Windows Analysis Report
$DS_122189.pdf

Overview

General Information

Sample name:	$DS_122189.pdf
Analysis ID:	1430204
MD5:	cad17bf73508e70f9b340a734d60f4b5
SHA1:	cd2968de952f8af931938a0e1b31a86988fa8276
SHA256:	fa4c0ad480121283cfa6a970fc3e9314eb03538f91163612e31547bb3359ba90

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Monitors registry run keys for changes

Contains capabilities to detect virtual machines

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Classification

Signatures

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 104.72.156.136:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 104.72.156.136:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 104.72.156.136:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 104.72.156.136:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 104.72.156.136:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 104.72.156.136:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 104.72.156.136:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 104.72.156.136:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 104.72.156.136:443 -> 192.168.2.16:49707
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 192.168.2.16:49707 -> 104.72.156.136:443
Source: global traffic	TCP traffic: 104.72.156.136:443 -> 192.168.2.16:49707

Source: unknown	TCP traffic detected without corresponding DNS query: 104.72.156.136
Source: unknown	TCP traffic detected without corresponding DNS query: 104.72.156.136
Source: unknown	TCP traffic detected without corresponding DNS query: 104.72.156.136
Source: unknown	TCP traffic detected without corresponding DNS query: 104.72.156.136
Source: unknown	TCP traffic detected without corresponding DNS query: 104.72.156.136
Source: unknown	TCP traffic detected without corresponding DNS query: 104.72.156.136
Source: unknown	TCP traffic detected without corresponding DNS query: 104.72.156.136
Source: unknown	TCP traffic detected without corresponding DNS query: 104.72.156.136
Source: unknown	TCP traffic detected without corresponding DNS query: 104.72.156.136
Source: unknown	TCP traffic detected without corresponding DNS query: 104.72.156.136
Source: unknown	TCP traffic detected without corresponding DNS query: 104.72.156.136

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: classification engine

Classification label: sus22.winPDF@19/37@0/36

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6200

Source: C:\Windows\System32\Taskmgr.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-04-23 10-13-10-560.log

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\$DS_122189.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1848 --field-trial-handle=1556,i,4073988743436467059,12195474869354941781,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding D5C028F5C7F721BEBEA8911F8E426BFC
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown	Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
Source: unknown	Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1848 --field-trial-handle=1556,i,4073988743436467059,12195474869354941781,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown

Source: C:\Windows\System32\Taskmgr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09c5dd34-009d-40fa-bcb9-0165ad0c15d4}\InProcServer32

Source: C:\Windows\System32\Taskmgr.exe

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: $DS_122189.pdf	Initial sample: PDF keyword /JS count = 0
Source: $DS_122189.pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: $DS_122189.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Boot Survival

Monitors registry run keys for changes

Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Source: C:\Windows\System32\Taskmgr.exe	Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\Taskmgr.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process information queried: ProcessInformation

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.72.156.136	unknown	United States	3257	GTT-BACKBONEGTTDE	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
23.221.240.182	unknown	United States	8612	TISCALI-IT	false
107.22.247.231	unknown	United States	14618	AMAZON-AESUS	false

