Edit tour

Windows Analysis Report
MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625.zip

Overview

General Information

Sample name:	MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625.zip
Analysis ID:	1545412
MD5:	b9fe5dd64557833ab6aa3e3cbfab4782
SHA1:	f0be7a5909244c3ee8c5df1d99809c27daed874d
SHA256:	de89081f9639e1dab76bab1741f77b79a956bff6e543e755500c0750f9255b2e
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

No high impact signatures.

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 6932 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

Acrobat.exe (PID: 6204 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625.zip\cmd_php.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

Acrobat.exe (PID: 2752 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625.zip\cmd_php.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

Acrobat.exe (PID: 3992 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625\cmd_php.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 4020 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 3532 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2164 --field-trial-handle=1560,i,5248332710442505347,10234146349127943590,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

Acrobat.exe (PID: 2292 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625\cmd_php.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: 31d95cbc-515a-44d1-93eb-3276eaf562b7.tmp.14.dr

String found in binary or memory: https://chrome.cloudflare-dns.com

Source: classification engine

Classification label: clean0.winZIP@22/19@0/0

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6388

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-30 09-30-36-674.log

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625.zip\cmd_php.pdf"
Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625.zip\cmd_php.pdf"
Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625\cmd_php.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2164 --field-trial-handle=1560,i,5248332710442505347,10234146349127943590,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625\cmd_php.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2164 --field-trial-handle=1560,i,5248332710442505347,10234146349127943590,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Rundll32	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://chrome.cloudflare-dns.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://chrome.cloudflare-dns.com	31d95cbc-515a-44d1-93eb-3276eaf562b7.tmp.14.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545412
Start date and time:	2024-10-30 14:28:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625.zip
Detection:	CLEAN
Classification:	clean0.winZIP@22/19@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625.zip

