Edit tour

Windows Analysis Report
PO24F1000015.pdf

Overview

General Information

Sample name:	PO24F1000015.pdf
Analysis ID:	1411158
MD5:	34f6e9b8e35c3602f279099544179bc8
SHA1:	68b6bd78e3fc3ff2ba3d2668d095680c0c45f8a1
SHA256:	ef34780835a3be619ab0fb920d8dc837a0107efc8b1e9bc847dd3ec67076db6d
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Checks for available system drives (often done to infect USB drives)

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Tries to load missing DLLs

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

No malicious behavior found, analyze the document also on other version of Office / Acrobat

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Process Tree

System is w10x64_ra

Acrobat.exe (PID: 7036 cmdline: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\PO24F1000015.pdf MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 6192 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 3564 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2156 --field-trial-handle=1580,i,1101707894866567689,15242636821926041621,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443

Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 192.168.2.16:49708 -> 23.47.168.24:443
Source: global traffic	TCP traffic: 23.47.168.24:443 -> 192.168.2.16:49708

Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24
Source: unknown	TCP traffic detected without corresponding DNS query: 23.47.168.24

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI429E.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI433B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI437A.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI439B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI43CA.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI43EB.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI440B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI444A.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI446B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI448B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44CA.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44EB.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI450B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI452B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\Elevation.tmp

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI429E.tmp

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll

Source: classification engine

Classification label: clean5.winPDF@18/44@0/43

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-03-18 17-17-19-055.log

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\PO24F1000015.pdf
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2156 --field-trial-handle=1580,i,1101707894866567689,15242636821926041621,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 5727D9A6734144D2581E6CD906595036
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2156 --field-trial-handle=1580,i,1101707894866567689,15242636821926041621,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 5727D9A6734144D2581E6CD906595036

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: PO24F1000015.pdf	Initial sample: PDF keyword /JS count = 0
Source: PO24F1000015.pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: PO24F1000015.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI448B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI43CA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44EB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI429E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI446B.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI448B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI43CA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44EB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI429E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI446B.tmp	Jump to dropped file

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI448B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI43CA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI44EB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI429E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI446B.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\msiexec.exe

Queries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Exploitation for Client Execution	1 DLL Side-Loading	1 Process Injection	21 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File Deletion	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Source	Detection	Scanner
C:\Windows\Installer\MSI429E.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI43CA.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI446B.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI448B.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI44EB.tmp	0%	ReversingLabs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.51.56.185	unknown	United States	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false
50.16.47.176	unknown	United States	14618	AMAZON-AESUS	false
23.47.168.24	unknown	United States	16625	AKAMAI-ASUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1411158
Start date and time:	2024-03-18 17:16:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	PO24F1000015.pdf
Detection:	CLEAN
Classification:	clean5.winPDF@18/44@0/43
Cookbook Comments:	Found application associated with file extension: .pdf

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 23.51.56.185, 50.16.47.176, 34.237.241.83, 54.224.241.105, 18.213.11.84, 162.159.61.3, 172.64.41.3, 23.55.243.210, 23.55.243.199
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, slscr.update.microsoft.com, ssl-delivery.adobe.com.edgekey.net, acroipm2.adobe.com.edgesuite.net, a122.dscd.akamai.net, p13n.adobe.io, geo2.adobe.com, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: PO24F1000015.pdf

