileFrameStateWindowPlacementRectangleName:	NormalPosition
MMC_ConsoleFileFrameStateWindowPlacementRectangleTop:	-
MMC_ConsoleFileFrameStateWindowPlacementRectangleBottom:	-
MMC_ConsoleFileFrameStateWindowPlacementRectangleLeft:	-
MMC_ConsoleFileFrameStateWindowPlacementRectangleRight:	-
MMC_ConsoleFileViewsViewId:	1
MMC_ConsoleFileViewsViewScopePaneWidth:	-
MMC_ConsoleFileViewsViewActionsPaneWidth:	-1
MMC_ConsoleFileViewsViewBookMarkName:	RootNode
MMC_ConsoleFileViewsViewBookMarkNodeID:	1
MMC_ConsoleFileViewsViewWindowPlacementWpfRestoretomaximized:
MMC_ConsoleFileViewsViewWindowPlacementShowCommand:	SW_HIDE
MMC_ConsoleFileViewsViewWindowPlacementPointName:	MinPosition
MMC_ConsoleFileViewsViewWindowPlacementPointX:	-1
MMC_ConsoleFileViewsViewWindowPlacementPointY:	-1
MMC_ConsoleFileViewsViewWindowPlacementRectangleName:	NormalPosition
MMC_ConsoleFileViewsViewWindowPlacementRectangleTop:	-
MMC_ConsoleFileViewsViewWindowPlacementRectangleBottom:	-
MMC_ConsoleFileViewsViewWindowPlacementRectangleLeft:	-
MMC_ConsoleFileViewsViewWindowPlacementRectangleRight:	-
MMC_ConsoleFileViewsViewViewOptionsViewMode:	Report
MMC_ConsoleFileViewsViewViewOptionsScopePaneVisible:
MMC_ConsoleFileViewsViewViewOptionsActionsPaneVisible:	-
MMC_ConsoleFileViewsViewViewOptionsDescriptionBarVisible:	-
MMC_ConsoleFileViewsViewViewOptionsDefaultColumn0Width:	200
MMC_ConsoleFileViewsViewViewOptionsDefaultColumn1Width:	-
MMC_ConsoleFileVisualAttributesIconIndex:	13
MMC_ConsoleFileVisualAttributesIconFile:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
MMC_ConsoleFileVisualAttributesIconImageName:	Large
MMC_ConsoleFileVisualAttributesIconImageBinaryRefIndex:	2
MMC_ConsoleFileFavoritesFavoriteType:	Group
MMC_ConsoleFileFavoritesFavoriteStringName:	Name
MMC_ConsoleFileFavoritesFavoriteStringId:	1
MMC_ConsoleFileFavoritesFavoriteFavorites:	-
MMC_ConsoleFileScopeTreeSnapinCacheSnapinClsid:	{C96401CC-0E17-11D3-885B-00C04F72C717}
MMC_ConsoleFileScopeTreeSnapinCacheSnapinAllExtensionsEnabled:
MMC_ConsoleFileScopeTreeNodesNodeId:	1
MMC_ConsoleFileScopeTreeNodesNodeImageIdx:	-
MMC_ConsoleFileScopeTreeNodesNodeClsid:	{C96401CC-0E17-11D3-885B-00C04F72C717}
MMC_ConsoleFileScopeTreeNodesNodePreload:
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeId:	13
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeImageIdx:	-
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeClsid:	{C96401D1-0E17-11D3-885B-00C04F72C717}
MMC_ConsoleFileScopeTreeNodesNodeNodesNodePreload:
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeNodes:	-
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeStringName:	Name
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeStringId:	38
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeComponentDatasComponentDataGuidName:	Snapin
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeComponentDatasComponentDataGuid:	{C96401D1-0E17-11D3-885B-00C04F72C717}
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeComponentDatasComponentDataStreamBinaryRefIndex:	-
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeComponents:	-
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeComponentsComponentViewID:	1
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeComponentsComponentGuidName:	Snapin
MMC_ConsoleFileScopeTreeNodesNodeNodesNodeComponentsComponentGuid:	{C96401CF-0E17-11D3-885B-00C04F72C717}
MMC_ConsoleFileScopeTreeNodesNodeStringName:	Name
MMC_ConsoleFileScopeTreeNodesNodeStringId:	10
MMC_ConsoleFileScopeTreeNodesNodeComponentDatasComponentDataGuidName:	Snapin
MMC_ConsoleFileScopeTreeNodesNodeComponentDatasComponentDataGuid:	{C96401CC-0E17-11D3-885B-00C04F72C717}
MMC_ConsoleFileScopeTreeNodesNodeComponents:	-
MMC_ConsoleFileConsoleTaskpads:	-
MMC_ConsoleFileViewSettingsCache:	-
MMC_ConsoleFileColumnSettingsCache:	-
MMC_ConsoleFileStringTablesIdentifierPoolAbsoluteMin:	1
MMC_ConsoleFileStringTablesIdentifierPoolAbsoluteMax:	65535
MMC_ConsoleFileStringTablesIdentifierPoolNextAvailable:	40
MMC_ConsoleFileStringTablesStringTableGuid:	{71E5B33E-1064-11D2-808F-0000F875A9CE}
MMC_ConsoleFileStringTablesStringTableStringsStringId:	1
MMC_ConsoleFileStringTablesStringTableStringsStringRefs:	1
MMC_ConsoleFileStringTablesStringTableStringsString:	Favorites
MMC_ConsoleFileBinaryStorageBinary:	(Binary data 28 bytes, use -b option to extract)
MMC_ConsoleFileBinaryStorageBinaryName:	CONSOLE_FILE_ICON_LARGE