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.169145222454413
Encrypted:	false
SSDEEP:	6:64auWt+q2PRN2nKuAl9OmbnIFUt8v4QZmw+v4AVkwORN2nKuAl9OmbjLJ:6+HvaHAahFUt8vP/+vd5JHAaSJ
MD5:	CB1AE764340E39EC241A742E07FDCF88
SHA1:	5AD765B9C4AEFB03745E2842D74E25D41DA1BA89
SHA-256:	A2C398DF66F510BE021804AC3DC86DD8B389DF3E7DDDCA662B2451D5707F2F3A
SHA-512:	317FA9C11D858C7C85A6EB42F1D9CC8885CA05797F4803236827C2F21B92B751FCEE51B2D342CFE18B0437497C8D342944348DBA969B013ACFC7C05129EED217
Malicious:	false
Reputation:	low
Preview:	2024/10/30-09:30:37.428 1818 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/10/30-09:30:37.431 1818 Recovering log #3.2024/10/30-09:30:37.431 1818 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.169145222454413
Encrypted:	false
SSDEEP:	6:64auWt+q2PRN2nKuAl9OmbnIFUt8v4QZmw+v4AVkwORN2nKuAl9OmbjLJ:6+HvaHAahFUt8vP/+vd5JHAaSJ
MD5:	CB1AE764340E39EC241A742E07FDCF88
SHA1:	5AD765B9C4AEFB03745E2842D74E25D41DA1BA89
SHA-256:	A2C398DF66F510BE021804AC3DC86DD8B389DF3E7DDDCA662B2451D5707F2F3A
SHA-512:	317FA9C11D858C7C85A6EB42F1D9CC8885CA05797F4803236827C2F21B92B751FCEE51B2D342CFE18B0437497C8D342944348DBA969B013ACFC7C05129EED217
Malicious:	false
Reputation:	low
Preview:	2024/10/30-09:30:37.428 1818 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/10/30-09:30:37.431 1818 Recovering log #3.2024/10/30-09:30:37.431 1818 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	331
Entropy (8bit):	5.10232788959892
Encrypted:	false
SSDEEP:	6:64hGSVq2PRN2nKuAl9Ombzo2jMGIFUt8v4agZmw+v45Av3AIkwORN2nKuAl9OmbX:6MGOvaHAa8uFUt8v6/+vQc5JHAa8RJ
MD5:	DCE23E6FB17813C7605BD56E047C62B0
SHA1:	46175CBDEF2FB1234CA01DBF17DC60677213D8C9
SHA-256:	A4CF1CB3B95ECDB96F65E55E9B48CF1E6E2A7B9AA531B2714422835EE7AE5C89
SHA-512:	6079ECFE4C74213E5A71D54719D78E592FD3B9F8974CE8171D362A7C66777C210A3ABF994F685905692FF6227B878FD9DF56BD2E185A8D771154E8837F6F741A
Malicious:	false
Reputation:	low
Preview:	2024/10/30-09:30:37.328 2e0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/10/30-09:30:37.334 2e0 Recovering log #3.2024/10/30-09:30:37.335 2e0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	331
Entropy (8bit):	5.10232788959892
Encrypted:	false
SSDEEP:	6:64hGSVq2PRN2nKuAl9Ombzo2jMGIFUt8v4agZmw+v45Av3AIkwORN2nKuAl9OmbX:6MGOvaHAa8uFUt8v6/+vQc5JHAa8RJ
MD5:	DCE23E6FB17813C7605BD56E047C62B0
SHA1:	46175CBDEF2FB1234CA01DBF17DC60677213D8C9
SHA-256:	A4CF1CB3B95ECDB96F65E55E9B48CF1E6E2A7B9AA531B2714422835EE7AE5C89
SHA-512:	6079ECFE4C74213E5A71D54719D78E592FD3B9F8974CE8171D362A7C66777C210A3ABF994F685905692FF6227B878FD9DF56BD2E185A8D771154E8837F6F741A
Malicious:	false
Reputation:	low
Preview:	2024/10/30-09:30:37.328 2e0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/10/30-09:30:37.334 2e0 Recovering log #3.2024/10/30-09:30:37.335 2e0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\31d95cbc-515a-44d1-93eb-3276eaf562b7.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	253
Entropy (8bit):	4.931682077316122
Encrypted:	false
SSDEEP:	6:YHpoueH2a9a1o3/QBR7Y53h6ubU74MS7PMVKJTnMRKXk1Yn:YH/u2caq3QYiubrP7E4TX
MD5:	13D631550B4C3B7AEA8FEECC637DA63F
SHA1:	500A24C412713ECFF2D755B7771603349CEB35FB
SHA-256:	18E4BA82B8C4D6FC312D5F960160169F03709BEDFBCF8E7619729DEFE6B5B17B
SHA-512:	0E311AF1AE9BE5C904CA0A218E39F6B13F7E428067FCC603C882B1258AAFBB642BA140F1EC2561063F4DA2D6D54BB40C2678BE888971405EF1A3185AD72A749A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.16","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	253
Entropy (8bit):	4.931682077316122
Encrypted:	false
SSDEEP:	6:YHpoueH2a9a1o3/QBR7Y53h6ubU74MS7PMVKJTnMRKXk1Yn:YH/u2caq3QYiubrP7E4TX
MD5:	13D631550B4C3B7AEA8FEECC637DA63F
SHA1:	500A24C412713ECFF2D755B7771603349CEB35FB
SHA-256:	18E4BA82B8C4D6FC312D5F960160169F03709BEDFBCF8E7619729DEFE6B5B17B
SHA-512:	0E311AF1AE9BE5C904CA0A218E39F6B13F7E428067FCC603C882B1258AAFBB642BA140F1EC2561063F4DA2D6D54BB40C2678BE888971405EF1A3185AD72A749A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.16","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4509
Entropy (8bit):	5.229526465288725
Encrypted:	false
SSDEEP:	96:OLSw0bSwIAnrRqLX2rSq1OUxu/0OZ0xRBTxekN8xeGS4usBXZ:OLT0bTIeYa51Ogu/0OZARBT8kN88GS4T
MD5:	CCB125AD3107EE716FCB080B899EA4F6
SHA1:	02E29C07F797165B5836DC628532609B82C1B683
SHA-256:	7CE049E3C4AE338A715391D8CCBC1CE25E4F3136EE4890E9160F03BCED4F503F
SHA-512:	9FA13C7E4D6C5EC6F5D510FA04E9FEC2E2355B6FFE993A47EEDF7965B7AFCC8756F2E5703836BBB30D0BD6DEFAECDDA75C14E46A028CF4F1F058F4160C9C7968
Malicious:	false
Preview:	*...#................version.1..namespace-e...o................next-map-id.1.Pnamespace-1d95df23_a38f_44a8_b732_4e62dd896a16-https://rna-resource.acrobat.com/.0y.S_r................next-map-id.2.Snamespace-2a884c18_b39c_4e3d_942f_252e530ca4bd-https://rna-v2-resource.acrobat.com/.16.X:r................next-map-id.3.Snamespace-2e78bfda_7188_4688_a4aa_1ff81b6e5eaa-https://rna-v2-resource.acrobat.com/.2.P.@o................next-map-id.4.Pnamespace-09c119c2_97bc_4467_8f67_f92472c9e5dc-https://rna-resource.acrobat.com/.346.+^...............Pnamespace-1d95df23_a38f_44a8_b732_4e62dd896a16-https://rna-resource.acrobat.com/....^...............Pnamespace-09c119c2_97bc_4467_8f67_f92472c9e5dc-https://rna-resource.acrobat.com/..?&a...............Snamespace-2a884c18_b39c_4e3d_942f_252e530ca4bd-https://rna-v2-resource.acrobat.com/_...a...............Snamespace-2e78bfda_7188_4688_a4aa_1ff81b6e5eaa-https://rna-v2-resource.acrobat.com/...o................next-map-id.5.Pnamespace-07af9ee9_2076_4f12_94b5_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	319
Entropy (8bit):	5.139656986309855
Encrypted:	false
SSDEEP:	6:64/3AVq2PRN2nKuAl9OmbzNMxIFUt8v4SgZmw+v4mFyAIkwORN2nKuAl9OmbzNMT:6UIvaHAa8jFUt8ve/+vJyD5JHAa84J
MD5:	DD7E91BD95155EB2120FCEFB3277EEE3
SHA1:	E28D65A1435C3925A5E845078597EACBB556DF2B
SHA-256:	1D4BA8736A22383CEC6EAFB4A09BB42E4BEE309D0A5E622A695957BF334CF9F1
SHA-512:	DDE465FFCD425A0A7BB58F52ECD571A42325CB83C2BDABA67D5C159675650C863D7918D56CC04D1A984AE72DC12577384F8CE8B25E0DD9DBA2069DB70C4F6B8F
Malicious:	false
Preview:	2024/10/30-09:30:37.457 2e0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/10/30-09:30:37.459 2e0 Recovering log #3.2024/10/30-09:30:37.460 2e0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	319
Entropy (8bit):	5.139656986309855
Encrypted:	false
SSDEEP:	6:64/3AVq2PRN2nKuAl9OmbzNMxIFUt8v4SgZmw+v4mFyAIkwORN2nKuAl9OmbzNMT:6UIvaHAa8jFUt8ve/+vJyD5JHAa84J
MD5:	DD7E91BD95155EB2120FCEFB3277EEE3
SHA1:	E28D65A1435C3925A5E845078597EACBB556DF2B
SHA-256:	1D4BA8736A22383CEC6EAFB4A09BB42E4BEE309D0A5E622A695957BF334CF9F1
SHA-512:	DDE465FFCD425A0A7BB58F52ECD571A42325CB83C2BDABA67D5C159675650C863D7918D56CC04D1A984AE72DC12577384F8CE8B25E0DD9DBA2069DB70C4F6B8F
Malicious:	false
Preview:	2024/10/30-09:30:37.457 2e0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/10/30-09:30:37.459 2e0 Recovering log #3.2024/10/30-09:30:37.460 2e0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6388