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.195885898964632
Encrypted:	false
SSDEEP:
MD5:	F990F7404FBB01F4143E1CF292ABCBC6
SHA1:	242EF14C969A39760ED397BD21D3F7C07BF3E443
SHA-256:	CAAEAFBEFCDDE5AC37D526137151D1951AE8EFF96FD4F5ACB7123860D1988764
SHA-512:	66D964897EC0CED3304346CFB0655B646BEA6014960125060F0B6ABBA3793B62C241F862D74C77438F2FBA296D668CE8B17571753D88CC62A5A1BC48136B429A
Malicious:	false
Reputation:	unknown
Preview:	2024/03/18-17:17:17.426 181c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/03/18-17:17:17.428 181c Recovering log #3.2024/03/18-17:17:17.429 181c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.159813317811128
Encrypted:	false
SSDEEP:
MD5:	45EFBA4379686176F35B71258F4541DB
SHA1:	02FCA54E383C2CC54D1A66430DEDCE916C4D34D3
SHA-256:	48A19200DE83C7695897138389D098C82660E36C56AE880EFC9FE8B20246E22B
SHA-512:	726023A6D269412F56D7CCC1DF07812F643CB9FE5F484FD656088332B428B19D6BF47331F9A03891F2D3C883CFECD1454A2A368C7417F4F0627988232E4DFA38
Malicious:	false
Reputation:	unknown
Preview:	2024/03/18-17:17:17.332 1204 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/03/18-17:17:17.336 1204 Recovering log #3.2024/03/18-17:17:17.337 1204 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	4C313FE514B5F4E7E89329630909F8DC
SHA1:	916EED77EC8C9DC90C64FF1E5CC9D04D4674EE56
SHA-256:	1EE7C151EF264F91FCDCCB6644F62DC33E27A4E829DAAB748DA1DE4426400873
SHA-512:	1726CAFCBA0121691DFA87A7298E6610BC4C7FD900867FD1B1710811E764918585E56788E08B7CA2CEE001F5DFD110E1BE6F6BBD7C2A7B7E2FC87D3DED210205
Malicious:	false
Reputation:	unknown
Preview:	{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341145152835463","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144284},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.16","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF3e51bc.TMP (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	4C313FE514B5F4E7E89329630909F8DC
SHA1:	916EED77EC8C9DC90C64FF1E5CC9D04D4674EE56
SHA-256:	1EE7C151EF264F91FCDCCB6644F62DC33E27A4E829DAAB748DA1DE4426400873
SHA-512:	1726CAFCBA0121691DFA87A7298E6610BC4C7FD900867FD1B1710811E764918585E56788E08B7CA2CEE001F5DFD110E1BE6F6BBD7C2A7B7E2FC87D3DED210205
Malicious:	false
Reputation:	unknown
Preview:	{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341145152835463","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144284},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.16","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\f62e09d5-2937-4d20-bc7b-a1c86896a239.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	402
Entropy (8bit):	4.990980851641861
Encrypted:	false
SSDEEP:
MD5:	0E875D14FAE31212FD89DB2858C508D5
SHA1:	004AADA351610E6607E40CBCBC72CA7DFCCA0910
SHA-256:	DA72D97E442539068AE1FEB627A4F57E8C26A8DA6E9C0E72EAAB864F02C8BA16
SHA-512:	B62BAE0D402B297E6DEF6D4970DF15BC99AD29B1B469E2466C51F3380F03C5C8C9D61913CADDB31A00B871CFD333B34AAC36A25DC3671AA7710A7DACE7DA4BE3
Malicious:	false
Reputation:	unknown
Preview:	{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13355338648774280","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":90652},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.16","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\f9215b4f-cddc-4741-81d6-28929296acec.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	403
Entropy (8bit):	4.953858338552356
Encrypted:	false
SSDEEP:
MD5:	4C313FE514B5F4E7E89329630909F8DC
SHA1:	916EED77EC8C9DC90C64FF1E5CC9D04D4674EE56
SHA-256:	1EE7C151EF264F91FCDCCB6644F62DC33E27A4E829DAAB748DA1DE4426400873
SHA-512:	1726CAFCBA0121691DFA87A7298E6610BC4C7FD900867FD1B1710811E764918585E56788E08B7CA2CEE001F5DFD110E1BE6F6BBD7C2A7B7E2FC87D3DED210205
Malicious:	false
Reputation:	unknown
Preview:	{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341145152835463","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144284},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.16","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4099
Entropy (8bit):	5.231893839906004
Encrypted:	false
SSDEEP:
MD5:	AC46819DA45CE72E1D070DC3EFCE3B1B
SHA1:	FD5F6E36427D87F6C663F7599197F23E5339F9DF
SHA-256:	2D4D1AEC16B4BCC6089CEA363B8646B3CF6F47DBE99A2555DBEDF0CBCBEF4715
SHA-512:	4B8777B8DC719115B7F46090B5D94A8C7BBDCB30CCDD77BAC4017B70D346C141C489991DF582DE899FC80E1C65598E11BD1571608830D84674C0DB5B1BB8C386
Malicious:	false
Reputation:	unknown
Preview:	*...#................version.1..namespace-e...o................next-map-id.1.Pnamespace-1d95df23_a38f_44a8_b732_4e62dd896a16-https://rna-resource.acrobat.com/.0y.S_r................next-map-id.2.Snamespace-2a884c18_b39c_4e3d_942f_252e530ca4bd-https://rna-v2-resource.acrobat.com/.16.X:r................next-map-id.3.Snamespace-2e78bfda_7188_4688_a4aa_1ff81b6e5eaa-https://rna-v2-resource.acrobat.com/.2.P.@o................next-map-id.4.Pnamespace-09c119c2_97bc_4467_8f67_f92472c9e5dc-https://rna-resource.acrobat.com/.346.+^...............Pnamespace-1d95df23_a38f_44a8_b732_4e62dd896a16-https://rna-resource.acrobat.com/....^...............Pnamespace-09c119c2_97bc_4467_8f67_f92472c9e5dc-https://rna-resource.acrobat.com/..?&a...............Snamespace-2a884c18_b39c_4e3d_942f_252e530ca4bd-https://rna-v2-resource.acrobat.com/_...a...............Snamespace-2e78bfda_7188_4688_a4aa_1ff81b6e5eaa-https://rna-v2-resource.acrobat.com/...o................next-map-id.5.Pnamespace-07af9ee9_2076_4f12_94b5_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	322
Entropy (8bit):	5.184643131000058
Encrypted:	false
SSDEEP:
MD5:	2FD1FAA839817280F6AFA112B0072E81
SHA1:	3F47ECC615A4147B0E2E7528C96D65E9AD7CAB8D
SHA-256:	DB10C4E803807AB5806B9BEFBCAF403B80DDC6034DDB8274C8C2893F3F5BDB81
SHA-512:	48ECC7FB3998A3088F96705CE43F5DD4584DB92512B322E966DDD1C49CA2428B2F986007E547FCD4FAB68DEFAD662AE474F75D7EFCA7CBFBB1385AD0B8877131
Malicious:	false
Reputation:	unknown
Preview:	2024/03/18-17:17:17.466 1204 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/03/18-17:17:17.468 1204 Recovering log #3.2024/03/18-17:17:17.470 1204 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-240318161721Z-162.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
Category:	dropped
Size (bytes):	65110
Entropy (8bit):	0.8339202808682036
Encrypted:	false
SSDEEP:
MD5:	0AC836A88E5D1127A43EB8E3F7F0A0D4