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

138

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2092

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16514043

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

Acrobat.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2440

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1464 --field-trial-handle=1588,i,13967554275598153531,4105123642290805241,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Exit code:

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

3508

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --first-renderer-process --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1588,i,13967554275598153531,4105123642290805241,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

3884

"C:\WINDOWS\system32\mmc.exe" C:\Users\admin\Desktop\f555f39b7a32994ab52869fc49b03f87c426db8f18800c1497000d76fb0e2552.msc

C:\Windows\System32\mmc.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Management Console

Exit code:

3221226540

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll

3952

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2124 --field-trial-handle=1588,i,13967554275598153531,4105123642290805241,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

—

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4128

"C:\WINDOWS\system32\mmc.exe" C:\Users\admin\Desktop\f555f39b7a32994ab52869fc49b03f87c426db8f18800c1497000d76fb0e2552.msc

C:\Windows\System32\mmc.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Management Console

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

4540

"C:\Program Files\Cloudflare\GUP.exe" t 8.8.8.8

C:\Program Files\Cloudflare\GUP.exe

mmc.exe

User:

admin

Company:

Don HO don.h@free.fr

Integrity Level:

HIGH

Description:

WinGup for Notepad++

Exit code:

Version:

5.3

Modules

Images
c:\program files\cloudflare\gup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

4980

"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" --type=renderer /prefetch:1 "C:\Users\admin\AppData\Local\Temp\关于组织参加第八届“强网杯”全国网络安全挑战赛的通知（11月2日至3日举行线上赛）.pdf"

C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

—

Acrobat.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe Acrobat

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrobat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

5032

"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\admin\AppData\Local\Temp\关于组织参加第八届“强网杯”全国网络安全挑战赛的通知（11月2日至3日举行线上赛）.pdf"

C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

mmc.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

HIGH

Description:

Adobe Acrobat

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrobat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

5732

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2148 --field-trial-handle=1588,i,13967554275598153531,4105123642290805241,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

AcroCEF.exe

User:

admin

Company:

Adobe Systems Incorporated

Integrity Level:

LOW

Description:

Adobe AcroCEF

Version:

23.1.20093.0

Modules

Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

11 157

Read events

11 132

Write events

Delete events

Modification events


(PID) Process:	(4128) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4128) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4128) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(4128) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids
Operation:	write	Name:	Acrobat.Document.DC
Value:
(PID) Process:	(4128) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
Operation:	write	Name:	Version
Value: WS not running
(PID) Process:	(4128) mmc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	DisableFirstRunCustomize
Value: 1
(PID) Process:	(5032) Acrobat.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934
Operation:	write	Name:	DisplayName
Value: Adobe Acrobat Reader Protected Mode
(PID) Process:	(5032) Acrobat.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Acrobatbrokerserverdispatchercpp789
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4980) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\ExitSection
Operation:	write	Name:	bLastExitNormal
Value: 0
(PID) Process:	(4980) Acrobat.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVEntitlement
Operation:	write	Name:	bSynchronizeOPL
Value: 0

