Windows Analysis Report
PO24F1000015.pdf

Overview

General Information

Sample name:	PO24F1000015.pdf
Analysis ID:	1411158
MD5:	34f6e9b8e35c3602f279099544179bc8
SHA1:	68b6bd78e3fc3ff2ba3d2668d095680c0c45f8a1
SHA256:	ef34780835a3be619ab0fb920d8dc837a0107efc8b1e9bc847dd3ec67076db6d
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Checks for available system drives (often done to infect USB drives)

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Tries to load missing DLLs

Classification

Signatures

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708

Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI429E.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI433B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI437A.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI439B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI43CA.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI43EB.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI440B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI444A.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI446B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI448B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44CA.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44EB.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI450B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI452B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\Elevation.tmp

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI429E.tmp

Tries to load missing DLLs

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll

Source: classification engine

Classification label: clean5.winPDF@18/44@0/43

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-03-18 17-17-19-055.log

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\PO24F1000015.pdf
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2156 --field-trial-handle=1580,i,1101707894866567689,15242636821926041621,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 5727D9A6734144D2581E6CD906595036
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2156 --field-trial-handle=1580,i,1101707894866567689,15242636821926041621,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 5727D9A6734144D2581E6CD906595036

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: PO24F1000015.pdf	Initial sample: PDF keyword /JS count = 0
Source: PO24F1000015.pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: PO24F1000015.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI448B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI43CA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44EB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI429E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI446B.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI448B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI43CA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44EB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI429E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI446B.tmp	Jump to dropped file

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI448B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI43CA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI44EB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI429E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI446B.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe

Queries volume information: C:\ VolumeInformation

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.51.56.185	unknown	United States	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false
50.16.47.176	unknown	United States	14618	AMAZON-AESUS	false
23.47.168.24	unknown	United States	16625	AKAMAI-ASUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false