SHA1:	26C525A44C120E35D643F6B17F97548FC56CC7C3
SHA-256:	FA2AA07BBBBED4CA271F274864FE053770C595DB60F4D22AFB2736B7F701E769
SHA-512:	B0CC6D91A1C24AF9B917FCB2F6030A5D4760301D86FC29D5A676DA987C2A9C07F105A101B4E823FD96EC0ED6DD144636C6488225E39FCA271C5F1FE9D322E05D
Malicious:	false
Reputation:	unknown
Preview:	BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 2, database pages 14, cookie 0x5, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	3.291927920232006
Encrypted:	false
SSDEEP:
MD5:	A4D5FECEFE05F21D6F81ACF4D9A788CF
SHA1:	1A9AC236C80F2A2809F7DE374072E2FCCA5A775C
SHA-256:	83BE4623D80FFB402FBDEC4125671DF532845A3828A1B378D99BD243A4FD8FF2
SHA-512:	FF106C6B9E1EA4B1F3E3AB01FAEA21BA24A885E63DDF0C36EB0A8C3C89A9430FE676039C076C50D7C46DC4E809F6A7E35A4BFED64D9033FEBD6121AC547AA5E9
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	16928
Entropy (8bit):	1.213142569890365
Encrypted:	false
SSDEEP:
MD5:	85C45C2A0957B5DB51FA5E57236CD650
SHA1:	46C2CB8C27569C097675D54D534872A6DD4AB47F
SHA-256:	F940A0926A4010054BCDE322FCF3CF8D25C8ED3AC24CC4E691E581AC909CD325
SHA-512:	656D4E2BCEC47E6751E730C0578D4846CB35AAE4D3126DFD42907D19EFADFBD2E034BB77F64E693106FC1CA90A3FA538B5CCC6D88A2682C2A12C8554FE184EBA
Malicious:	false
Reputation:	unknown
Preview:	.... .c......D.F........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.35331249163579
Encrypted:	false
SSDEEP:
MD5:	67767E4AB617AC5BC6085F5FAE54F255
SHA1:	88A30A2BA305E3728779C66AACFB26544001D841
SHA-256:	8C1DCC2DA270F89F1E278D3112DA4D4E92C2A7BF82F12338B59446335D5FF33F
SHA-512:	CAADC6D518E1987DE6CA3F8A73C36673EDAF23669C93890878D0473BD79EA65C2D1BEEBDE0517C41DDD2D9A43E45A958724854A010283A0C9A7798AD03F01C80
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.299418429707488
Encrypted:	false
SSDEEP:
MD5:	2D3FC6751E477153DCDD0676267239C8
SHA1:	7C948A8D053D48A71E2CDC5E0AEB16BF2FD6F652
SHA-256:	73432E13275BFA742C68AAF200109A8BD0DC8D24BEA98595D256C9E94597BC17
SHA-512:	A5B5550302306A5043B58E6C9BF14B202EA1B9ACDF71C92A2DE53A526D03176656C945388B33BAD78FDBA01FF82CF7C9A3E4B00C4E15D7DBA25DA285B898F691
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.278686223622158
Encrypted:	false
SSDEEP:
MD5:	8A31C89B2E1D25EAF99C5FD8B4D72385
SHA1:	D8478947E8E4F8883D2E9D95A2879F6294350989
SHA-256:	6C8AD06A7B923364C64488C7E3697CA11AD118497F83EB223C632D387876CFB5
SHA-512:	0548C71A7FFF8745CB85BC18958E0F7CDF9F6F0D9C01F6B01AAAC40223DEE0B2AD1EC82EA19417EFFF6FD662C98C393F6F7B99C941D955486C33A4874B28D254
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.341340017405508
Encrypted:	false
SSDEEP:
MD5:	393999202417D40E0245B091A4B9F466
SHA1:	2138C0C167F8F1391276CC17B8C8327963D1C58A
SHA-256:	220A8348BAF783AEFF01C0B98DBC7941A164F7FA333449236AC6DFDC007E0B22
SHA-512:	D071E28F3F0FF7A2D7DB65CB5C284DC67473EE592ED48E244E209286A1AF7DFF7D8343483C9EEFB04A0F6828FB99E76E0BD0044D51D4218D9CE58E34504DFB1D
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.302231740165988
Encrypted:	false
SSDEEP:
MD5:	B9CAC9A9B238C491265BC705480DDB0D
SHA1:	732E03B6D5989831D85A82DB64951832838DD831
SHA-256:	E384FC51BCBB96388F4EBC070264D17739D5C786B4D6F9ACCE3D519374366AFC
SHA-512:	E8D8DE88B341837AA607228A47F540010DE52534C43C2FB99F0B84CE12A98B7A3470181358FC2BA615A2CA9C191BFF97E1A57CED444824BF11AED513CC672892
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.28981504039519
Encrypted:	false
SSDEEP:
MD5:	D1DF01505A9531160B1A944DFA60FF96
SHA1:	EAF987A2C4878F66BB46C29BAFF9454441918883
SHA-256:	2F686CE7820BB6D2A4408B5B2C169174BE4654591E1A18F3E8539509677D5EDC
SHA-512:	08FB429DDAA335FAF0EEB7278B72FC41639923BC1F6960A314754A8D712DC059216391D12504749D991788F6CF36FF0A74A7F84E4F5EB52A944DDD5C5D34CDF0
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.292862731929334
Encrypted:	false
SSDEEP:
MD5:	54CBF3EDA31287C9673432C046774C5A
SHA1:	0063F093C6147C1BA68042A75F1EDB0797EDA33C
SHA-256:	7122B83F2E69E85BC314D84CE94FE141C2F589AAAF651CBCFCD2356C9F0E706F
SHA-512:	9A3E704911FD24EF6B4368394ACBCBFAA8F8AB20F3F3E2A290E23B8A8715C9D19FD4519969E04CD5E6682B2D550E57064D8A286AFF25933774C40E3115B502E7
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.3008845988879285
Encrypted:	false
SSDEEP:
MD5:	74578FFBF73A62840D5520CF89C8631F
SHA1:	D071B1466D6270B01442F02FDB57263CC56CCEAF
SHA-256:	D5CDD205546F692D8660A87161C78C9D5BCF090F6A26E7D3A0196D610FA25F87
SHA-512:	2AD788C313CCEEAEEFC3134C6804512F5BB236E4F4C84BEF031EABE8C15E03D255F156D3C633FBE0048D329471C4B6D736F1DA5A172864558AF4F28920FF7294
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.314250285315446
Encrypted:	false
SSDEEP:
MD5:	BF443055985B299D6CC9B499D5C6A67F
SHA1:	08885E87572A8F79C4F8DF4277C489A8B60C6791
SHA-256:	86CF42EAAE76BF394795E00FBF39BDC7468EEE8D31D35D08133DBEA0AE1F717B
SHA-512:	D4AC2342D638AFD87816CC9836A5B271913A3BD74673DAAD4EDB1717F3FD49930E27DE9981ACD7761E2B208A7E0F25E6C35762F6AE858B580A33844C2B9D3D68
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.295328205957625
Encrypted:	false
SSDEEP:
MD5:	FA4C98E3E8A08EE37BA8FD111DE85E7F
SHA1:	23F9CE96628673CA139E83567A0A10080A7BE614
SHA-256:	0AC3F99F0B53AFCAC422FBF3BD57E2AB8F29FFE57F233B066E7C78EB4BDEE1E7
SHA-512:	99AC800405A4F2BDD8F594A9E676B0A28F1E2F29DF38A17ABF8AE06ECBE24ACDED75EFA45070714939201BAB516E6326FA10A7DF32EFA48FF99614A3F9A25784
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1395
Entropy (8bit):	5.773518152421386
Encrypted:	false
SSDEEP:
MD5:	0BF58E84A5DABB305FE84704FC2467E9
SHA1:	4294CF61BE6B2E8FFE36822D40223FC163C77115
SHA-256:	C9ABA45673D932CD957844BF1367BE8F15E5AEDC58B9A5B3A71E09FCB6AB0D97
SHA-512:	E953897926D9D0BB9D9D75DD894A01CFBB2C25DC7C92F1C4B1BC221E3DDCEA03626CEABB1264EB80C4C41AA731CE53BF85B9D0555A587538574FCBAFAE82F0B3
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_RHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"57802_176003ActionBlock_0","campaignId":57802,"containerId":"1","controlGroupId":"","treatmentId":"d0374f2d-08b2-49b9-9500-3392758c9e2e","variationId":"176003"},"containerId":1,"containerLabel":"JSON for Reader DC RHP Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctRGF5IFRyaWFsIiwiZ29fdXJsIjoiaHR0cHM6Ly9hY3JvYmF0LmFkb2JlLmNvbS9wcm94eS9wcmljaW5nL3VzL2VuL3NpZ24tZnJlZS10cmlhbC5odG1sP3RyYWNraW5naWQ9UEMxUFFMUVQmbXY9aW4tcHJvZHVjdCZtdjI9cmVhZGVyIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjEyIiwiZm9udF9zdHlsZSI6IjMifSwidGl0