ID:	1430204
Product:	CloudBasic
Start time:	10:12:40
Start date:	23.04.2024
Sample:	$DS_122189.pdf
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	cad17bf73508e70f9b340a734d60f4b5
SHA1:	cd2968de952f8af931938a0e1b31a86988fa8276
SHA256:	fa4c0ad480121283cfa6a970fc3e9314eb03538f91163612e31547bb3359ba90
Filetype:	Adobe Portable Document Format (5005/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG	ASCII text	57E820204B59D414163BFF8B8228C92D	F367DE11FC36D2E3CED170FD797A6252FD45ED79	52E7C7954129D3F41F25497217BA36E3F0E8DA7282F463C529F709AF3E4848DB
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG	ASCII text	2B6025B053F506813CF6C6D9BF0AC4B6	89639B8A9F2F6EB7CE58374C1EB392B060C1C5A1	7182BB828033471C40C17875A1D7F8252666014B2A2BA074F65D6E439E4879E9
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)	JSON data	48F580637A10FBB69C0C270D0D1A27D8	989701C236B138B27EFC8D90E110DEC2EA094765	DEC75B40391B661DBFB207EE303308D3F79413354D9EEB5EB47B7DCD89774C52
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\d6d82c44-7576-4295-9646-f7b12d673735.tmp	JSON data	48F580637A10FBB69C0C270D0D1A27D8	989701C236B138B27EFC8D90E110DEC2EA094765	DEC75B40391B661DBFB207EE303308D3F79413354D9EEB5EB47B7DCD89774C52
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log	data	B072604024FE007D07B884C3CABD706D	2C7B21D2F644CF4063DAAD4E2758A18DE7D50DB2	D5949761D4E22E320CB49E0E39FD060ABEB8EFF55594375D3FC1364903C4E66B
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG	ASCII text	E72FA39EA10CE82B61860C340C9F69D7	83C0B844D0FD2F6CC6FA2AA2D507FDABEAA73DB2	18E3665390693105DAEE7A8FB5B395DE1A1039A52DF1EA6B372F4330D349D9B9
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-240423081312Z-161.bmp	PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54	CFB31DB14C1CA566154293E53215BDEF	F9C3E7CEACB9A5297CA88F04FF39501E4C2E4A5E	B04931F1ADDB13AA14E16410361E0B9CC8EB4FB1FC95ADD9432ECADBB88AAEE7
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages	SQLite 3.x database, last written using SQLite version 3040000, file counter 2, database pages 14, cookie 0x5, schema 4, UTF-8, version-valid-for 2	A4D5FECEFE05F21D6F81ACF4D9A788CF	1A9AC236C80F2A2809F7DE374072E2FCCA5A775C	83BE4623D80FFB402FBDEC4125671DF532845A3828A1B378D99BD243A4FD8FF2
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal	SQLite Rollback Journal	0C1CE16F9BC9701A4661184614AC99A2	F3A8D1460382EA47C5A547A5FC68E9145C48C642	2FF1A46537FFCD24B75D6D0DF3414D9C918FF110995052565CF439226CF60A3C
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6200	PostScript document text	94185C5850C26B3C6FC24ABC385CDA58	42F042285037B0C35BC4226D387F88C770AB5CAA	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)	PostScript document text	94185C5850C26B3C6FC24ABC385CDA58	42F042285037B0C35BC4226D387F88C770AB5CAA	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID	JSON data	45BFEED8E893721253B9B01D1A05E8F7	64EF957ADDC4878A7C18A668CCEF29AAABC7F35E	1767211F1E9AA39B1BE2E09FC049F423AB4C87A4D4613252AB2A2E83011A3CCE
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface	JSON data	04765562EDAD2F1B42C4C6690257A828	C275679F85901D448C906505F0C5D9B55F3F8E0E	07B2D8042EDADDEA0B8D0DB466290A1FCCDF32AB52581C6FF312BC973EAD380D
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface	JSON data	31BE602EFEEA682E0B3A104EF35DAF86	61C017C7F4FC328F27CF9A0B466E9C50F2B71B49	B4FD6A4A0FFC269D559BD7B94D4CB9FA67DEE90E6A99FE63E230EC9CE5416C18
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD	JSON data	BD7BCC7CF6E8CCEF48A570B2E611F147	1BC7FBBA4FFFF9E9E5594E3F8475F184015D0954	E7F9B402908B3C15B0A35E4331CAB147747F00BEC5F674FD84D26422AE9F4510
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner	JSON data	E8C02DC81071FE73738DF601527FFBBA	AF95B32E52778E3C5A0C320C3B01A53CDDFE682B	77ABA45653A693E7AA4000EE7FFDE47C11628EF9E6D1820E9BB05FEFF46D311B
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner	JSON data	C81F9ACAB1E783C06A2E4CA04720674D	B1588A1A5FEDBE0D16D8186F7EE4C98E75A44928	8C79B6784E5DF5FC7B831105A523F3608634B8591AA9DB7515A5A6C12E03A0CA
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention	JSON data	FBEAAFD7E90D74745E68AAEB4ADB5CA3	74D45A3408CB6C1C9BD5D7020AEDB1B04B488A11	A71232FDAF02A46FE7D7EC6AD37BF807280483CBDB8A9C8E86363E8616BC37E1
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner	JSON data	7B639DE4286019DF422BEAF6EFADD695	88430B5050149E3200C08BEEFDC7E5463DCE67CD	6D41110E9F2389714C6EB3200B1C5350CAF50DEAC6F7DC36E9DCBC2A58532349
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner	JSON data	449598FDD35878E5EFAFABF9D30A1240	6F64EB3FBAB12650F18A89846A94091C0CA30D93	94468833EEE3759E702FD351AA22ECE38DE72AFF6D776482D7F41B02E83E2649
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner	JSON data	82C8A2490A8F6C1EC0CFF491FB32CDA5	BFAB10A46C54D31AB81D0C41CBCE2CCE82C367ED	4CC3A1394E18D0F1BEFA576F67A78ADC7F6E016432D87A2310685838CDB6CDDE
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner	JSON data	4D2FA9EB80F2F476DB13325E1BB1081F	D367F63666B1A0A18BDF11B05B4D6FB3DB8C2559	0962DC2D769CD2EF4131303498285A56F5DC619A7BBCB1EB8B30645AC801525C
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner	JSON data	7B8A5F2D8D9CEEE7B18D57C50795DEEB	5F770381E22E4196941B9E9C9B2CADBA35C1E49B	88757DB1B6F732C43BF3BF7A55DDE682D55A0D1178E536A20FE4B2158198F439
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention	JSON data	428A190701C77BD0D3B470DC6E16F58E	E7A9C546A83BD39FE7AB9602029B274F7214F3F9	94490A834EA2CA041DFFDC4E82460E2E2B838A4ECBB2C236973B03986FA12836
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner	JSON data	CA94631A9565C30ADF4213B06981B1CC	2037B09CFD827B28A6B6A12E03167315E61BFC46	6634AFDD917882D4AC5DF9EF9BD80E291C071A14A43D9C184E4BA2EEA619D17A
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards	JSON data	7A86793E39ABBEC8A7861BFBB0ED8B8C	E8A2BC6A3C5619E537766376E5BD1E829688918D	8D6577E9BB1D17BC331C7E2C62E82DA5F61F707A4EDF872D5352812E9F63DC2B
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020	JSON data	4A53C43FD28550821CF35D17A0D3DEAE	647331CA1B4710EF86DBC3439F03FD9520AD4998	4F8952E5F233F7DF168E9BA395A2E004A7184E29A84E5850CB8C9D5E974B9288
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING	data	DC84B0D741E5BEAE8070013ADDCC8C28	802F4A6A20CBF157AAF6C4E07E4301578D5936A2	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json	JSON data	739396893CA2916FE946C1F4DFC27780	67237F0CB1FA07395B3C7B99FDD84C9816A9F07A	548F151C09ACDAC38F7394C5393C805B68AD89ECAF4E96BCC65FCBDE73273AB3
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents	SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19	931A44B647328060005DFAA3A120A8BC	947BA86665F262F9397230E180C2DEF550BB3F9F	B6F090A35BA49633F42B5F1E3BAB2A888FE092BACE1AB2C2C17D932E08775607
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal	SQLite Rollback Journal	C2ED107C309F20F0C0BFCD9FFB11BED1	38ED608CC271995183611849AC2C4E5462532545	561E24A2470E4B33B0F274B155EC318F663E651E0E4AE96E373599A2871737EE
C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock	ASCII text, with no line terminators	F49655F856ACB8884CC0ACE29216F511	CB0F1F87EC0455EC349AAA950C600475AC7B7B6B	7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
C:\Users\user\AppData\Local\Temp\MSIf004d.LOG	Unicode text, UTF-16, little-endian text, with CRLF line terminators	84014AA643EFB29C45D8642746A8CBB0	E84040786487F16E005AD6D9F684F8CF646CDDCC	DE5F2E402C059CD5E533FE0B2B4731956349299E6D216C5ADA1766BEEC171E96
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-04-23 10-13-10-560.log	ASCII text, with very long lines (393)	91F06491552FC977E9E8AF47786EE7C1	8FEB27904897FFCC2BE1A985D479D7F75F11CEFC	06582F9F48220653B0CB355A53A9B145DA049C536D00095C57FCB3E941BA90BB
C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt	ASCII text, with CRLF line terminators	2ACA4BD181851A7E49A932358E22ABCE	57C8A71F739312B8672A6E6C13B5ACE8EE3ED2F0	E404DBAE4C4A4C0599C8675A5AB22237D5F950575D39D70E19D082315E113D5C
C:\Users\user\AppData\Local\Temp\acrocef_low\0c9825f3-29eb-4c77-824b-7c2acb60e301.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022	5C48B0AD2FEF800949466AE872E1F1E2	337D617AE142815EDDACB48484628C1F16692A2F	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
C:\Users\user\AppData\Local\Temp\acrocef_low\47b4610a-c661-4adb-b0cd-52aeee7ca86f.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538	3A49135134665364308390AC398006F1	28EF4CE5690BF8A9E048AF7D30688120DAC6F126	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
C:\Users\user\AppData\Local\Temp\acrocef_low\56f4097c-c06c-453a-bafa-5051dc5285ea.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142	1A39CAAE4C5F8AD2A98F0756FFCBA562	279F2B503A0B10E257674D31532B01EA7DE0473F	57D198C7BDB9B002B8C9C1E1CCFABFE81C00FE0A1E30A237196A7C133237AA95
C:\Users\user\AppData\Local\Temp\acrocef_low\7ef97469-ea4a-49ba-8dd3-032afbd2a507.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081	22B260CB8C51C0D68C6550E4B061E25A	DF9A5999C58A8D5ADBB3F8D1111EAB9E4778637E	DAB1231CC22DAB591EBB91C853E3EE41C10D3DA85D2EFAB67E9A52CCB3A3A5A0

Windows Analysis Report
$DS_122189.pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

Software Vulnerabilities

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Contacted Public IPs

Windows Analysis Report $DS_122189.pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

Software Vulnerabilities

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Contacted Public IPs

Windows Analysis Report
$DS_122189.pdf