ID:	1411158
Product:	CloudBasic
Start time:	17:16:50
Start date:	18.03.2024
Sample:	PO24F1000015.pdf
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	34f6e9b8e35c3602f279099544179bc8
SHA1:	68b6bd78e3fc3ff2ba3d2668d095680c0c45f8a1
SHA256:	ef34780835a3be619ab0fb920d8dc837a0107efc8b1e9bc847dd3ec67076db6d
Filetype:	Adobe Portable Document Format (5005/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG	ASCII text	F990F7404FBB01F4143E1CF292ABCBC6	242EF14C969A39760ED397BD21D3F7C07BF3E443	CAAEAFBEFCDDE5AC37D526137151D1951AE8EFF96FD4F5ACB7123860D1988764
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG	ASCII text	45EFBA4379686176F35B71258F4541DB	02FCA54E383C2CC54D1A66430DEDCE916C4D34D3	48A19200DE83C7695897138389D098C82660E36C56AE880EFC9FE8B20246E22B
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)	JSON data	4C313FE514B5F4E7E89329630909F8DC	916EED77EC8C9DC90C64FF1E5CC9D04D4674EE56	1EE7C151EF264F91FCDCCB6644F62DC33E27A4E829DAAB748DA1DE4426400873
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF3e51bc.TMP (copy)	JSON data	4C313FE514B5F4E7E89329630909F8DC	916EED77EC8C9DC90C64FF1E5CC9D04D4674EE56	1EE7C151EF264F91FCDCCB6644F62DC33E27A4E829DAAB748DA1DE4426400873
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\f62e09d5-2937-4d20-bc7b-a1c86896a239.tmp	JSON data	0E875D14FAE31212FD89DB2858C508D5	004AADA351610E6607E40CBCBC72CA7DFCCA0910	DA72D97E442539068AE1FEB627A4F57E8C26A8DA6E9C0E72EAAB864F02C8BA16
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\f9215b4f-cddc-4741-81d6-28929296acec.tmp	JSON data	4C313FE514B5F4E7E89329630909F8DC	916EED77EC8C9DC90C64FF1E5CC9D04D4674EE56	1EE7C151EF264F91FCDCCB6644F62DC33E27A4E829DAAB748DA1DE4426400873
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log	data	AC46819DA45CE72E1D070DC3EFCE3B1B	FD5F6E36427D87F6C663F7599197F23E5339F9DF	2D4D1AEC16B4BCC6089CEA363B8646B3CF6F47DBE99A2555DBEDF0CBCBEF4715
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG	ASCII text	2FD1FAA839817280F6AFA112B0072E81	3F47ECC615A4147B0E2E7528C96D65E9AD7CAB8D	DB10C4E803807AB5806B9BEFBCAF403B80DDC6034DDB8274C8C2893F3F5BDB81
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-240318161721Z-162.bmp	PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54	0AC836A88E5D1127A43EB8E3F7F0A0D4	26C525A44C120E35D643F6B17F97548FC56CC7C3	FA2AA07BBBBED4CA271F274864FE053770C595DB60F4D22AFB2736B7F701E769
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages	SQLite 3.x database, last written using SQLite version 3040000, file counter 2, database pages 14, cookie 0x5, schema 4, UTF-8, version-valid-for 2	A4D5FECEFE05F21D6F81ACF4D9A788CF	1A9AC236C80F2A2809F7DE374072E2FCCA5A775C	83BE4623D80FFB402FBDEC4125671DF532845A3828A1B378D99BD243A4FD8FF2
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal	SQLite Rollback Journal	85C45C2A0957B5DB51FA5E57236CD650	46C2CB8C27569C097675D54D534872A6DD4AB47F	F940A0926A4010054BCDE322FCF3CF8D25C8ED3AC24CC4E691E581AC909CD325
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID	JSON data	67767E4AB617AC5BC6085F5FAE54F255	88A30A2BA305E3728779C66AACFB26544001D841	8C1DCC2DA270F89F1E278D3112DA4D4E92C2A7BF82F12338B59446335D5FF33F
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface	JSON data	2D3FC6751E477153DCDD0676267239C8	7C948A8D053D48A71E2CDC5E0AEB16BF2FD6F652	73432E13275BFA742C68AAF200109A8BD0DC8D24BEA98595D256C9E94597BC17
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface	JSON data	8A31C89B2E1D25EAF99C5FD8B4D72385	D8478947E8E4F8883D2E9D95A2879F6294350989	6C8AD06A7B923364C64488C7E3697CA11AD118497F83EB223C632D387876CFB5
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD	JSON data	393999202417D40E0245B091A4B9F466	2138C0C167F8F1391276CC17B8C8327963D1C58A	220A8348BAF783AEFF01C0B98DBC7941A164F7FA333449236AC6DFDC007E0B22
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner	JSON data	B9CAC9A9B238C491265BC705480DDB0D	732E03B6D5989831D85A82DB64951832838DD831	E384FC51BCBB96388F4EBC070264D17739D5C786B4D6F9ACCE3D519374366AFC
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner	JSON data	D1DF01505A9531160B1A944DFA60FF96	EAF987A2C4878F66BB46C29BAFF9454441918883	2F686CE7820BB6D2A4408B5B2C169174BE4654591E1A18F3E8539509677D5EDC
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention	JSON data	54CBF3EDA31287C9673432C046774C5A	0063F093C6147C1BA68042A75F1EDB0797EDA33C	7122B83F2E69E85BC314D84CE94FE141C2F589AAAF651CBCFCD2356C9F0E706F
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner	JSON data	74578FFBF73A62840D5520CF89C8631F	D071B1466D6270B01442F02FDB57263CC56CCEAF	D5CDD205546F692D8660A87161C78C9D5BCF090F6A26E7D3A0196D610FA25F87
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner	JSON data	BF443055985B299D6CC9B499D5C6A67F	08885E87572A8F79C4F8DF4277C489A8B60C6791	86CF42EAAE76BF394795E00FBF39BDC7468EEE8D31D35D08133DBEA0AE1F717B
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner	JSON data	FA4C98E3E8A08EE37BA8FD111DE85E7F	23F9CE96628673CA139E83567A0A10080A7BE614	0AC3F99F0B53AFCAC422FBF3BD57E2AB8F29FFE57F233B066E7C78EB4BDEE1E7
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner	JSON data	0BF58E84A5DABB305FE84704FC2467E9	4294CF61BE6B2E8FFE36822D40223FC163C77115	C9ABA45673D932CD957844BF1367BE8F15E5AEDC58B9A5B3A71E09FCB6AB0D97
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner	JSON data	450C7EC7DB2A9CBDC4D9793345F82A4E	8AF80479AB47576920A6F73B5B621A7BBBB832CC	C5428384594AD673A43C238DFE204470E290DA6E307EEB240AF61A4EAF155E14