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.278907412181608
Encrypted:	false
SSDEEP:
MD5:	450C7EC7DB2A9CBDC4D9793345F82A4E
SHA1:	8AF80479AB47576920A6F73B5B621A7BBBB832CC
SHA-256:	C5428384594AD673A43C238DFE204470E290DA6E307EEB240AF61A4EAF155E14
SHA-512:	8E79BE0F6509649E5EDB041CE6363EE0E28F3DE22B3320A836D8FA8F0F6B18B13802A5329CA30F214F11E5737B6EEF6090D613C0E7272ABA10606BD09B6B73A7
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.282799344642368
Encrypted:	false
SSDEEP:
MD5:	8592A54DFAAC546615C81F334EF89C99
SHA1:	F52525E446D35DD7903B69D1F330FA03E6C33D1A
SHA-256:	3D03A3A4C0AAA0DCA1C8C70088FC706F1BE0247C3E34800899C1A06B0BD1B6C3
SHA-512:	0B64FED8D7A57F4199A20F7B419AF95359B37B844DCD331F5496B29B98FBDD501D02DEC525F412C683C4EF58607C7E16E37AAA2F0F4FFEA8478F9542405E7C7F
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.302440812240897
Encrypted:	false
SSDEEP:
MD5:	47451959EE0E3F82526C4AFD421644E1
SHA1:	648A8FD0E0B287213172BFB98E75FCED68A6DFD1
SHA-256:	DF928B4A1B40500D7F45C32D3978C065E838AF0C3482E30CB8BEC6EC18579474
SHA-512:	23525079255669412955236F06423DF559E923F6A5EE6F754AB1AB03CDCC3E5044DB50D207CB2428C2FD4E5948E7EA1984AF7FA630E952030C466E8282C7151B
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.260415199024767
Encrypted:	false
SSDEEP:
MD5:	71358E3706CD17446917838CAF690D93
SHA1:	D08C65C2BB0208697F57865472E808571AA5C2FD
SHA-256:	0921BD5B5AE2736FA5CAD6E3E1384C10DAC9ED886380635EDFCF0E0968802CFB
SHA-512:	CDBC0EE26E24A2DCAB79A78CC225540CF47094BB7D3A0524527FB0DA722173CF4C7E89D6053616BA557B3AEA656DB2FBA392049347320A525B526D89CFADEB1C
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	782
Entropy (8bit):	5.365366667868704
Encrypted:	false
SSDEEP:
MD5:	C1D4780C76D5E6D70C967A40A552377B
SHA1:	AE090A628ADE464C8841CF159592BE3BD4A6E0CE
SHA-256:	A2D4DB99697C67D038E55E2EE9C164C7900F119059C0D717E4AFE16CA0FC0176
SHA-512:	A89554BEE74F145D44B081923AF1103F4C7BD92132AAC4EF1EF84647BECF9AEA2464D71490B5B4CE8D190B69E08A5127F179CA8C31210EECACAC5A965E28AD6C
Malicious:	false
Reputation:	unknown
Preview:	{"analyticsData":{"responseGUID":"0c427bbe-56a4-46aa-94e9-fe794a09f932","sophiaUUID":"5E8BF9F5-1E3B-447C-A619-6054B1C06D0A"},"encodingScheme":true,"expirationDTS":1710958116275,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"Edit_InApp_Aug2020"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"20360_57769ActionBlock_0","campaignId":20360,"containerId":"1","controlGroupId":"","treatmentId":"3c07988a-9c54-409d-9d06-53885c9f21ec","variationId":"57769"},"containerId":1,"containerLabel":"JSON for switching in-app test","content":{"data":"eyJ1cHNlbGxleHBlcmltZW50Ijp7InRlc3RpZCI6IjEiLCJjb2hvcnQiOiJicm93c2VyIn19","dataType":"application\/json","encodingScheme":true},"endDTS":1735804679000,"startDTS":1710778641306}}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Reputation:	unknown
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2813
Entropy (8bit):	5.1311663608205205
Encrypted:	false
SSDEEP:
MD5:	F6B0E2A7E8A206ED90250EE2BBBA67BF
SHA1:	D8809262AE8D6DDB8A54A86B5E37F20ED743734B
SHA-256:	3C295E059E48122808578B69591ADEE06B3E77B4152CE3EBD20B27E3A479DE80
SHA-512:	BFB46FF5D59D2AF401336C5857D8219AE8CC389FF745874C31D3C360EC9941CD86E8345B2C4BEFE406973F215365A2DFA37A1497E63E2041675C4169BF1A5713
Malicious:	false
Reputation:	unknown
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"043e455b027f5464bac5c47d82650653","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1710778641000},{"id":"Edit_InApp_Aug2020","info":{"dg":"d29eb4f87296ebcac3ef0fd1218dddd3","sid":"Edit_InApp_Aug2020"},"mimeType":"file","size":782,"ts":1710778641000},{"id":"DC_Reader_RHP_Banner","info":{"dg":"c60011fc0d8940d69573dabff652a022","sid":"DC_Reader_RHP_Banner"},"mimeType":"file","size":1395,"ts":1710778641000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"f2119fd94d31f5b938d6abeb6e53c240","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1710778641000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"bbdaf44304e0a288a003f98a8e7631e5","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1710778641000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"7d2928635b5a12cebc17abe1340ddff3","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","size":289,"ts":1710778641000},{