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	185099
Entropy (8bit):	5.182478651346149
Encrypted:	false
SSDEEP:	1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
MD5:	94185C5850C26B3C6FC24ABC385CDA58
SHA1:	42F042285037B0C35BC4226D387F88C770AB5CAA
SHA-256:	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
SHA-512:	652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	185099
Entropy (8bit):	5.182478651346149
Encrypted:	false
SSDEEP:	1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
MD5:	94185C5850C26B3C6FC24ABC385CDA58
SHA1:	42F042285037B0C35BC4226D387F88C770AB5CAA
SHA-256:	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
SHA-512:	652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	227002
Entropy (8bit):	3.392780893644728
Encrypted:	false
SSDEEP:	1536:gpKPliyzDtrh1cK3XEi3D7VX/3AYvYwgDbrioWiRn:OKP7t/3AYvYwg3OoWiRn
MD5:	1B4A6B2872F11257B284EB5163763DC3
SHA1:	8912645C0CA7C449BACD6EAE517D69CF920CC370
SHA-256:	7AAE5941ACEB26A15BF88B0B028E96B72185AD326821789725183B5D59921D24
SHA-512:	CE4CD01A92F54CAD98C6DA6BD15749D997033CDFF0B629A8EEBDAE71B4BBA44316CBE638EB837540F5DFF6098A94C718696C05BC40FB718162392DAD1254AF4D
Malicious:	false
Preview:	Adobe Acrobat Reader (64-bit) 23.6.20320....?A12_AV2_Search_18px.............................................................................................................KKK KKK.KKK.KKK.KKK.KKK.KKK@........................................KKK`KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.............................KKKPKKK.KKK.KKK.KKK.........KKKPKKK.KKK.KKK.........................KKK.KKK.KKK.KKK0....................KKK.KKK.KKK.KKK`....................KKK`KKK.KKK.............................KKK@KKK.KKK.....................KKK.KKK.KKK0................................KKK.KKK.....................KKK.KKK.....................................KKK.KKK.....................KKK.KKK.KKK0................................KKK.KKK.....................KKK`KKK.KKK.............................KKK@KKK.KKK.....................KKK.KKK.KKK.KKK@....................KKK.KKK.KKK.KKK`........................KKKPKKK.KKK.KKK.KKK.........KKKPKKK.KKK.KKK.KKK.............................KKK`KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK.KKK

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1969
Entropy (8bit):	5.059899173346649
Encrypted:	false
SSDEEP:	48:YOAiESbjWbj2CjxjZ4oijxi+0jPjrVbjBgajF:XXWP2ERaTx3y7BPBgMF
MD5:	0A4E7C0CD16C438CB87B9079E80142A4
SHA1:	8C89C16E412F45055044D24AAC6430577A6AF377
SHA-256:	45A8235893765617C7C472F4B332682B35D9284149B116A15D2B88E3C7579FEB
SHA-512:	86D6EF8C34E65733666BB93529807BB453CD94B9AAC50482CC48CF02FDD4820A9A49AAB3C35A576530635E46A6443A3843000C8466C9213DDAEB050A0E022BF4
Malicious:	false
Preview:	{"all":[{"id":"TESTING","info":{"dg":"DG","sid":"TESTING"},"mimeType":"file","size":4,"ts":1730295037000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"f44756c6e08822e64c0e471a2499e34d","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1696585148000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"e8f53b6740aba22a83a1a569cebedbcc","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696585148000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"ab062dea95f25ef019cc2f5f5f0121d4","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696583346000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"65580efad4bc88b91040ff50d71bfae9","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1255,"ts":1696583346000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"f8ce16c8d78d640728012d308f601433","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":1230,"ts":1696583346000},{"id":"DC_Reader_RHP_Banner","info":{"dg":

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.9877498827067648
Encrypted:	false
SSDEEP:	24:TLHRx/XYKQvGJF7urs67Y9QmQ6QeIk+YIcLESiAieQk+YF:TVl2GL7ms67YXtrXycI8rL
MD5:	5553CEC3E2B353FF8B5F2617900FE3EA
SHA1:	5B7CA9FA441E5AC9A9A4A672FD6C8FAFF03B178C
SHA-256:	DE292A36F8C03F84FE9FF04A540441779C476AE20DB72D82FF6655A7C0AA943E
SHA-512:	8C9264DB6F2300C10064B7047F4DB3A3D34E39D938D84C8C404CD5349E12C45D229C2766B81EA29C8C2D68CFA8CF5FA5903AC2CC33BD7063689730444D1327E5
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.34244395915766
Encrypted:	false
SSDEEP:	24:7+tQASY9QmQ6QeIk+Y7cLESiAi0mY9Q1qLBx/XYKQvGJF7ursP:7MQlYXtrXdcI8KYMqll2GL7msP
MD5:	CD5AF3F06B28F7A864CB582C31710968
SHA1:	C4AAC8F4BD96F5E2D5DE3BF0F5AE4EBF5E41DB1F
SHA-256:	17BB2E26E5EC5ABE7458CB962999031FB736A120E4F4699C83A7A0F1D019268F
SHA-512:	1082D302A4B384A79DCB6AEBFE6544CF5A410CF82326B80A5A455B63676E9650D5F1E55EC87DF714933458FEAA0333B44CDB95E222FB85FC7C3D7FD59715694F
Malicious:	false
Preview:	.... .c.....s.2C......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j...#..#.#.#.#.#.#.#.#.7.7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-30 09-30-36-674.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.353642815103214
Encrypted:	false
SSDEEP:	384:tbxtsuP+XEWJJQbnR8L31M7HeltV+KYm3wsa2KjF4ODkr/O8r2IUHUHMWwEyZRN2:aPL
MD5:	91F06491552FC977E9E8AF47786EE7C1
SHA1:	8FEB27904897FFCC2BE1A985D479D7F75F11CEFC
SHA-256:	06582F9F48220653B0CB355A53A9B145DA049C536D00095C57FCB3E941BA90BB
SHA-512:	A63E6E0D25B88EBB6602885AB8E91167D37267B24516A11F7492F48876D3DDCAE44FFC386E146F3CF6EB4FA6AF251602143F254687B17FCFE6F00783095C5082
Malicious:	false
Preview:	SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:072+0200 ThreadID=6404 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:072+0200 ThreadID=6404 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:072+0200 ThreadID=6404 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:073+0200 ThreadID=6404 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=ec4bacf2-5410-40d4-850b-5ac338f864f3.1696585143072 Timestamp=2023-10-06T11:39:03:073+0200 ThreadID=6404 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	16603
Entropy (8bit):	5.300851300165855
Encrypted:	false
SSDEEP:	384:BlIfAKN3u1YuA1kWw+lgRb0dRi7Dd/jR65ua845ENmA4GsOdloFXojoVE97Na/f/:QL5L
MD5:	4E39DCDA5BDCA6CC159676A6D505EA73
SHA1:	AC1F7B2917E0171BC37E45EDE57DD9612A6695FC
SHA-256:	8324979CFDFA42F4B07B251A93D467FE89EFE249033AF7381B386E922BF5E872
SHA-512:	66730875A99F28759ECC61EFB5EDBBD45C612F335418FD8459A7876B9ABFD6EB3C706D14FD5760CA5F76D342D0959D96813490A36C206ACC4310DB630665B769
Malicious:	false
Preview:	SessionID=b3db7005-63ab-4341-b65a-e0827bdab3b0.1730295036732 Timestamp=2024-10-30T09:30:36:732-0400 ThreadID=3364 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=b3db7005-63ab-4341-b65a-e0827bdab3b0.1730295036732 Timestamp=2024-10-30T09:30:36:733-0400 ThreadID=3364 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=b3db7005-63ab-4341-b65a-e0827bdab3b0.1730295036732 Timestamp=2024-10-30T09:30:36:734-0400 ThreadID=3364 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=b3db7005-63ab-4341-b65a-e0827bdab3b0.1730295036732 Timestamp=2024-10-30T09:30:36:734-0400 ThreadID=3364 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=b3db7005-63ab-4341-b65a-e0827bdab3b0.1730295036732 Timestamp=2024-10-30T09:30:36:734-0400 ThreadID=3364 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29845
Entropy (8bit):	5.418424485907533
Encrypted:	false
SSDEEP:	192:0cbgIhPcbocbAIlncb2cbwI/RcbNcbQIVvcbgcbWjI17cbL:fhWlA/TVd01w
MD5:	7175971369DF044A99104F396D0D0952
SHA1:	D26DFCAB07FD2AED54B5261A4AD61CF046586CEC
SHA-256:	A31EA6A60980554ED971982D76D3B3CBCA67352F2C87F72FB2DD9E3BB32C7C89
SHA-512:	0786496535596B819EB746888606989949B136A29CE0C3C7E9C407A8965ABD73C6797E29D5BBE6A346E27C76A392E1AB919794356C20A612D0386B143D359D7C
Malicious:	false
Preview:	06-10-2023 10:08:42:.---2---..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : *************************************..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : ***********************************..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : Starting NGL..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..06-10-2023 10:08:42:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..06-10-2023 10:08:42:.Closing File..06-10-

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	5.769747580394806
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625.zip
File size:	299 bytes
MD5:	b9fe5dd64557833ab6aa3e3cbfab4782
SHA1:	f0be7a5909244c3ee8c5df1d99809c27daed874d
SHA256:	de89081f9639e1dab76bab1741f77b79a956bff6e543e755500c0750f9255b2e
SHA512:	e579ec6f2196f72b4cf0d637e2d4fc9d363d6411aae6db1e37d81abb300e6de80c5010c5d2cb0770082ee3dadd29b6d8fb7e60c4be390f741b8210d8e947ba67
SSDEEP:	6:5jp4lTKifs720u0fJBZIuTtRdJqSi45LSU4lTx8ifougB+lz:5j2Bs207fr2undJL50BavBaz
TLSH:	BBE0C72811B1EBC8C4784A3C20C2F323E202CC2C412BA39F00C1AA42A8D21990C0225F
File Content Preview:	PK.........k^Y....k...\|.....$.cmd_php.pdf.. ..........G......G......G...*...wS....Y........tx2..\|..C.7......w^NC...UO...lp-.............^.......3..5tx..:.U.(.iw.Q...Tq...I!.E..Zre...PK..-........k^Y....k...\|.....$...............cmd_php.pdf.. ..........G

File Icon


Icon Hash:	1c1c1e4e4ececedc

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: rundll32.exePID: 6932, Parent PID: 804

General

Target ID:	0
Start time:	09:29:41
Start date:	30/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff699580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Acrobat.exePID: 6204, Parent PID: 4380

General

Target ID:	4
Start time:	09:29:58
Start date:	30/10/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625.zip\cmd_php.pdf"
Imagebase:	0x7ff79a4d0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Acrobat.exePID: 2752, Parent PID: 4380

General

Target ID:	10
Start time:	09:30:03
Start date:	30/10/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625.zip\cmd_php.pdf"
Imagebase:	0x7ff79a4d0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Acrobat.exePID: 3992, Parent PID: 4380

General

Target ID:	12
Start time:	09:30:33
Start date:	30/10/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625\cmd_php.pdf"
Imagebase:	0x7ff79a4d0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: AcroCEF.exePID: 4020, Parent PID: 3992

General

Target ID:	13
Start time:	09:30:36
Start date:	30/10/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff7224c0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: AcroCEF.exePID: 3532, Parent PID: 4020

General

Target ID:	14
Start time:	09:30:37
Start date:	30/10/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2164 --field-trial-handle=1560,i,5248332710442505347,10234146349127943590,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff7224c0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: Acrobat.exePID: 2292, Parent PID: 4380

General

Target ID:	15
Start time:	09:30:50
Start date:	30/10/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625\cmd_php.pdf"
Imagebase:	0x7ff79a4d0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\31d95cbc-515a-44d1-93eb-3276eaf562b7.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6388

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-30 09-30-36-674.log

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: rundll32.exePID: 6932, Parent PID: 804

General

Chronological Activities

Windows Analysis Report
MDE_File_Sample_3270b1f9ca6c8448d72a9b1a35ac804f0cae6625.zip