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention	JSON data	8592A54DFAAC546615C81F334EF89C99	F52525E446D35DD7903B69D1F330FA03E6C33D1A	3D03A3A4C0AAA0DCA1C8C70088FC706F1BE0247C3E34800899C1A06B0BD1B6C3
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner	JSON data	47451959EE0E3F82526C4AFD421644E1	648A8FD0E0B287213172BFB98E75FCED68A6DFD1	DF928B4A1B40500D7F45C32D3978C065E838AF0C3482E30CB8BEC6EC18579474
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards	JSON data	71358E3706CD17446917838CAF690D93	D08C65C2BB0208697F57865472E808571AA5C2FD	0921BD5B5AE2736FA5CAD6E3E1384C10DAC9ED886380635EDFCF0E0968802CFB
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020	JSON data	C1D4780C76D5E6D70C967A40A552377B	AE090A628ADE464C8841CF159592BE3BD4A6E0CE	A2D4DB99697C67D038E55E2EE9C164C7900F119059C0D717E4AFE16CA0FC0176
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING	data	DC84B0D741E5BEAE8070013ADDCC8C28	802F4A6A20CBF157AAF6C4E07E4301578D5936A2	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json	JSON data	F6B0E2A7E8A206ED90250EE2BBBA67BF	D8809262AE8D6DDB8A54A86B5E37F20ED743734B	3C295E059E48122808578B69591ADEE06B3E77B4152CE3EBD20B27E3A479DE80
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents	SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19	C8CCF73CB415D5991D416DBBCA9F8E27	8F1510407E2675000D52F8DC9A65812C6B8D417C	652B882E71A302DA09E3BDA5BC2482B72408928AB4798E2BED42E1DFD6AF3B26
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal	SQLite Rollback Journal	6799B34957D30EB2B102FDAB70E2F6BD	619B9E2F467A69D562974276EC8E0674C7859CFA	B4B0F9ACD2811053F3C449364F1EFB8B202B65A17E088EA5CFFEA38216259BB0
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin	data	A70CA2D9FA3F4B8F0893D804611862B0	F79434879E06756A7CF90021E7D5CBA1862EE28F	6CCD1C5894B2CB2034CC6986B5BEDE9B8540E2A75872929AD8D5870BEE25F267
C:\Users\user\AppData\Local\Temp\MSId45ca.LOG	Unicode text, UTF-16, little-endian text, with CRLF line terminators	64828052067D7CC1FDB415F63AD1E0EC	81585F2B0DC4CCCCF7F39F1BBAE30026C323A609	B2ED0E798ED31837EE512CAD7A79C204A078C77EB29A94F9BB4102710C62142A
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-03-18 17-17-19-055.log	ASCII text, with very long lines (393)	91F06491552FC977E9E8AF47786EE7C1	8FEB27904897FFCC2BE1A985D479D7F75F11CEFC	06582F9F48220653B0CB355A53A9B145DA049C536D00095C57FCB3E941BA90BB
C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt	ASCII text, with CRLF line terminators	53F5828B5BE805B2AF66170352C28E1F	87324C6B37CCD7BCC73FCDCB71F4F93BBFCB5929	344CC32AA922D8C2ABF50FF780DB80332BEF2160ED74DBC5DE8CE0527A495CA3
C:\Users\user\AppData\Local\Temp\acrocef_low\21135ec1-fe14-4f7a-8322-ccc7d4014a1c.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 57837	D58D391C331C4E566606AD39E9A93933	172367AC50DF737EC4D7BF25909F7863E23EA206	73EF6876EADF4905CF44BA1C4F38BE86F0B9E9B8BA3AE38319D3B40E46E78BD6
C:\Users\user\AppData\Local\Temp\acrocef_low\783fe5c7-b65c-4edc-a001-899d0254af22.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538	3A49135134665364308390AC398006F1	28EF4CE5690BF8A9E048AF7D30688120DAC6F126	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
C:\Users\user\AppData\Local\Temp\acrocef_low\81b68bf7-3f9b-4540-84db-b22da5529d51.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081	8B9FA2EC5118087D19CFDB20DA7C4C26	E32D6A1829B18717EF1455B73E88D36E0410EF93	4782624EA3A4B3C6EB782689208148B636365AA8E5DAF00814FA9AB722259CBD
C:\Users\user\AppData\Local\Temp\acrocef_low\935e333c-fa7a-4126-9ebc-4408f5ae2481.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022	5C48B0AD2FEF800949466AE872E1F1E2	337D617AE142815EDDACB48484628C1F16692A2F	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
C:\Windows\Installer\MSI429E.tmp	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	02BF4F9572D87DB0A85662B792E0D3FE	A7E2CF47C9EC8A812457055DE5CBB92E230AC14B	0D94E8ED592846BA7B7D035F08D753BB89514D230AD0B494E50D86DD5220AB34
C:\Windows\Installer\MSI43CA.tmp	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	063D4491FF8D8146B167EE4B24E304FC	D7178B029828DB23A115D224DCA3130B7ED9537B	0A100DC7F447CC980491199F5D0583FA7D44D8FE7A1632482567C617F10FE54D
C:\Windows\Installer\MSI446B.tmp	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	4F89DA665E512350058C520174611135	0A4720B834E50D7DBB850F112E322D6FC64334B1	EC2FF4D9ABD96A9E42E01DD98BDEFF390C05729FAC3FEE50AEB6D88398B1E653
C:\Windows\Installer\MSI448B.tmp	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	0FB71A79C1269E2BA50FB92EB92866D6	7292A917707D174F7F98BBCD7E248000EBCFE9E0	E9E4ADFA160CE9BBEDA6A083C42562FDB33A8C9261F85EDC682528333813B7B6
C:\Windows\Installer\MSI44EB.tmp	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	1566E699EE42EAA571700F3AD30B2DBA	D2B11F53310AD7118B6893C46EA815F9C7BF9CE2	4BC5FC5CD0AE661B4FFE6AD9E12E55B233F471BA84F40CBA7BEB0CEA8822E831
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	39D0F1FA0D64772942DD1783D1F6E883	B7123A964BFC8DF54D7ACF4902327B7A24F0D31C	C53D9094E8354AD8B63D61322C7AC1B6EBFB2CDE14D6FB2BB746CD95456975FF

Windows Analysis Report
PO24F1000015.pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

Spreading

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Contacted Public IPs

Windows Analysis Report PO24F1000015.pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

Spreading

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Contacted Public IPs

Windows Analysis Report
PO24F1000015.pdf