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.98709698572142
Encrypted:	false
SSDEEP:
MD5:	C8CCF73CB415D5991D416DBBCA9F8E27
SHA1:	8F1510407E2675000D52F8DC9A65812C6B8D417C
SHA-256:	652B882E71A302DA09E3BDA5BC2482B72408928AB4798E2BED42E1DFD6AF3B26
SHA-512:	4F5FBA878D6357728E06408050C9E0C989210B66459F25278B270E560272F0FFC5844D089360A912C5C77760F06AF53C28B022FE675B7A254C21398D18860EE2
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.3422964766088226
Encrypted:	false
SSDEEP:
MD5:	6799B34957D30EB2B102FDAB70E2F6BD
SHA1:	619B9E2F467A69D562974276EC8E0674C7859CFA
SHA-256:	B4B0F9ACD2811053F3C449364F1EFB8B202B65A17E088EA5CFFEA38216259BB0
SHA-512:	997534ACC9DF3B30EB242F4D916D0B8AB9CF4BAAD6CCEB39D5FA0889A515BC90AFAE3170E7A6A0EDE9B77B05E54B930E6726BD75C9035C493B508CA215099E5E
Malicious:	false
Reputation:	unknown
Preview:	.... .c......v.I......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j...#..#.#.#.#.#.#.#.#.7.7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:
MD5:	A70CA2D9FA3F4B8F0893D804611862B0
SHA1:	F79434879E06756A7CF90021E7D5CBA1862EE28F
SHA-256:	6CCD1C5894B2CB2034CC6986B5BEDE9B8540E2A75872929AD8D5870BEE25F267
SHA-512:	F12E1A35027D25210350A711E6EA42F3847FB0ABADD42A8F9B2FDE46E259064CA9271FF614AA876AC50A11A55CDDAF8E6EEB4157B191E23C1FB03539BADB3447
Malicious:	false
Reputation:	unknown
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Temp\MSId45ca.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.5162684137903053
Encrypted:	false
SSDEEP:
MD5:	64828052067D7CC1FDB415F63AD1E0EC
SHA1:	81585F2B0DC4CCCCF7F39F1BBAE30026C323A609
SHA-256:	B2ED0E798ED31837EE512CAD7A79C204A078C77EB29A94F9BB4102710C62142A
SHA-512:	51CF15AD14EF98602B038CFB4653D821BCD6D90C8106416A60067AF2C741B3A8D917C3830E389DE25FF2B169F76C2DA4201D2CCDE46EEB3836F1E26DB2DD456D
Malicious:	false
Reputation:	unknown
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.8./.0.3./.2.0.2.4. . .1.7.:.1.7.:.2.4. .=.=.=.....

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-03-18 17-17-19-055.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.353642815103214
Encrypted:	false
SSDEEP:
MD5:	91F06491552FC977E9E8AF47786EE7C1
SHA1:	8FEB27904897FFCC2BE1A985D479D7F75F11CEFC
SHA-256:	06582F9F48220653B0CB355A53A9B145DA049C536D00095C57FCB3E941BA90BB
SHA-512:	A63E6E0D25B88EBB6602885AB8E91167D37267B24516A11F7492F48876D3DDCAE44FFC386E146F3CF6EB4FA6AF251602143F254687B17FCFE6F00783095C5082
Malicious:	false
Reputation:	unknown
Preview:	SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:072+0200 ThreadID=6404 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:072+0200 ThreadID=6404 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:072+0200 ThreadID=6404 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:073+0200 ThreadID=6404 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:073+0200 ThreadID=6404 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.424833676515946
Encrypted:	false
SSDEEP:
MD5:	53F5828B5BE805B2AF66170352C28E1F
SHA1:	87324C6B37CCD7BCC73FCDCB71F4F93BBFCB5929
SHA-256:	344CC32AA922D8C2ABF50FF780DB80332BEF2160ED74DBC5DE8CE0527A495CA3
SHA-512:	7DC655BF1DD054F26847B5A267A435D51A17BE4A11EEDE90CF7BC8CB0A05E7554FB5F9D5E48CBCE7EA5D5AA0B64706BE51103CE554A24607B4E35F0E69E08B3D
Malicious:	false
Reputation:	unknown
Preview:	06-10-2023 10:08:42:.---2---..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : *************************************..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : ***********************************..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : Starting NGL..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..06-10-2023 10:08:42:.Closing File..06-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\21135ec1-fe14-4f7a-8322-ccc7d4014a1c.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 57837
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:
MD5:	D58D391C331C4E566606AD39E9A93933
SHA1:	172367AC50DF737EC4D7BF25909F7863E23EA206
SHA-256:	73EF6876EADF4905CF44BA1C4F38BE86F0B9E9B8BA3AE38319D3B40E46E78BD6
SHA-512:	53B0BE1C6974495103B0FB1DA8757DA46837FA24A05C8226FA32095F31D946CA1219D265E1A8BDB12AF9B1F8D3343820F1AD3699CE0F7AC42A0995A7B023B2D0
Malicious:	false
Reputation:	unknown
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\783fe5c7-b65c-4edc-a001-899d0254af22.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Reputation:	unknown
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\81b68bf7-3f9b-4540-84db-b22da5529d51.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:
MD5:	8B9FA2EC5118087D19CFDB20DA7C4C26
SHA1:	E32D6A1829B18717EF1455B73E88D36E0410EF93
SHA-256:	4782624EA3A4B3C6EB782689208148B636365AA8E5DAF00814FA9AB722259CBD
SHA-512:	662F8664CC3F4E8356D5F5794074642DB65565D40AC9FEA323E16E84EBD4F961701460A1310CC863D1AB38849E84E2142382F5DB88A0E53F97FF66248230F7B9
Malicious:	false
Reputation:	unknown
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\935e333c-fa7a-4126-9ebc-4408f5ae2481.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Reputation:	unknown
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Windows\Installer\MSI429E.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	850392
Entropy (8bit):	6.206852111668413
Encrypted:	false
SSDEEP:
MD5:	02BF4F9572D87DB0A85662B792E0D3FE
SHA1:	A7E2CF47C9EC8A812457055DE5CBB92E230AC14B
SHA-256:	0D94E8ED592846BA7B7D035F08D753BB89514D230AD0B494E50D86DD5220AB34
SHA-512:	5CCEC1878AC317AC9CBE8E108CB3F85DBAD9688F9010319079A9F8EB43050A72D4A43EE8E53C773FE85AE4B68FA6DF7D3DC75E2E023A584967837622FCD9E0A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......-8..iYmIiYmIiYmI21nHbYmI21hH.YmI.6.IhYmI.-hH9YmI.-iH{YmI.-nHeYmI21iH}YmI21kHhYmI}2lHkYmI.-hHcYmI...IkYmI21lHzYmIiYlIpXmI.-dHdYmI.-mHhYmI.-.IhYmIiY.IhYmI.-oHhYmIRichiYmI........................PE..d......d.........." .....2...................................................@............ A........................................0<.......J....... ..........lQ.......)...0..T.......p.......................(.......8............P..X............................text...L0.......2.................. ..`.rdata.......P.......6..............@..@.data...t5...p.......L..............@....pdata..lQ.......R...f..............@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc..T....0......................@..B........................................................................................................................................

C:\Windows\Installer\MSI43CA.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	530392
Entropy (8bit):	6.45816181579208
Encrypted:	false
SSDEEP:
MD5:	063D4491FF8D8146B167EE4B24E304FC
SHA1:	D7178B029828DB23A115D224DCA3130B7ED9537B
SHA-256:	0A100DC7F447CC980491199F5D0583FA7D44D8FE7A1632482567C617F10FE54D
SHA-512:	834ADB66F6E12D9DE5AEDE21EFF716EE6893B9F168FBE835AD6FD7434800CF2C38B9ACA555C828041E07F866D12684536ACF996A82E11C53B48ABF6A005F0CD8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......{. .?.N.?.N.?.N.+.J.4.N.+.M.:.N.+.K...N...K...N...J.0.N...M.6.N.I.5.=.N.+.O.2.N.?.O...N...K.<.N...N.>.N....>.N.?...>.N...L.>.N.Rich?.N.........................PE..d...g..d.........." ..... ...................................................P............ A.........................................q......\r.......0...........T.......)...@..........T...........................@...8............0...............................text............ .................. ..`.rdata..pQ...0...R...$..............@..@.data...h)...........v..............@....pdata...T.......V..................@..@_RDATA....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................

C:\Windows\Installer\MSI446B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	497112
Entropy (8bit):	6.438361119688651
Encrypted:	false
SSDEEP:
MD5:	4F89DA665E512350058C520174611135
SHA1:	0A4720B834E50D7DBB850F112E322D6FC64334B1
SHA-256:	EC2FF4D9ABD96A9E42E01DD98BDEFF390C05729FAC3FEE50AEB6D88398B1E653
SHA-512:	981DB94F68C3366909CA1D032E622C53420B1E9AF81BD2C30F8482082DE4539F269AC87D67AFBDC890AE2096CFF0CD3A4F1EDF0EE0D98767FC7330425D9E3BCB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6qS.X"S.X"S.X"G.\#X.X"G.[#V.X"G.]#..X"..]#p.X"..\#C.X"..[#Z.X"G.Y#Y.X"%z#"P.X"S.Y"..X"..]#W.X"..X#R.X"..."R.X"S.."R.X"..Z#R.X"RichS.X"........PE..d......d.........." .................h..............................................\|h.... A.................................................................@...S...l...)......(.......T...............................8...............8............................text...p........................... ..`.rdata...G.......H..................@..@.data...x)..........................@....pdata...S...@...T..................@..@_RDATA...............Z..............@..@.rsrc................\..............@..@.reloc..(............b..............@..B........................................................................................................................................................................................

C:\Windows\Installer\MSI448B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	211408
Entropy (8bit):	6.337608794464878
Encrypted:	false
SSDEEP:
MD5:	0FB71A79C1269E2BA50FB92EB92866D6
SHA1:	7292A917707D174F7F98BBCD7E248000EBCFE9E0
SHA-256:	E9E4ADFA160CE9BBEDA6A083C42562FDB33A8C9261F85EDC682528333813B7B6
SHA-512:	0C2E80768302FB009298B288B06BB9E62DB91FBD04163F0FAD707F9CC84445985CF811839A6C6CF022817F4405276B63B7BA46C5C67E24FD5A90CF976FFD4144
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3.O.w.!.w.!.w.!.c.%.\|.!.c.".r.!.c.$...!...$.T.!...%.x.!...".~.!..cZ.u.!.c. .\|.!.w. ...!...$.r.!...!.v.!.....v.!.w...v.!...#.v.!.Richw.!.........PE..d...=^.c.........." .................v.......................................`............ A........................................`...X............@..p................)...P...... ...T...............................8............ ...............................text............................... ..`.rdata....... ......................@..@.data...............................@....pdata..............................@..@_RDATA.......0......................@..@.rsrc...p....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................

C:\Windows\Installer\MSI44EB.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	498640
Entropy (8bit):	6.435753543146649
Encrypted:	false
SSDEEP:
MD5:	1566E699EE42EAA571700F3AD30B2DBA
SHA1:	D2B11F53310AD7118B6893C46EA815F9C7BF9CE2
SHA-256:	4BC5FC5CD0AE661B4FFE6AD9E12E55B233F471BA84F40CBA7BEB0CEA8822E831
SHA-512:	52F8B86486BC22198CDE10F91D4588A7A939580327E8BA03B254D5A2C915B039775AFE696FE2014AAECF83EF514D3123C6EC68244B40603AA5D980F7E4C1BA1B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................N.......N.......N................:..........:...L.......L.......L.,.......D.....L.......Rich............PE..d....].c.........." ...............................................................3_.... A.................................................................P...Q...r...)..............T...............................8............................................text.............................. ..`.rdata...S.......T..................@..@.data...H)... ......................@....pdata...Q...P...R..................@..@_RDATA...............`..............@..@.rsrc................b..............@..@.reloc...............h..............@..B........................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	454234
Entropy (8bit):	5.356169320473703
Encrypted:	false
SSDEEP:
MD5:	39D0F1FA0D64772942DD1783D1F6E883
SHA1:	B7123A964BFC8DF54D7ACF4902327B7A24F0D31C
SHA-256:	C53D9094E8354AD8B63D61322C7AC1B6EBFB2CDE14D6FB2BB746CD95456975FF
SHA-512:	D005DA7796A5658A39FBF3A70F3BC3FC7AF0533D864049AA5F057C23676D32D7E7C7C1108A77CCFD08FBEB43E44FB6117A28746008641DD1399D43438CA89E69
Malicious:	false
Reputation:	unknown
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

Static File Info

General

File type:	PDF document, version 1.5, 1 pages
Entropy (8bit):	7.966497397833544
TrID:	Adobe Portable Document Format (5005/1) 100.00%
File name:	PO24F1000015.pdf
File size:	73'139 bytes
MD5:	34f6e9b8e35c3602f279099544179bc8
SHA1:	68b6bd78e3fc3ff2ba3d2668d095680c0c45f8a1
SHA256:	ef34780835a3be619ab0fb920d8dc837a0107efc8b1e9bc847dd3ec67076db6d
SHA512:	2cf8ff16627594ece10ce5716b3b83bda7691e49725842591c733bdb7b31f384f117ba659765f51a0e4e2bda7e1488ae6eb36576f5c47b6e368ca3620d60ef3f
SSDEEP:	1536:UPwmFoOJy59cLWXpSd1jOmKH+BvtGx5YXHYyewszsnxQMWA3KfoqmCacCm1dW0XW:UouBg9cL5d+HeVuYHYyewsQnxQMWQco9
TLSH:	E863F152FDD564D9E3174A97332D308E800D7A86E0E910D5049C17CEB6CEF4AA8F7A1A
File Content Preview:	%PDF-1.5.%......1 0 obj.<</Filter [/FlateDecode]./Length 2 0 R >>.stream..x..Z.......p..7Y.V..$.\@3..."........ AF....\|}.)V....l.......,....,V.7.........Z~.lw...e..._.[K.{^><_....\|........$..........j....uK..<}sy...k..........m.....{...LhY...<..n[...o.3..

File Icon


Icon Hash:	62cc8caeb29e8ae0

Static PDF Info

General
Header:	%PDF-1.5
Total Entropy:	7.966497
Total Bytes:	73139
Stream Entropy:	7.995162
Stream Bytes:	67493
Entropy outside Streams:	5.237847
Bytes outside Streams:	5646
Number of EOF found:	1
Bytes after EOF:

Keywords Statistics

Name	Count
obj	38
endobj	38
stream	12
endstream	12
xref	1
trailer	1
startxref	1
/Page	1
/Encrypt	0
/ObjStm	0
/URI	0
/JS	0
/JavaScript	0
/AA	0
/OpenAction	0
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	0

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO24F1000015.pdf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Spreading

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF3e51bc.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\f62e09d5-2937-4d20-bc7b-a1c86896a239.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\f9215b4f-cddc-4741-81d6-28929296acec.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-240318161721Z-162.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

C:\Users\user\AppData\Local\Temp\MSId45ca.LOG

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-03-18 17-17-19-055.log

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

C:\Users\user\AppData\Local\Temp\acrocef_low\21135ec1-fe14-4f7a-8322-ccc7d4014a1c.tmp

C:\Users\user\AppData\Local\Temp\acrocef_low\783fe5c7-b65c-4edc-a001-899d0254af22.tmp

Windows Analysis Report
PO24F1000015.pdf