Add for printing

Executable files

Suspicious files

143

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4128	mmc.exe	C:\Program Files\Cloudflare\libcurl.dll		executable
		MD5:D59BF02E2F9489BFF456E4FE4D3A6C58	SHA256:78C4F01DA5086A410BDC63CB62CD0F61712668BEC3EBA6EFD5BA2F6D9E543FB6
2092	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF1374d5.TMP		text
		MD5:D012E5B4EB91B61F6E8AE2F8EC3C623E	SHA256:1BDA750084F20306722008016420E1912BA608CA8EFB9C661F7E7EFCF5E89673
4980	Acrobat.exe	C:\Users\admin\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.1.20093.6 2024-12-03 08-32-26-591.log		text
		MD5:460C6041966002D8384A18C895A65EB0	SHA256:C83EC6E8FB3EC62481289C033238C1D9B08DB8076EAAD304099FD7A7F594F1B9
4980	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json		binary
		MD5:837C1211E392A24D64C670DC10E8DA1B	SHA256:8013AC030684B86D754BBFBAB8A9CEC20CAA4DD9C03022715FF353DC10E14031
4980	Acrobat.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING		binary
		MD5:DC84B0D741E5BEAE8070013ADDCC8C28	SHA256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
4128	mmc.exe	C:\Users\admin\AppData\Local\Temp\关于组织参加第八届“强网杯”全国网络安全挑战赛的通知（11月2日至3日举行线上赛）.pdf		pdf
		MD5:1D6FA884E426FA4E4C7ACEC2F19D5941	SHA256:8807FFEB0261DB31FE5DD59043F27AE27F39B7460C4AAADB6E8080F34670C8AF
4128	mmc.exe	C:\Program Files\Cloudflare\GUP.exe		executable
		MD5:6D3904CD8ECC9127DFD7E0A5C4FB9098	SHA256:D766E852367B4306548DD3DA8ABE93175732AF2052369155C48D958556DCCDE4
2092	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old		text
		MD5:EB1590F2607E1CE46DBF6A521F772EA0	SHA256:4355D9A8A115BA4E41178B456A8A5578846EB1F7EC9509249C2405F758F31731
2092	AcroCEF.exe	C:\Users\admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old~RF1375cf.TMP		text
		MD5:7383516745DEC1E86152192435F92D1F	SHA256:E22D34BBD915EEB277D4F4138D176EACE5577CF035EF7C2C80A4BC4D9B6C0E1D
4540	GUP.exe	C:\Windows\SysWOW64\gup.xml		xml
		MD5:116878A2647BCC21FA7EE6D9EBF3126C	SHA256:3A8C12E021D292232AEFBC93985316902E3901C455E88330ACEDF56C358AA951

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5032	Acrobat.exe	GET	404	2.19.126.143:80	http://acroipm2.adobe.com/23/rdr_64x/ENU/win/nooem/none/consumer/message.zip	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4540	GUP.exe	192.168.57.119:6000	—	—	—	unknown
880	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3976	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5732	AcroCEF.exe	23.32.184.135:443	geo2.adobe.com	AKAMAI-AS	BR	whitelisted
5732	AcroCEF.exe	52.22.41.97:443	p13n.adobe.io	AMAZON-AES	US	whitelisted
5732	AcroCEF.exe	95.101.148.135:443	armmf.adobe.com	Akamai International B.V.	NL	whitelisted
5032	Acrobat.exe	2.19.126.143:443	acroipm2.adobe.com	Akamai International B.V.	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
google.com	142.250.186.78	whitelisted
geo2.adobe.com	23.32.184.135	whitelisted
p13n.adobe.io	52.22.41.97 52.6.155.20 3.219.243.226 3.233.129.217	whitelisted
armmf.adobe.com	95.101.148.135	whitelisted
acroipm2.adobe.com	2.19.126.143 2.19.126.149	whitelisted
www.bing.com	92.123.104.10 92.123.104.16 92.123.104.6 92.123.104.14 92.123.104.9 92.123.104.12 92.123.104.17 92.123.104.11 92.123.104.15	whitelisted
login.live.com	20.190.160.17 40.126.32.76 40.126.32.136 40.126.32.133 40.126.32.74 20.190.160.20 20.190.160.14 40.126.32.134	whitelisted
go.microsoft.com	23.32.186.57	whitelisted
arc.msn.com	20.223.35.26	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

f555f39b7a32994ab52869fc49b03f87c426db8f18800c1497000d76fb0e2552.msc

1E7E6A3F8E9C66204109F5F8952C9DE2

3248685DB1439172AE323041380CB55C3F22CD95

F555F39B7A32994AB52869FC49B03F87C426DB8F18800C1497000D76FB0E2552

24576:GnQWDxzUUEr1NKEsP6pWXkX3BO6FTdYaxT15g+jPg3oaAmS91uk1Y4Hj4Qh0h+Wq:oBDxzU5KM4K3s6FP5grSbYQO761

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Creates a new folder (SCRIPT)

Uses base64 encoding (SCRIPT)

Detects the decoding of a binary file from Base64 (SCRIPT)

GRIMRESOURCES has been detected (YARA)

SUSPICIOUS

Creates FileSystem object to access computer's file system (SCRIPT)

Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

Runs shell command (SCRIPT)

Writes binary data to a Stream object (SCRIPT)

Sets XML DOM element text (SCRIPT)

Saves data to a binary file (SCRIPT)

Executable content was dropped or overwritten

Connects to unusual port

INFO

Reads security settings of Internet Explorer

Application launched itself

Checks supported languages

Reads the computer name

Sends debugging messages

Malware configuration

Static information

TRiD

EXIF

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings