Windows Analysis Report
I&A_mileageForm.pdf

Overview

General Information

Sample name:	I&A_mileageForm.pdf
Analysis ID:	1429077
MD5:	b568796cfd232fbac356dee878e8bfe5
SHA1:	4c4faf0406d299c7763f7e2c166a180f88fdb35b
SHA256:	625134da02fcda22e28fb938495e38717ddcf61df6df1f90cee39d712e3c0c9d
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Contains long sleeps (>= 3 min)

IP address seen in connection with other malware

PDF has an OpenAction (likely to launch a dropper script)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Classification

Signatures

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 52.5.13.197 52.5.13.197
Source: Joe Sandbox View	IP Address: 23.54.200.159 23.54.200.159

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: OPTIONS /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=US&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1Host: p13n.adobe.ioConnection: keep-aliveAccept: /Access-Control-Request-Method: GETAccess-Control-Request-Headers: x-adobe-uuid,x-adobe-uuid-type,x-api-keyOrigin: https://rna-resource.acrobat.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Mode: corsSec-Fetch-Site: cross-siteSec-Fetch-Dest: emptyReferer: https://rna-resource.acrobat.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=US&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1Host: p13n.adobe.ioConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Accept: application/json, text/javascript, /; q=0.01x-adobe-uuid: a4ecfc44-3976-4051-8c45-0a7e26b55a37x-adobe-uuid-type: visitorIdx-api-key: AdobeReader9sec-ch-ua-platform: "Windows"Origin: https://rna-resource.acrobat.comAccept-Language: en-US,en;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://rna-resource.acrobat.com/Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT

Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159

Source: global traffic	HTTP traffic detected: GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=US&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1Host: p13n.adobe.ioConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Accept: application/json, text/javascript, /; q=0.01x-adobe-uuid: a4ecfc44-3976-4051-8c45-0a7e26b55a37x-adobe-uuid-type: visitorIdx-api-key: AdobeReader9sec-ch-ua-platform: "Windows"Origin: https://rna-resource.acrobat.comAccept-Language: en-US,en;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://rna-resource.acrobat.com/Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT

Source: I&A_mileageForm.pdf	String found in binary or memory: http://www.aiim.org/pdfua/ns/id/
Source: FullTrustNotifier.exe, 00000010.00000002.1813207671.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: FullTrustNotifier.exe, 00000010.00000002.1813207671.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: FullTrustNotifier.exe, 00000010.00000002.1813207671.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSr
Source: AdobeCollabSync.exe, 00000002.00000002.2971304927.000002C527264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io
Source: AdobeCollabSync.exe, 00000002.00000002.2972363435.000002C529260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/s
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52906F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/bulk_entity_v1.json
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/e
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/entity_v1.json
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp, EntitySync-2024-04-20.log.2.dr	String found in binary or memory: https://comments.adobe.io/sync/
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/&u
Source: AdobeCollabSync.exe, 00000002.00000003.2716714595.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2350913944.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2297374515.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000002.2972363435.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2676306990.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2879713769.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2797758676.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2318202667.000002C52926C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/-
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/.esuser.
Source: AdobeCollabSync.exe, 00000002.00000003.2716714595.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2350913944.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2297374515.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000002.2972363435.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2676306990.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2879713769.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2797758676.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2318202667.000002C52926C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/0
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/0t
Source: AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/3
Source: AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/5
Source: AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/8
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/:t
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/Cu
Source: AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/D
Source: AdobeCollabSync.exe, 00000002.00000002.2972363435.000002C529260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/S
Source: AdobeCollabSync.exe, 00000002.00000003.2716714595.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2350913944.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2297374515.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000002.2972363435.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2676306990.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2879713769.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2797758676.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2318202667.000002C52926C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/Windows
Source: AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/e
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/ju
Source: AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/n
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/pi-clien
Source: AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/r
Source: AdobeCollabSync.exe, 00000002.00000002.2971304927.000002C527264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io28)
Source: AdobeCollabSync.exe, 00000001.00000002.2970690946.00000294587BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reviews.adobe.io
Source: FullTrustNotifier.exe, 00000010.00000002.1813207671.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/47

Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: classification engine

Classification label: clean3.winPDF@40/61@0/2

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\A9h8w0s7_1winam8_140.tmp

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C529039000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS resource_revisions ( revision_id TEXT PRIMARY KEY NOT NULL, rel_to_content_item TEXT NOT NULL, resource_type TEXT NOT NULL, media_type TEXT NOT NULL, locator TEXT NOT NULL, committed INTEGER NOT NULL, hashType TEXT DEFAULT NULL, hash TEXT DEFAULT NULL, storageSize INTEGER DEFAULT 0, width INTEGER DEFAULT 0, height INTEGER DEFAULT 0);
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C529039000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS resource_revisions ( revision_id TEXT PRIMARY KEY NOT NULL, rel_to_content_item TEXT NOT NULL, resource_type TEXT NOT NULL, media_type TEXT NOT NULL, locator TEXT NOT NULL, committed INTEGER NOT NULL, hashType TEXT DEFAULT NULL, hash TEXT DEFAULT NULL, storageSize INTEGER DEFAULT 0, width INTEGER DEFAULT 0, height INTEGER DEFAULT 0);G
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C529039000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE resource_revisions ( revision_id TEXT PRIMARY KEY NOT NULL, rel_to_content_item TEXT NOT NULL, resource_type TEXT NOT NULL, media_type TEXT NOT NULL, locator TEXT NOT NULL, committed INTEGER NOT NULL, hashType TEXT DEFAULT NULL, hash TEXT DEFAULT NULL, storageSize INTEGER DEFAULT 0, width INTEGER DEFAULT 0, height INTEGER DEFAULT 0));_
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C529039000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS sync_tokens ( content_item_id TEXT PRIMARY KEY NOT NULL, token TEXT DEFAULT NULL, last_sync_time TIMESTAMP DEFAULT NULL, device_mapping_id TEXT DEFAULT NULL);
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C5290AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests;
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C5290BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_resources ( content_item_revision_id TEXT NOT NULL, resource_revision_id TEXT NOT NULL, resource_id TEXT DEFAULT NULL, resource_cloud_etag TEXT DEFAULT NULL, resource_cloud_version_id TEXT DEFAULT NULL, resource_local_etag TEXT DEFAULT NULL, resource_local_version_id TEXT DEFAULT NULL, PRIMARY KEY (content_item_revision_id, resource_revision_id));
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: select rid, url, state, lastsynchronized, ttl, skiphours, skipdays, synchpriority, synchretries, flags, contentsize, cursyncetag, cursynclastmodified, cursynccontentsize, cursynctotalsynced, responsecode, hash, guid from resources where synchpriority< 50 and state !=0 and state !=5 and ttl!=2147483647 and flags & ? == 0 order by synchpriority asc limit ?=;~
Source: AdobeCollabSync.exe, 00000002.00000003.2716714595.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2350913944.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2297374515.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000002.2972363435.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2676306990.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2879713769.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2797758676.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2318202667.000002C52926C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE sync_tokens ( content_item_id TEXT PRIMARY KEY NOT NULL, token TEXT DEFAULT NULL, last_sync_time TIMESTAMP DEFAULT NULL, device_mapping_id TEXT DEFAULT NULL)T NULL, pending_request_created TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now', 'localtime')) NOT NULL, request_status TEXT DEFAULT "CREATED" NOT NULL, message TEXT DEFAULT NULL, status_code INTEGER DEFAULT -1 NOT NULL, device_mapping_id TEXT DEFAULT NULL, UNIQUE (content_item_id, request_type, request_status))UNIQUE (content_item_id, branch))<;~

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vccorlib140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: appcontracts.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: cdprt.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: cdp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: wldp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: umpdc.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: propsys.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: dsreg.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: onecoreuapcommonproxystub.dll

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: I&A_mileageForm.pdf	Initial sample: PDF keyword /JS count = 0
Source: I&A_mileageForm.pdf	Initial sample: PDF keyword /JavaScript count = 0
Source: A9h8w0s7_1winam8_140.tmp.0.dr	Initial sample: PDF keyword /JS count = 0
Source: A9h8w0s7_1winam8_140.tmp.0.dr	Initial sample: PDF keyword /JavaScript count = 0
Source: A913kty8z_1winama_140.tmp.0.dr	Initial sample: PDF keyword /JS count = 0
Source: A913kty8z_1winama_140.tmp.0.dr	Initial sample: PDF keyword /JavaScript count = 0

Source: I&A_mileageForm.pdf

Initial sample: PDF keyword stream count = 97

Source: I&A_mileageForm.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: I&A_mileageForm.pdf

Initial sample: PDF keyword /ObjStm count = 12

Source: I&A_mileageForm.pdf

Initial sample: PDF keyword obj count = 101

PDF has an OpenAction (likely to launch a dropper script)

Source: I&A_mileageForm.pdf

Initial sample: PDF keyword /OpenAction

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX

Contains long sleeps (>= 3 min)

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: AdobeCollabSync.exe, 00000001.00000002.2970690946.00000294586DC000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000003.00000002.1706311165.0000018B814C9000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000004.00000002.1705333970.000001BDE919A000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000005.00000002.1725526727.00000266248A8000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000006.00000002.1724500565.00000254CE199000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000007.00000002.1746043376.000001C70BEFA000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000008.00000002.1744578255.0000022C75698000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000009.00000002.1766045414.000002582199B000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000009.00000003.1765630948.000002582199A000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 0000000A.00000002.1764877053.0000023B81588000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AdobeCollabSync.exe, 00000002.00000002.2971304927.000002C527208000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 0000000C.00000002.1785175847.000001D0A6028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{
Source: AdobeCollabSync.exe, 0000000B.00000002.1786467257.000001AF4C688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllgg

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.5.13.197	unknown	United States		14618	AMAZON-AESUS	false
23.54.200.159	unknown	United States		16625	AKAMAI-ASUS	false

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG	ASCII text	6322022EE3DD97FD8D8ADA9C95A5B50E	6BC822898CA5AF4F435FB14063985A0F77BF2AD8	4701035F5CA29ABB9F1B281CE580E619B19098E1B028C5C9EDB7030CCAF350B7
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)	ASCII text	6322022EE3DD97FD8D8ADA9C95A5B50E	6BC822898CA5AF4F435FB14063985A0F77BF2AD8	4701035F5CA29ABB9F1B281CE580E619B19098E1B028C5C9EDB7030CCAF350B7
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG	ASCII text	30F615F36481456ADD980387D1986D3B	E50D504834EEB059792C652BC447DFB544A70D1E	CECCF8E0593219187BE3D0BCC02BEEDA9CC2F5E573BFB152094F6DE9C1F78A0E
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)	ASCII text	30F615F36481456ADD980387D1986D3B	E50D504834EEB059792C652BC447DFB544A70D1E	CECCF8E0593219187BE3D0BCC02BEEDA9CC2F5E573BFB152094F6DE9C1F78A0E
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\9e3c9560-4ba7-477e-8f52-1faf900f2741.tmp	JSON data	CA4A39EDA2CE4C5E54E7C21DFED12474	ADBAC989F03D511E0FF935497BBE0093749D7B97	ABA5FDC71103F69A78D1738B823208B432206059ABD3F4E9CF34A9E04B3DAF61
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)	JSON data	CA4A39EDA2CE4C5E54E7C21DFED12474	ADBAC989F03D511E0FF935497BBE0093749D7B97	ABA5FDC71103F69A78D1738B823208B432206059ABD3F4E9CF34A9E04B3DAF61
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log	data	AC47984606CA09E4B1A7DEAABE9828F3	605CD7E6757F31CE17387BA3BA96FD636F5BBB68	D851DA14C00406EA4118B6285562D4EB4569868CD87FEE90E70BFF55C534B0F0
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG	ASCII text	41260219F147821A0EB93DA474628FC7	B6C86BC3DD6F4C706B07C9E993EDD7E266C2F095	F04F16A97A57B5DBFDBB53509E21F0FDF5150EBB8695AAB7EB1D6C2010F03248
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)	ASCII text	41260219F147821A0EB93DA474628FC7	B6C86BC3DD6F4C706B07C9E993EDD7E266C2F095	F04F16A97A57B5DBFDBB53509E21F0FDF5150EBB8695AAB7EB1D6C2010F03248
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\80307f885d209ff3421f3adf000d6b1e.db	SQLite 3.x database, last written using SQLite version 3040000, writer version 2, read version 2, file counter 1, database pages 1, cookie 0, schema 0, unknown 0 encoding, version-valid-for 1	863BB379B267B2404CB64A3BC9B4A650	139EDCE2C64569B81175543D1DE743EF474F4432	F7C1BC02F430EBD015E45159D9FD9E18643C4CDCCBB7E7733A248C8393CAA88C
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\80307f885d209ff3421f3adf000d6b1e.db-journal	SQLite Rollback Journal	313473EDEC38417C49B6E71B30D03631	20CDE9646CA2F51FE5A7BBDF5A7D442DC7A04F8D	BFB7A77DE9A83E5615B40DCC3648827F019641A0C05677B1698CD3AA16A485FC
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\80307f885d209ff3421f3adf000d6b1e.db-shm	data	54954F3FF758D7E09E2CEA17214207B7	3D61AFBD96C6634A0C30E48804B69118E0BE0406	D662D9D7F738BEED162FF8510D919B9DE85808660A2CCDD9AFB21AC8FA0CD5ED
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\80307f885d209ff3421f3adf000d6b1e.db-wal	SQLite Write-Ahead Log, version 3007000	81DFE50F65AC4EEAEA6DDC594015248D	BE4A96780CA2BC021ED56FBCEFD41573F60E2E4C	FD4CAAC0D32ED94BD042131141FCD0526DEF11DC4BC2AAC342BA6FDA3BC1B8E6
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Eureka\AcroCoreSync\CreativeCloud\CoreSync\EntitySync-2024-04-20.log	ASCII text, with CRLF line terminators	38AE504E59136955422A804D0973A64F	4EAC82C57F60EC92C0F32F605F8FC3C1DC0104FB	8E135A7ED45648D41ED7D471A61164E600F1070E3B5FE32EECFBD6531891598E
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Eureka\AcroCoreSync\CreativeCloud\CoreSync\EntitySync-2024-04-21.log	ASCII text, with CRLF line terminators	31988E8AB69D330DCC4333F26EA98880	66AC8553B991B5CDCCF6A1A76D5A61F129BDCAE3	7AF776BF54FF3ADDBB9F4D1B0A9F7976CE9AD031EB00EEF181A0DDFB5B08DAFE
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Eureka\AcroCoreSync\CreativeCloud\CoreSync\EntitySync-2024-04-22.log	ASCII text, with CRLF line terminators	36CFE0A6C62C535A7D9DF41E208C2594	82715265AB3EFB22FD10FD93AED7E1B998D3F2FF	4200278C93E29ED6261C09FA9182E7B9D0D261711137E568ED37E415EF42FE00
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\RFL\LocalMapping\RFLDB230	SQLite 3.x database, last written using SQLite version 3040000, file counter 1, database pages 8, cookie 0x3, schema 4, UTF-8, version-valid-for 1	F391306DD8BAA3198B26D3C80A906E19	6CD1B24D186F1CC68BF9097177DA5676C4A56422	62604481C477AF3F8813122011B9CEC6DDEE9A3992F3FAFE236E3E92FC62E680
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\RFL\LocalMapping\RFLDB230-journal	SQLite Rollback Journal	A878E63ED339D5DD4610F63621E6B34C	8227BA90A3065E144637E3B03C4F44BC629D5991	B369BBA287E99CA6C5513971C5CE7EE46FA8EABBC2D39C557A4FC73EF29B5BBC
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-240420143044Z-639.bmp	PC bitmap, Windows 3.x format, 117 x -152 x 32, cbSize 71190, bits offset 54	9228E81137A0DD888F2A51969C52D9A8	1681E02D03A65137F6E817F073E179D6B05E2CC0	7B45B3153A7C5C6847613EBA60546D5D8AD381DC77C13B454CE91FE2B93916EB
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages	SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15	1BE35575AAC8E9DF164F3899FEA1BF21	D995D3F24D30316D3A7B04AE6429EED4F9FFC09D	840905BE0DB7CAD6115C87D2B69C050C167D4484064874320B657621110235F3
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal	SQLite Rollback Journal	0745D7F3A07F15E1734F1BA1CF997862	8B6ABBCA39625876553E399C309AB58B15EB0607	CE438F56476BB24664D3FA07F36DE5074C61DE79C1F9E9A82F125630CD21B153
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer	SQLite 3.x database, last written using SQLite version 3040000, file counter 1, database pages 23, cookie 0x11, schema 4, UTF-8, version-valid-for 1	DCD066A1C8CA38D94ACA4E5DF6CA20BF	0C670E7CB31FE1CFD952082C3629AD8861BFD799	E484D26709945669E18A3D0A7F95E3EA943D4170736EDD8FEDFE3F69A7B8D25E
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer-journal	SQLite Rollback Journal	6445A1EF229AC4EE281D2FEE004B1D54	4F65CFBD5603417D53A3DEFA21396694B177A4E3	F9BD7DC9A31F6D537077A1E56924E13B95BC14A7591D49B4C99C26A813CCCCB0
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.1440	PostScript document text	94185C5850C26B3C6FC24ABC385CDA58	42F042285037B0C35BC4226D387F88C770AB5CAA	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)	PostScript document text	94185C5850C26B3C6FC24ABC385CDA58	42F042285037B0C35BC4226D387F88C770AB5CAA	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat	data	7938102842DA76FBBAFB494874190C8C	906F05823571478195A00737B82A1281B04DC305	3C7EF06D6BBCA859833DAFBCECFFE16E53C1FEFD27120F0A65D66D6A94674664
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID	JSON data	CA3A914867C62696146B0887D12A4AB7	58A27983644762139276832F69D40F74ECF79292	D79DAC3A39C65689C3285EEB12E4617F06F0CFE739DE8E8A0C3A800F84105CE0
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface	JSON data	D4885F52A772B513E2611C32153A42DE	514A55004C28EDC94A171E5CE30741A0047FD19C	6DFBC99495597EF506E4D7F7B198E3EDA10D0EAFBAC83B5B33D796A92769B4A2
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface	JSON data	DBF3DBE2BBEC92DEF7D9C2F253477415	4E6DD9744425F7593D318FB5D99D1C0925005584	83522F95AFC51D396080375DE8B956C16A10DD5DC35D8033B5528ECBC8624B71
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD	JSON data	DCF5D8E969103520D01C9A38176B5F04	351DBDF5C7BD824683948080C9165ABDB1EA4565	74726173CA044E79BF9A6335580CFC316EDEEE6A8276E7D32E01481225F16419
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner	JSON data	8EE03C28DEE7D55DEA50426E9B7F3040	FEE05902C9D2DE33013EF9A53EC2EADDAE8EBE07	B9E943C363CB6895855DDA9AF376B288B7CB6E102AC7B359B3ED13EB4EEB6084
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner	JSON data	56F1E853689C1D2B6CFE93A1DDFBDFAB	E59969EF81D9D438FD1EC9A45B92269438D7C524	6DA98EA9BFF55FD7E9B9DE94E68DFD8719A7D712EDA609EC418F811FCB9B414E
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention	JSON data	A617E3F83538F1788775A36783984C2F	02E20AC6AB77A71E6EF0002B87F341E029251278	66BDC68160BA5FC8DA122C22F8774E49C144FF498B97D2647D0621ECAF799230
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner	JSON data	79F50581A725B3D4CD6492B30BA73449	DE7BB4AD4C052F6B6062266797BB47F17D559807	E70F8308A19A21B956A820E59623637DC36084870F95C67371FD027E4C1EEDB4
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner	JSON data	7CF3C50CA34631E2693A60AA8953E45F	DEF9A6012CB0C93957131CE23BE7FB4D320F4F15	83535E84F77D533D31F8B6C14DFFB77914F8692733A93B389D09408188AE13F0
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner	JSON data	F719FF88867F4AE3D9E271B625274D14	2940F7914F114FC902ADFBB55A513E469A61447D	5B9A05E137ACEDEBCE49937561D3EF493922E161DF79B9D0B259E52B877EFCFA
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner	JSON data	4F4E6B4D2683171750A8C6D75AAA1DEB	BA936117ACC5C70961844D55E0911A184D96CF42	28E29E778A98AEDD13570B9E6E6B98E5289D8303CD6204C847BF149333FAD068
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner	JSON data	502FCAD34B2ADC5EAD0B46053D7C3414	329320C922333F6D2BA1EB38A78A02F6C00A053D	E8FBDB2543E93E244DC470A2811617B3E50CB702F17E05291D2C4E6BAD217901
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention	JSON data	0C7FECE3E98C630CA722667BDD2DE214	B9ACA104753A09B75A45D8FDCAAD1050F8ED47B0	6356E787F413039F47EF49BF2E0FA275E2FC16C422D01DFC25ED6658ED331CE4
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner	JSON data	52F11E5112892AC6ADF272D9B2E16DE2	6952317DA952277ACEE89E7E7B5F56C1F99EEAB4	FDE6DB59B42D9F5608B9A846724EECECD9E52D59CA2C6AEC130C87A21099F74F
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards	JSON data	08F40DA913A618D3E5747EFB887234D8	E79B4D54ED4E2752E7A13CE2351856F427E3CDDF	A8443E88DC08AD03B173ADC6CB552BD7237272469B34F8F267FECF3D42E6878C
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020	JSON data	E10159B10A708B2C20208DA964E8C5B7	3BC9AFE906F18348F1463FC696AA9F43C912B544	A285F3B343826E3883AA05CA4589696F95FFC147CD4AFA61B889A94454EA8DD5
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING	data	DC84B0D741E5BEAE8070013ADDCC8C28	802F4A6A20CBF157AAF6C4E07E4301578D5936A2	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json	JSON data	9B48161B28B3F9E8B4F6E45E5894D6C9	4C6085F483F5C9350390327C4573762D105F3D67	E1F8BC835B7FED3314FFC0CED7B873305C69E316BE0A7473001A2F046D4B2810
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents	SQLite 3.x database, last written using SQLite version 3040000, file counter 30, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 30	DA4ACD4411691A799796659CF6D7DEF3	BB80F09DBE063F88C9A8F4F1DF6A1146B5C4146E	05045FA77C83E878EA2E27CC97CFB6ED3A71E6D2597F48B0F035985A19580EF1
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal	SQLite Rollback Journal	D71949411186C6B643E89A0267352E64	6E67F8395F78D17E17D4F7DAD35F47378100CF69	E233EBCEB58ED20452D43CE98F2376D5F75BADBE93DD5393807ADA6FCA7A0603
C:\Users\user\AppData\Local\Temp\MSIee400.LOG	Unicode text, UTF-16, little-endian text, with CRLF line terminators	818D18AC3DB93FA52BEAD1825CE5EC6C	5950B6E38A0D30D0184DAB880376B0E134EBBADF	45954769AB20B0D0F8BC8F23000A485CECE81289BAFB36678285F116A5006E3E
C:\Users\user\AppData\Local\Temp\acrobat_sbx\A913kty8z_1winama_140.tmp	PDF document, version 1.6, 0 pages	340166471EEE92CBE0E107A3B2B7CE53	6AAB7B186E17743814AEBDE9CA9F9837F2DAC03B	99775880B3A095F9CF878B376EE37E501735B8E60CAA079720E2EE597C4A4099
C:\Users\user\AppData\Local\Temp\acrobat_sbx\A918mvra3_1winam9_140.tmp	TrueType Font data, digitally signed, 25 tables, 1st "DSIG", 58 names, Unicode, \251 2017 The Monotype Corporation. All Rights Reserved.	73E8F40755D7CEA2720894C6586AAA43	F078A6015C664983172C86BB28175020654E4EEE	C78F9A4198762CCEF5CCCBF8E804F9241B24109D24BB934F02CD76A75F37F332
C:\Users\user\AppData\Local\Temp\acrobat_sbx\A91ntni4a_1winamo_140.tmp	data	44CB7CC7CADD525702D05857FD112189	A3BCD3134EFDCD21457D2E4B106F1EA69DF0D9DB	856B125CD77D6A7FFBD2FB78B5BF047B304C7474CE4CB8613BF7816E7BF38E66
C:\Users\user\AppData\Local\Temp\acrobat_sbx\A9h8w0s7_1winam8_140.tmp	PDF document, version 1.6, 0 pages	6FEC7E5DFC5AA3CBFDFC45D81ED95D0F	724C9CB496D7733AAC911A30E46616FFFF3D3B02	AAAC248D8CEAE541BFC159C4BBEE7C03CE767F8F63712513C07CB84D8151AE5F
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-04-20 16-30-42-889.log	ASCII text, with very long lines (393)	8947C10F5AB6CFFFAE64BCA79B5A0BE3	70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778	4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log	ASCII text, with very long lines (393), with CRLF line terminators	674D0517FC5159F124928CD4B0DF0653	CE82CD2D2127B807AE04FAA8686E39FDF4B2B0A4	B51C49CF309456444E68BE8521935D2BCC5C4B6DF4163B38BC1F7F3CB566DEE5
C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt	ASCII text, with CRLF line terminators	90E612273AD335E63D555F66B603454F	BAA166651EB99762AA7527F69EE401662FE971C8	A75FB7206406B94133088B131CC689ED512C958E2757F54CBA4B6DAFE65BE6A6
C:\Users\user\AppData\Local\Temp\acrocef_low\346c0aee-8634-40a9-9f3d-beb58f1294ef.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 921996	C14EBC9A03804BAB863F67F539F142C6	FD44F63771819778149B24DD4B073940F5D95BFA	A495629FA5E71EE50BB96F9C4CAEAC46E8B44BFC3F910A073348258F63DFAFCE
C:\Users\user\AppData\Local\Temp\acrocef_low\479c758e-0eaf-41c1-bae4-3e2fadc726fe.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081	A0CFC77914D9BFBDD8BC1B1154A7B364	54962BFDF3797C95DC2A4C8B29E873743811AD30	81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
C:\Users\user\AppData\Local\Temp\acrocef_low\8061cff2-101f-42d5-88d8-7d5187f20fcb.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142	FE1669C6A66EA60C977202606F8DA6DB	054250FECC9293AF02C8D8E6910134CD74BC3A23	B9BFC61A0E9F6D2FBAD4A401CBB676B9A300ECDE2357F73BFB62505216477D54
C:\Users\user\AppData\Local\Temp\acrocef_low\d512b327-69fd-4610-8fb6-0eb6cdc20fc1.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538	3A49135134665364308390AC398006F1	28EF4CE5690BF8A9E048AF7D30688120DAC6F126	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings	ASCII text	DD4A3BD8B9FF61628346391EA9987E1D	474076C122CACAAF112469FC62976BB69187AA2B	7C22C759CA704106556BBC4FC10B7F53404CA1F8B40F01038D3F7C4B8183F486
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\TMDocs.sav	data	5C6B932A79952B4B27833691305E61DB	09804DB0986A989C2C49CDCEA563567FB4C7B1A0	DEE5A5925227B125F4AC6D9B70A277E6EC8494FFC73D1CCE9E08CC7A78D6208A
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\TMGrpPrm.sav	data	6A614A7743B0C781AAECA60448E861D6	67B7DF5EBEB4527E4C31F3F9B7E52A0581DC4B6D	9703120DC62C2C3F843BAD5B1E77594682CA7820F0345AE0BBD73021C1427146

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49737
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 52.5.13.197:443
Source: global traffic	TCP traffic: 52.5.13.197:443 -> 192.168.2.4:49738
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 23.54.200.159:443
Source: global traffic	TCP traffic: 23.54.200.159:443 -> 192.168.2.4:49745

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 52.5.13.197 52.5.13.197
Source: Joe Sandbox View	IP Address: 23.54.200.159 23.54.200.159

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: OPTIONS /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=US&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1Host: p13n.adobe.ioConnection: keep-aliveAccept: /Access-Control-Request-Method: GETAccess-Control-Request-Headers: x-adobe-uuid,x-adobe-uuid-type,x-api-keyOrigin: https://rna-resource.acrobat.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Mode: corsSec-Fetch-Site: cross-siteSec-Fetch-Dest: emptyReferer: https://rna-resource.acrobat.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=US&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1Host: p13n.adobe.ioConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Accept: application/json, text/javascript, /; q=0.01x-adobe-uuid: a4ecfc44-3976-4051-8c45-0a7e26b55a37x-adobe-uuid-type: visitorIdx-api-key: AdobeReader9sec-ch-ua-platform: "Windows"Origin: https://rna-resource.acrobat.comAccept-Language: en-US,en;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://rna-resource.acrobat.com/Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT

Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159
Source: unknown	TCP traffic detected without corresponding DNS query: 23.54.200.159

Source: global traffic	HTTP traffic detected: GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=US&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1Host: p13n.adobe.ioConnection: keep-alivesec-ch-ua: "Chromium";v="105"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Accept: application/json, text/javascript, /; q=0.01x-adobe-uuid: a4ecfc44-3976-4051-8c45-0a7e26b55a37x-adobe-uuid-type: visitorIdx-api-key: AdobeReader9sec-ch-ua-platform: "Windows"Origin: https://rna-resource.acrobat.comAccept-Language: en-US,en;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://rna-resource.acrobat.com/Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT

Source: I&A_mileageForm.pdf	String found in binary or memory: http://www.aiim.org/pdfua/ns/id/
Source: FullTrustNotifier.exe, 00000010.00000002.1813207671.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: FullTrustNotifier.exe, 00000010.00000002.1813207671.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: FullTrustNotifier.exe, 00000010.00000002.1813207671.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSr
Source: AdobeCollabSync.exe, 00000002.00000002.2971304927.000002C527264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io
Source: AdobeCollabSync.exe, 00000002.00000002.2972363435.000002C529260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/s
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52906F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/bulk_entity_v1.json
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/e
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/entity_v1.json
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp, EntitySync-2024-04-20.log.2.dr	String found in binary or memory: https://comments.adobe.io/sync/
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/&u
Source: AdobeCollabSync.exe, 00000002.00000003.2716714595.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2350913944.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2297374515.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000002.2972363435.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2676306990.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2879713769.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2797758676.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2318202667.000002C52926C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/-
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/.esuser.
Source: AdobeCollabSync.exe, 00000002.00000003.2716714595.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2350913944.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2297374515.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000002.2972363435.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2676306990.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2879713769.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2797758676.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2318202667.000002C52926C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/0
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/0t
Source: AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/3
Source: AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/5
Source: AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/8
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/:t
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/Cu
Source: AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/D
Source: AdobeCollabSync.exe, 00000002.00000002.2972363435.000002C529260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/S
Source: AdobeCollabSync.exe, 00000002.00000003.2716714595.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2350913944.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2297374515.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000002.2972363435.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2676306990.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2879713769.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2797758676.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2318202667.000002C52926C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/Windows
Source: AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/e
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/ju
Source: AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/n
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/pi-clien
Source: AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/r
Source: AdobeCollabSync.exe, 00000002.00000002.2971304927.000002C527264000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io28)
Source: AdobeCollabSync.exe, 00000001.00000002.2970690946.00000294587BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reviews.adobe.io
Source: FullTrustNotifier.exe, 00000010.00000002.1813207671.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/47

Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: classification engine

Classification label: clean3.winPDF@40/61@0/2

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\A9h8w0s7_1winam8_140.tmp

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C529039000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS resource_revisions ( revision_id TEXT PRIMARY KEY NOT NULL, rel_to_content_item TEXT NOT NULL, resource_type TEXT NOT NULL, media_type TEXT NOT NULL, locator TEXT NOT NULL, committed INTEGER NOT NULL, hashType TEXT DEFAULT NULL, hash TEXT DEFAULT NULL, storageSize INTEGER DEFAULT 0, width INTEGER DEFAULT 0, height INTEGER DEFAULT 0);
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C529039000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS resource_revisions ( revision_id TEXT PRIMARY KEY NOT NULL, rel_to_content_item TEXT NOT NULL, resource_type TEXT NOT NULL, media_type TEXT NOT NULL, locator TEXT NOT NULL, committed INTEGER NOT NULL, hashType TEXT DEFAULT NULL, hash TEXT DEFAULT NULL, storageSize INTEGER DEFAULT 0, width INTEGER DEFAULT 0, height INTEGER DEFAULT 0);G
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C529039000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE resource_revisions ( revision_id TEXT PRIMARY KEY NOT NULL, rel_to_content_item TEXT NOT NULL, resource_type TEXT NOT NULL, media_type TEXT NOT NULL, locator TEXT NOT NULL, committed INTEGER NOT NULL, hashType TEXT DEFAULT NULL, hash TEXT DEFAULT NULL, storageSize INTEGER DEFAULT 0, width INTEGER DEFAULT 0, height INTEGER DEFAULT 0));_
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C529039000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS sync_tokens ( content_item_id TEXT PRIMARY KEY NOT NULL, token TEXT DEFAULT NULL, last_sync_time TIMESTAMP DEFAULT NULL, device_mapping_id TEXT DEFAULT NULL);
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C5290AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests;
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C5290BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_resources ( content_item_revision_id TEXT NOT NULL, resource_revision_id TEXT NOT NULL, resource_id TEXT DEFAULT NULL, resource_cloud_etag TEXT DEFAULT NULL, resource_cloud_version_id TEXT DEFAULT NULL, resource_local_etag TEXT DEFAULT NULL, resource_local_version_id TEXT DEFAULT NULL, PRIMARY KEY (content_item_revision_id, resource_revision_id));
Source: AdobeCollabSync.exe, 00000002.00000002.2971863917.000002C52908E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: select rid, url, state, lastsynchronized, ttl, skiphours, skipdays, synchpriority, synchretries, flags, contentsize, cursyncetag, cursynclastmodified, cursynccontentsize, cursynctotalsynced, responsecode, hash, guid from resources where synchpriority< 50 and state !=0 and state !=5 and ttl!=2147483647 and flags & ? == 0 order by synchpriority asc limit ?=;~
Source: AdobeCollabSync.exe, 00000002.00000003.2716714595.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2286813002.000002C529268000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2350913944.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2297374515.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000002.2972363435.000002C52926D000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2676306990.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2879713769.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2797758676.000002C52926C000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2318202667.000002C52926C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE sync_tokens ( content_item_id TEXT PRIMARY KEY NOT NULL, token TEXT DEFAULT NULL, last_sync_time TIMESTAMP DEFAULT NULL, device_mapping_id TEXT DEFAULT NULL)T NULL, pending_request_created TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now', 'localtime')) NOT NULL, request_status TEXT DEFAULT "CREATED" NOT NULL, message TEXT DEFAULT NULL, status_code INTEGER DEFAULT -1 NOT NULL, device_mapping_id TEXT DEFAULT NULL, UNIQUE (content_item_id, request_type, request_status))UNIQUE (content_item_id, branch))<;~

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vccorlib140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: appcontracts.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: cdprt.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: cdp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: wldp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: umpdc.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: propsys.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: dsreg.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: onecoreuapcommonproxystub.dll

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: I&A_mileageForm.pdf	Initial sample: PDF keyword /JS count = 0
Source: I&A_mileageForm.pdf	Initial sample: PDF keyword /JavaScript count = 0
Source: A9h8w0s7_1winam8_140.tmp.0.dr	Initial sample: PDF keyword /JS count = 0
Source: A9h8w0s7_1winam8_140.tmp.0.dr	Initial sample: PDF keyword /JavaScript count = 0
Source: A913kty8z_1winama_140.tmp.0.dr	Initial sample: PDF keyword /JS count = 0
Source: A913kty8z_1winama_140.tmp.0.dr	Initial sample: PDF keyword /JavaScript count = 0

Source: I&A_mileageForm.pdf

Initial sample: PDF keyword stream count = 97

Source: I&A_mileageForm.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: I&A_mileageForm.pdf

Initial sample: PDF keyword /ObjStm count = 12

Source: I&A_mileageForm.pdf

Initial sample: PDF keyword obj count = 101

PDF has an OpenAction (likely to launch a dropper script)

Source: I&A_mileageForm.pdf

Initial sample: PDF keyword /OpenAction

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX

Contains long sleeps (>= 3 min)

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: AdobeCollabSync.exe, 00000001.00000002.2970690946.00000294586DC000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000003.00000002.1706311165.0000018B814C9000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000004.00000002.1705333970.000001BDE919A000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000005.00000002.1725526727.00000266248A8000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000006.00000002.1724500565.00000254CE199000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000007.00000002.1746043376.000001C70BEFA000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000008.00000002.1744578255.0000022C75698000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000009.00000002.1766045414.000002582199B000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000009.00000003.1765630948.000002582199A000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 0000000A.00000002.1764877053.0000023B81588000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AdobeCollabSync.exe, 00000002.00000002.2971304927.000002C527208000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 0000000C.00000002.1785175847.000001D0A6028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{
Source: AdobeCollabSync.exe, 0000000B.00000002.1786467257.000001AF4C688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllgg

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1429077
Product:	CloudBasic
Start time:	16:29:32
Start date:	20.04.2024
Sample:	I&A_mileageForm.pdf
Cookbook:	defaultwindowspdfcookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b568796cfd232fbac356dee878e8bfe5
SHA1:	4c4faf0406d299c7763f7e2c166a180f88fdb35b
SHA256:	625134da02fcda22e28fb938495e38717ddcf61df6df1f90cee39d712e3c0c9d
Filetype:	Adobe Portable Document Format (5005/1) 100.00%

Windows Analysis Report
I&A_mileageForm.pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\I&A_mileageForm.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=6352
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7316
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7416
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7524
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7628
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7728
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1540,i,13543496977365774410,5141392604321544278,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe" GetChannelUri
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=6352	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe" GetChannelUri	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7316	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7416	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7524	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7628	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7728	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1540,i,13543496977365774410,5141392604321544278,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown

Windows Analysis Report I&A_mileageForm.pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Windows Analysis Report
I&A_mileageForm.pdf