Windows Analysis Report
00. business card_Luca STRANIERO.pdf

Overview

General Information

Sample name:	00. business card_Luca STRANIERO.pdf
Analysis ID:	1431108
MD5:	8729536ff1fc73f263c67050fa1e9aaa
SHA1:	4b2445ddfdae6a556102f466d8dc51711b0c0bb9
SHA256:	0be36f317fbd8ac2ab33fd81020ce6d768ea60f0fbd850b12efbe42f26f71e39
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Contains long sleeps (>= 3 min)

IP address seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Classification

Signatures

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: chrome.cloudflare-dns.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 162.159.61.3 162.159.61.3

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: FullTrustNotifier.exe, 0000000D.00000002.1792383673.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppb2
Source: FullTrustNotifier.exe, 0000000D.00000002.1792383673.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: FullTrustNotifier.exe, 0000000D.00000002.1792383673.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS5
Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adob
Source: AdobeCollabSync.exe, 00000002.00000003.2474174803.0000022A37E9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io
Source: AdobeCollabSync.exe, 00000002.00000003.2474174803.0000022A37E9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schem
Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/bulk_entity_v1.json
Source: AdobeCollabSync.exe, 00000002.00000003.2400254283.0000022A37D1F000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2739231297.0000022A37EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/entity_v1.json
Source: AdobeCollabSync.exe, 00000002.00000003.2400254283.0000022A37D1F000.00000004.00000020.00020000.00000000.sdmp, EntitySync-2024-04-24.log.2.dr	String found in binary or memory: https://comments.adobe.io/sync/
Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/-
Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/b
Source: AdobeCollabSync.exe, 00000002.00000002.2895075237.0000022A35FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.iorobat.com1
Source: AdobeCollabSync.exe, 00000001.00000002.2895077233.000001DEFC3D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reviews.adobe.io
Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reviews.adobe.io153952.552:
Source: FullTrustNotifier.exe, 0000000D.00000002.1792383673.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443

Source: classification engine

Classification label: clean2.winPDF@40/55@1/1

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-04-24 15-39-27-473.log

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37C5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_revisions( content_item_revision_id TEXT PRIMARY KEY NOT NULL, cloud_etag TEXT DEFAULT NULL, cloud_version_id TEXT DEFAULT NULL, updated TIMESTAMP DEFAULT NULL, acl TEXT DEFAULT NULL, local_etag TEXT DEFAULT NULL, local_version_id TEXT DEFAULT NULL, request_id TEXT DEFAULT NULL, content_name TEXT DEFAULT NULL);
Source: AdobeCollabSync.exe, 00000002.00000003.2728708884.0000022A37D12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests;
Source: AdobeCollabSync.exe, 00000002.00000003.1667612689.0000022A37C72000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.1668010695.0000022A37C72000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.1668242366.0000022A37C73000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37C5F000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.1667423091.0000022A37C72000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.1668930216.0000022A37C6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE resources(rid integer not null primary key autoincrement, url text(512) not null unique, state integer not null default 0, lastsynchronized integer default 0, ttl integer not null default 3600, ttloverride integer default NULL, skiphours integer default 0, skipdays integer default 0, synchpriority integer not null default 0, synchretries integer default 0, flags integer default 0, contentsize integer default 0, cursyncetag text(128) default NULL, cursynclastmodi@;
Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: select rid, url, state, lastsynchronized, ttl, skiphours, skipdays, synchpriority, synchretries, flags, contentsize, cursyncetag, cursynclastmodified, cursynccontentsize, cursynctotalsynced, responsecode, hash, guid from resources where synchpriority< 50 and state !=0 and state !=5 and ttl!=2147483647 and flags & ? == 0 order by synchpriority asc limit ?quot;x-api-client-id":&quot61

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vccorlib140.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: appcontracts.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 00. business card_Luca STRANIERO.pdf	Initial sample: PDF keyword /JS count = 0
Source: 00. business card_Luca STRANIERO.pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: 00. business card_Luca STRANIERO.pdf

Initial sample: PDF keyword stream count = 63

Source: 00. business card_Luca STRANIERO.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: 00. business card_Luca STRANIERO.pdf

Initial sample: PDF keyword obj count = 66

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX

Contains long sleeps (>= 3 min)

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: AdobeCollabSync.exe, 00000004.00000002.1684521506.000002B29A1A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: AdobeCollabSync.exe, 00000003.00000003.1685308882.00000210F3F9B000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000003.00000002.1685924785.00000210F3F9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllOOt&P
Source: AdobeCollabSync.exe, 00000005.00000002.1705700117.000001DADE1D9000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000007.00000002.1727780487.000001F125DAB000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000007.00000003.1727363942.000001F125DAA000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000008.00000002.1725757020.0000019AF4809000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000009.00000002.1746771609.0000020E64AA8000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 0000000B.00000002.1766994449.000001DE917B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AdobeCollabSync.exe, 00000001.00000002.2894222228.000001DEFA4CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr
Source: AdobeCollabSync.exe, 00000002.00000002.2895075237.0000022A35EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll88
Source: AdobeCollabSync.exe, 00000006.00000002.1704612512.0000020796A58000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 0000000C.00000002.1765549351.000002C110CC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{
Source: AdobeCollabSync.exe, 0000000A.00000002.1745308289.000002AA6B608000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;;

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.61.3	chrome.cloudflare-dns.com	United States		13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
chrome.cloudflare-dns.com	162.159.61.3	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://chrome.cloudflare-dns.com/dns-query	false	URL Reputation: safe	unknown

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG	ASCII text	2EA689113B41DD00ED7694C177286975	A9C7DF1D1167B78D300E13BAE7DE43E49AB01CF9	89C39069F2B8875C00BC9A5C114C11AF6382617CDB1E680B2CB96FC7F8A743D7
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)	ASCII text	2EA689113B41DD00ED7694C177286975	A9C7DF1D1167B78D300E13BAE7DE43E49AB01CF9	89C39069F2B8875C00BC9A5C114C11AF6382617CDB1E680B2CB96FC7F8A743D7
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG	ASCII text	A59B09C0DFC8D9DCDEF6DB00F4ACDBF1	237F6CD5431BDA561B1E1A80EAC4CB17418A7901	94A80C444573DF0E6C5AC0C0BA229DE1672355ECB441760904BD8543BFF32845
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)	ASCII text	A59B09C0DFC8D9DCDEF6DB00F4ACDBF1	237F6CD5431BDA561B1E1A80EAC4CB17418A7901	94A80C444573DF0E6C5AC0C0BA229DE1672355ECB441760904BD8543BFF32845
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\10f8968e-3d20-4c2b-95e0-00ed24e7ef60.tmp	JSON data	CC2FA1965E16FDC471E1BE81537D481C	F9DE401524A1D8F0590417190844B0915AF3F7B2	72B7CE6A7A1686834855BCA0C1117795EDAD5BC7E67B39D871FB0545C0AC2377
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)	JSON data	CC2FA1965E16FDC471E1BE81537D481C	F9DE401524A1D8F0590417190844B0915AF3F7B2	72B7CE6A7A1686834855BCA0C1117795EDAD5BC7E67B39D871FB0545C0AC2377
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log	data	CE0425EA25046F8CC2AFE3ACD726D38E	07F281BC80945AFD7627E0031CC02CEF39D43C77	02000A5B10EAB2EC7A908FF5A7D1E2B1656EA8D4F072B3B429A5447F834216DA
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG	ASCII text	1B764CFAC0523B181D19B7743127AE31	C94D3564854CC20DCE168B60192D9A4F8D712D9A	EF5A3A6DCAE17D0AEC27BB180DC49D3E6D59BB98328C3F83E84F036E35FB68E7
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)	ASCII text	1B764CFAC0523B181D19B7743127AE31	C94D3564854CC20DCE168B60192D9A4F8D712D9A	EF5A3A6DCAE17D0AEC27BB180DC49D3E6D59BB98328C3F83E84F036E35FB68E7
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\80307f885d209ff3421f3adf000d6b1e.db	SQLite 3.x database, last written using SQLite version 3040000, writer version 2, read version 2, file counter 1, database pages 1, cookie 0, schema 0, unknown 0 encoding, version-valid-for 1	863BB379B267B2404CB64A3BC9B4A650	139EDCE2C64569B81175543D1DE743EF474F4432	F7C1BC02F430EBD015E45159D9FD9E18643C4CDCCBB7E7733A248C8393CAA88C
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\80307f885d209ff3421f3adf000d6b1e.db-journal	SQLite Rollback Journal	50AFF7E77F653FA57800013AAFCBFFC8	FD86AA62FD851981681844722D5941E9DB86AE11	F17A7C06BEA76F55341D866D78D18828936E3A15E23A2534DCC3D5D24A72832A
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\80307f885d209ff3421f3adf000d6b1e.db-shm	data	25A65E9D789AA0E76DCDB37354068C2E	7580A3D66291219E34323DD7AA6B8629909910D3	ABB8CB16D69D1BD42D12645DACD315E18F19AE1A4BC64902DFA6F9B50095A9D1
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Eureka\AcroCoreSync\Adobe\CoreSync\EntitySync\80307f885d209ff3421f3adf000d6b1e.db-wal	SQLite Write-Ahead Log, version 3007000	92188444A850CD77E4363956958D8DEE	F505AB9CAF2A0888B510757D258D03A873C7639D	F2694AEDCC8CB48289FB8150ECD53E7E897B0C1B5C653E96EA59BB4273A54883
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Eureka\AcroCoreSync\CreativeCloud\CoreSync\EntitySync-2024-04-24.log	ASCII text, with CRLF line terminators	8D4E77356FAC38402201E40BF0C53CA0	9EF2A3EBB12B71C3F83BDBA0754B9F032C6A884E	33FD726C99E06DFB049F023958D5770CB4A4A8EC197369F1167A2172C38C772A
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\RFL\LocalMapping\RFLDB230	SQLite 3.x database, last written using SQLite version 3040000, file counter 1, database pages 8, cookie 0x3, schema 4, UTF-8, version-valid-for 1	F391306DD8BAA3198B26D3C80A906E19	6CD1B24D186F1CC68BF9097177DA5676C4A56422	62604481C477AF3F8813122011B9CEC6DDEE9A3992F3FAFE236E3E92FC62E680
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\RFL\LocalMapping\RFLDB230-journal	SQLite Rollback Journal	77BF4BF5B17BDEA16C62128DD6D661F9	FCBCF8A242C895A077BF238588E232D631405C0C	5C8794A8A7A625AECB51488FFF9B9848132036FA13ABBEC806445A668E29ED57
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-240424133929Z-645.bmp	PC bitmap, Windows 3.x format, 164 x -106 x 32, cbSize 69590, bits offset 54	822879A103F26A8C0F80CBCDC7D829EF	7FE54B10A3CACE4E211B57C00BB46FE8BA209DE4	03F86B9F065EAF16E75CE45CAF74E44B622705BAECD2176AECACA051F352877D
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages	SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15	75A9C2BE9343BFF672FDDD4DAF3004E3	7854FE93157CAF9C447FB955E3AE9C7F14FB2710	A1FC6674E11FC1573A4C985D68574CB9C82B24D1C1EAA2A8DE1A194523D6E43A
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal	SQLite Rollback Journal	B6AAF89D79B70E4504C319BE1052CD12	739455415F582221C8E37CB4EB4D04CDC5AAA1EC	E5EC6EE7FFE7BBC3257ABD74CCA0D652356ED1FE9FE0786C7269B48C6ED0F945
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer	SQLite 3.x database, last written using SQLite version 3040000, file counter 1, database pages 23, cookie 0x11, schema 4, UTF-8, version-valid-for 1	DCD066A1C8CA38D94ACA4E5DF6CA20BF	0C670E7CB31FE1CFD952082C3629AD8861BFD799	E484D26709945669E18A3D0A7F95E3EA943D4170736EDD8FEDFE3F69A7B8D25E
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Reader\Synchronizer\metadata\Synchronizer-journal	SQLite Rollback Journal	0F9EA7DDD93720E0D4E3AE39388B490A	0E37EB142F1D0C282DCC49392AC6EBF979900B10	F5B9FB07163D54DE15D01FBB534C4FD6A17C5E707E560F98974330B309B29B9C
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7728	PostScript document text	94185C5850C26B3C6FC24ABC385CDA58	42F042285037B0C35BC4226D387F88C770AB5CAA	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)	PostScript document text	94185C5850C26B3C6FC24ABC385CDA58	42F042285037B0C35BC4226D387F88C770AB5CAA	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat	data	0F5BA36A39A7B94F676CBB19112CCB0A	64FD43A0D17337401895645D42C2502606832969	143AD347A543E2012B592CFE0DF0F675D1A33E269FBF341AF960210C363AA49D
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID	JSON data	DCC9901EC3D04FF30A43B80BAB49D8A0	F71CC5DE4486DD0987974C859222BA7B26666820	25E76E016A234AAAE00C84366029DABAAFD5250E69119D450E3221614D450E60
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface	JSON data	A04CDACC1C7D68B577B21D8DDEAF8245	EF3E047594436B548389501B74C7DF24BA9C93FB	41B9CF66A3D0666A9FE038C08328B8B082E68C459EA5E98A382214DD57ADBF37
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface	JSON data	2E9EDD1874BA83178E831508CCA91C71	7F72A5E36885D4B20E992E37CB4D77313E64BABD	7E7A3A0B6C30735EFCB7EC1B16FC5FB29990B323F08B4F96948A67C4CC48442F
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD	JSON data	55097347A8C0ADE6B1F6C50B0BFA3807	4D9428670E3A1F83BFE11D53D2627CAEE9DA9CF9	6FFF77BF0957E82CFA70671AF27ADA99D9EB042A0EFD1DF8F50645F3D27EE479
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner	JSON data	7337E497DB42084AF655CC6105096E70	AD2B0EF8A2C949C6C20EFD2959083501A8E506D0	FB1C4D5F2204A1ABBBE937D427393289506876116643850F575A3D0275266795
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner	JSON data	CD08F80A2CDA2CEB6A87C7E1DAE5A262	BF1DF3617D96C99FC1FDABBE566C4FDD76CC5993	00770B27AAE7FD3B69432CADFF9F9D1DDA9D7E9C737A32242E292489B21C549A
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention	JSON data	E89443BCF9B85E0866EBCF55CE31E5E1	2027008B16D296A166D5050CBD5F3B5FEAE4C7A7	07D085803D2B719F9531E0CD0EFE4B2A107D02B97DD93C21454D64ABAF2407E8
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner	JSON data	91EA2A282970EA6B8C3513CF962F781B	A5AE72B8BC6F507E37381A24A914BF457CCE7A44	096DC33CA2BA9886D86A8505A65499B847AFC52C99B386365CEF3E61130AA5B1
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner	JSON data	9384381140127FBB23B22A4E68459374	81C6DF839272DB7AE06C408CCECFABCC96340DD4	4C757F000B413C10D148B276EA01A224667C4817175097D58D5D24340F6654D5
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner	JSON data	CE7A1995443A8A5E8439A5E60296EF69	38B8CB83C2005DA6FE5DFEEA7BE4B4186FEEDA55	2E0A6E5DB10B2383CBDBE5063FFE9D188A8F6C40948F9E2C6FB5E8FEC40E4946
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner	JSON data	8165F0E0D711D2DABCF9527DD186AE75	0EBE4BB4016FDECA324BD13458AA601C8677F99F	CD78C0D9BCB374385C46C59A12ED87E9E94449EEA93DFD5CF3A0B6F427388D27
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner	JSON data	ACD61CC688D1644C2A457E0410E0922F	8A0C0CA6FF0A50B04BF55B9491C477947BE07E54	70D630BF1F0E7D075CEEE0C0047EF561652ABCDE947CD380A307FC7C5A4FF121
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention	JSON data	20FAE61E3ABB705FEA51BA55F9CC46A2	EC07F22B0E4851667352B2AD116FEFD18F63A8B1	76C957100CDC8250A516D02392CF5B4BC15315F0D72112ADC8CE506317A81729
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner	JSON data	5C6C49FF3FCA5E2D737B6A71C10241A0	83067FE6620115B077BB2F6074E36EE15F408188	8DDF072D9AC27E971A2FD318DEF35F6B98A722A7A8327DBE0D060491CEF122A5
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards	JSON data	C4E5A9E7254136E6D3CF2B9E1603E82E	D5A26CE88F9221D640B9B9F8D0A9E69E50DE7BCF	B8FE953F724194480031B1FAED0D08D915EDE38AA78593E86E8EE2F2C36D3B3C
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020	JSON data	7C671D67C5432FA88B63960B727A730D	9E91DB760F5DC16E64E743C763E6A8C1E2B868B8	B8CF47D95242F6003379BF3E7159D276B38984EBEDB87D5C6CD80B9973009091
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING	data	DC84B0D741E5BEAE8070013ADDCC8C28	802F4A6A20CBF157AAF6C4E07E4301578D5936A2	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json	JSON data	A892AE3A8C1CDC377780965144B31C66	DEE7BE5EDBF1741EEDBAE2CB015E15457CAFE041	9E03C8B26E8E41123DA110DECBF2F05CF887118FD93B1B1C828899C29F4086E6
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents	SQLite 3.x database, last written using SQLite version 3040000, file counter 30, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 30	2147356CACBE7289A8E2A9F67A3C7A84	781D0AF3A0E9692B1F668E114F0003A82798CECC	FD92A058CF6CD628A0BA62CB59DCBF0B106203ECEAF27B07B4754D15AD69016B
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal	SQLite Rollback Journal	AC78125C188A5580BFEB07F466B096A4	55BDD38A36925A8B72FD27D738C32BA43A54F5E6	DF6A87323EE36CCDEE777802B433F452F9131DCDE56E1F2A611B74396B1228E3
C:\Users\user\AppData\Local\Temp\MSI16d34.LOG	Unicode text, UTF-16, little-endian text, with CRLF line terminators	C1BCAC28172009DF06C5E628A45B9FE4	5A3A522343BB3AC5E9F5EDF9CEA7319DC2859A39	009E7AD133EA7668BFADD1817AA7402DA9768E6089F218315822D8010D9DC1EB
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-04-24 15-39-27-473.log	ASCII text, with very long lines (393)	8947C10F5AB6CFFFAE64BCA79B5A0BE3	70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778	4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log	ASCII text, with very long lines (393), with CRLF line terminators	FA485FDDADE4F01B7121E86895CB936E	B34A878A03D587CEC62844DEE969C7C01F15908D	C126373307FCE43F0533DCDE6D1AECB33E0D829F84BA86AE0FD4EE2F243B36CE
C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt	ASCII text, with CRLF line terminators	20587C92C1E127297E0B58D578E05133	6BFF446BC799A6D5CC4324F2EDA0300BFA90626E	96476D79F73E4F59625A815D52EF9F8939109BEFB0D5D32EDEE1DD49584458D9
C:\Users\user\AppData\Local\Temp\acrocef_low\6da33d09-8603-4fc2-b762-3712b3b00257.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538	3A49135134665364308390AC398006F1	28EF4CE5690BF8A9E048AF7D30688120DAC6F126	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
C:\Users\user\AppData\Local\Temp\acrocef_low\b68055ba-c295-47f8-8028-93cf53ec037f.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081	716C2C392DCD15C95BBD760EEBABFCD0	4B4CE9C6AED6A7F809236B2DAFA9987CA886E603	DD3E6CFC38DA1B30D5250B132388EF73536D00628267E7F9C7E21603388724D8
C:\Users\user\AppData\Local\Temp\acrocef_low\be6a46fb-c61c-4598-8e8f-50c663b3681a.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142	18E3D04537AF72FDBEB3760B2D10C80E	B313CD0B25E41E5CF0DFB83B33AB3E3C7678D5CC	BBEF113A2057EE7EAC911DC960D36D4A62C262DAE5B1379257908228243BD6F4
C:\Users\user\AppData\Local\Temp\acrocef_low\dedad9e8-40ea-4d5a-88c2-135cd69fa7ab.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022	5C48B0AD2FEF800949466AE872E1F1E2	337D617AE142815EDDACB48484628C1F16692A2F	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings	ASCII text	DD4A3BD8B9FF61628346391EA9987E1D	474076C122CACAAF112469FC62976BB69187AA2B	7C22C759CA704106556BBC4FC10B7F53404CA1F8B40F01038D3F7C4B8183F486
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\TMDocs.sav	data	5C6B932A79952B4B27833691305E61DB	09804DB0986A989C2C49CDCEA563567FB4C7B1A0	DEE5A5925227B125F4AC6D9B70A277E6EC8494FFC73D1CCE9E08CC7A78D6208A
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\TMGrpPrm.sav	data	6A614A7743B0C781AAECA60448E861D6	67B7DF5EBEB4527E4C31F3F9B7E52A0581DC4B6D	9703120DC62C2C3F843BAD5B1E77594682CA7820F0345AE0BBD73021C1427146

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: chrome.cloudflare-dns.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49740
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49741
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 162.159.61.3:443
Source: global traffic	TCP traffic: 162.159.61.3:443 -> 192.168.2.4:49744

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 162.159.61.3 162.159.61.3

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

Source: FullTrustNotifier.exe, 0000000D.00000002.1792383673.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppb2
Source: FullTrustNotifier.exe, 0000000D.00000002.1792383673.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: FullTrustNotifier.exe, 0000000D.00000002.1792383673.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS5
Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adob
Source: AdobeCollabSync.exe, 00000002.00000003.2474174803.0000022A37E9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io
Source: AdobeCollabSync.exe, 00000002.00000003.2474174803.0000022A37E9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schem
Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/bulk_entity_v1.json
Source: AdobeCollabSync.exe, 00000002.00000003.2400254283.0000022A37D1F000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.2739231297.0000022A37EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/entity_v1.json
Source: AdobeCollabSync.exe, 00000002.00000003.2400254283.0000022A37D1F000.00000004.00000020.00020000.00000000.sdmp, EntitySync-2024-04-24.log.2.dr	String found in binary or memory: https://comments.adobe.io/sync/
Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/-
Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/sync/b
Source: AdobeCollabSync.exe, 00000002.00000002.2895075237.0000022A35FE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.iorobat.com1
Source: AdobeCollabSync.exe, 00000001.00000002.2895077233.000001DEFC3D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reviews.adobe.io
Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37CED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reviews.adobe.io153952.552:
Source: FullTrustNotifier.exe, 0000000D.00000002.1792383673.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443

Source: classification engine

Classification label: clean2.winPDF@40/55@1/1

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-04-24 15-39-27-473.log

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37C5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_revisions( content_item_revision_id TEXT PRIMARY KEY NOT NULL, cloud_etag TEXT DEFAULT NULL, cloud_version_id TEXT DEFAULT NULL, updated TIMESTAMP DEFAULT NULL, acl TEXT DEFAULT NULL, local_etag TEXT DEFAULT NULL, local_version_id TEXT DEFAULT NULL, request_id TEXT DEFAULT NULL, content_name TEXT DEFAULT NULL);
Source: AdobeCollabSync.exe, 00000002.00000003.2728708884.0000022A37D12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests;
Source: AdobeCollabSync.exe, 00000002.00000003.1667612689.0000022A37C72000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.1668010695.0000022A37C72000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.1668242366.0000022A37C73000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37C5F000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.1667423091.0000022A37C72000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000002.00000003.1668930216.0000022A37C6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE resources(rid integer not null primary key autoincrement, url text(512) not null unique, state integer not null default 0, lastsynchronized integer default 0, ttl integer not null default 3600, ttloverride integer default NULL, skiphours integer default 0, skipdays integer default 0, synchpriority integer not null default 0, synchretries integer default 0, flags integer default 0, contentsize integer default 0, cursyncetag text(128) default NULL, cursynclastmodi@;
Source: AdobeCollabSync.exe, 00000002.00000002.2895596795.0000022A37D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: select rid, url, state, lastsynchronized, ttl, skiphours, skipdays, synchpriority, synchretries, flags, contentsize, cursyncetag, cursynclastmodified, cursynccontentsize, cursynctotalsynced, responsecode, hash, guid from resources where synchpriority< 50 and state !=0 and state !=5 and ttl!=2147483647 and flags & ? == 0 order by synchpriority asc limit ?quot;x-api-client-id":&quot61

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vccorlib140.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: appcontracts.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 00. business card_Luca STRANIERO.pdf	Initial sample: PDF keyword /JS count = 0
Source: 00. business card_Luca STRANIERO.pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: 00. business card_Luca STRANIERO.pdf

Initial sample: PDF keyword stream count = 63

Source: 00. business card_Luca STRANIERO.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: 00. business card_Luca STRANIERO.pdf

Initial sample: PDF keyword obj count = 66

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX

Contains long sleeps (>= 3 min)

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: AdobeCollabSync.exe, 00000004.00000002.1684521506.000002B29A1A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: AdobeCollabSync.exe, 00000003.00000003.1685308882.00000210F3F9B000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000003.00000002.1685924785.00000210F3F9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllOOt&P
Source: AdobeCollabSync.exe, 00000005.00000002.1705700117.000001DADE1D9000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000007.00000002.1727780487.000001F125DAB000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000007.00000003.1727363942.000001F125DAA000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000008.00000002.1725757020.0000019AF4809000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 00000009.00000002.1746771609.0000020E64AA8000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 0000000B.00000002.1766994449.000001DE917B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AdobeCollabSync.exe, 00000001.00000002.2894222228.000001DEFA4CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr
Source: AdobeCollabSync.exe, 00000002.00000002.2895075237.0000022A35EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll88
Source: AdobeCollabSync.exe, 00000006.00000002.1704612512.0000020796A58000.00000004.00000020.00020000.00000000.sdmp, AdobeCollabSync.exe, 0000000C.00000002.1765549351.000002C110CC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{
Source: AdobeCollabSync.exe, 0000000A.00000002.1745308289.000002AA6B608000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;;

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1431108
Product:	CloudBasic
Start time:	15:38:19
Start date:	24.04.2024
Sample:	00. business card_Luca STRANIERO.pdf
Cookbook:	defaultwindowspdfcookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	8729536ff1fc73f263c67050fa1e9aaa
SHA1:	4b2445ddfdae6a556102f466d8dc51711b0c0bb9
SHA256:	0be36f317fbd8ac2ab33fd81020ce6d768ea60f0fbd850b12efbe42f26f71e39
Filetype:	Adobe Portable Document Format (5005/1) 100.00%

Windows Analysis Report
00. business card_Luca STRANIERO.pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\00. business card_Luca STRANIERO.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7788
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7960
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=8068
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=8176
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7372
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7352
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe" GetChannelUri
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1732,i,15913500959655005552,13017635812736798014,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7788	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe" GetChannelUri	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7960	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=8068	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=8176	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7372	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe" -c --type=collab-renderer --proc=7352	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1732,i,15913500959655005552,13017635812736798014,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior

Windows Analysis Report 00. business card_Luca STRANIERO.pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
00. business card_Luca STRANIERO.pdf