32671411.pdf
This report is generated from a file or URL submitted to this webservice on February 4th 2018 05:46:27 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v7.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
- Writes data to a remote process
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 2
-
Installation/Persistence
-
Writes data to a remote process
- details
-
"RdrCEF.exe" wrote 32 bytes to a remote process "%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1280)
"RdrCEF.exe" wrote 52 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1280)
"RdrCEF.exe" wrote 4 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1280)
"RdrCEF.exe" wrote 84 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1280)
"RdrCEF.exe" wrote 54 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1280)
"RdrCEF.exe" wrote 12 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1280)
"RdrCEF.exe" wrote 16 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1280)
"RdrCEF.exe" wrote 164 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1280)
"RdrCEF.exe" wrote 88 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1280)
"RdrCEF.exe" wrote 156 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1280)
"RdrCEF.exe" wrote 8 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1280)
"RdrCEF.exe" wrote 32 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1396)
"RdrCEF.exe" wrote 52 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1396)
"RdrCEF.exe" wrote 4 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1396)
"RdrCEF.exe" wrote 84 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1396)
"RdrCEF.exe" wrote 54 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1396)
"RdrCEF.exe" wrote 12 bytes to a remote process "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" (Handle: 1396) - source
- API Call
- relevance
- 6/10
-
Hiding 1 Malicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Suspicious Indicators 2
-
Installation/Persistence
-
Creates new processes
- details
-
"AcroRd32.exe" is creating a new process (Name: "%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe", Handle: 572)
"RdrCEF.exe" is creating a new process (Name: "%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe", Handle: 1280)
"RdrCEF.exe" is creating a new process (Name: "%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe", Handle: 1396) - source
- API Call
- relevance
- 8/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"AcroRd32.exe" wrote bytes "75dc8e75273e8e7551c18c75ee9c8c7594988c750fb3927510998c7590978c750000000042c68275152e8275c0d982751bf78275c1088475e0c2827536da827530c68275d5d9827586c4827500000000" to virtual address "0x70D5E000" (part of module "MSLS31.DLL")
"AcroRd32.exe" wrote bytes "c04e307720543177e0653177b53832770000000000d0827500000000c5ea82750000000088ea827500000000e968347582283277ee29327700000000d2693475000000007dbb82750000000009be347500000000ba18827500000000" to virtual address "0x75621000" (part of module "NSI.DLL")
"AcroRd32.exe" wrote bytes "fae62d77e1a632772e713277ee29327785e22d776da0327726e42d77d16d3277003d3077804b307700000000ad3751758b2d5175b641517500000000" to virtual address "0x74691000" (part of module "WSHTCPIP.DLL")
"AcroRd32.exe" wrote bytes "d5d9827530c68275e0c2827542c6827510c68275acdc8275a0df827536da827587f18275000000009177bc75c090bc757f6fbc751ffabc75def4bc75f282bc75857dbc7500000000" to virtual address "0x6C2D1000" (part of module "MSIMG32.DLL")
"AcroRd32.exe" wrote bytes "e7392e77e1a632772e713277ee29327785e22d776da03277906431773ad5387726e42d77d16d3277003d3077804b307700000000ad3751758b2d5175b641517500000000" to virtual address "0x74B91000" (part of module "WSHIP6.DLL")
"RdrCEF.exe" wrote bytes "d9e27b64" to virtual address "0x61E1A364" (part of module "DWRITE.DLL")
"RdrCEF.exe" wrote bytes "9ae47b64" to virtual address "0x61E1A374" (part of module "DWRITE.DLL")
"RdrCEF.exe" wrote bytes "c04e307720543177e0653177b53832770000000000d0827500000000c5ea82750000000088ea827500000000e968347582283277ee29327700000000d2693475000000007dbb82750000000009be347500000000ba18827500000000" to virtual address "0x75621000" (part of module "NSI.DLL")
"RdrCEF.exe" wrote bytes "63de7b64" to virtual address "0x61E1A360" (part of module "DWRITE.DLL")
"RdrCEF.exe" wrote bytes "d1e27b64" to virtual address "0x61E1A610" (part of module "DWRITE.DLL")
"RdrCEF.exe" wrote bytes "1000808b" to virtual address "0x75895C3C" (part of module "KERNEL32.DLL")
"RdrCEF.exe" wrote bytes "e9e27b64" to virtual address "0x61E1A35C" (part of module "DWRITE.DLL")
"RdrCEF.exe" wrote bytes "5faf7b64" to virtual address "0x6573037C" (part of module "LIBCEF.DLL")
"RdrCEF.exe" wrote bytes "1000908a" to virtual address "0x75895C3C" (part of module "KERNEL32.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Informative 11
-
External Systems
-
Detected Suricata Alert
- details
- Detected alert "ET INFO Windows OS Submitting USB Metadata to Microsoft" (SID: 2025275, Rev: 1, Severity: 3) categorized as "Misc activity"
- source
- Suricata Alerts
- relevance
- 10/10
-
General
-
Contains object with compressed stream data
- details
- Object ID 5 contains compressed stream data: No filters
- source
- Static Parser
- relevance
- 10/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\Acrobat Instance Mutex"
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"DBWinMutex"
"Local\Acrobat Instance Mutex"
"\Sessions\1\BaseNamedObjects\com.adobe.acrobat.rna.RdrCefBrowserLock.DC"
"com.adobe.acrobat.rna.RdrCefBrowserLock.DC" - source
- Created Mutant
- relevance
- 3/10
-
PDF contains only a single page
- details
- Tag "pages" has a value of "1"
- source
- Static Parser
- relevance
- 5/10
-
Process launched with changed environment
- details
- Process "RdrCEF.exe" was launched with modified environment variables: "Path"
- source
- Monitored Target
- relevance
- 10/10
-
Scanning for window names
- details
-
"AcroRd32.exe" searching for window "_AcroAppTimer"
"AcroRd32.exe" searching for class "AdobeAcrobatSpeedLaunchCmdWnd"
"AcroRd32.exe" searching for class "AdobeReaderSpeedLaunchCmdWnd"
"AcroRd32.exe" searching for class "Acrobat Instance Window Class"
"AcroRd32.exe" searching for class "ACROSEMAPHORE_R18"
"AcroRd32.exe" searching for class "JFWUI2"
"AcroRd32.exe" searching for class "AdobeAcrobat"
"AcroRd32.exe" searching for class "Shell_TrayWnd" - source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "RdrCEF.exe" with commandline "--backgroundcolor=16448250"
Spawned process "RdrCEF.exe" with commandline "--type=renderer --primordial-pipe-token=DCAA0A308B4272D6DB983118FBB2B487 --lang=en-US --disable-pack-loading --lang=en-US --log-file="%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/18.9.20044 Chrome/59.0.3071.15" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=DCAA0A308B4272D6DB983118FBB2B487 --renderer-client-id=2 --mojo-platform-channel-handle=1252 --allow-no-sandbox-job /prefetch:1"
Spawned process "RdrCEF.exe" with commandline "--type=renderer --primordial-pipe-token=4DA8B4086C945F8793FB017E136ECC7A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/18.9.20044 Chrome/59.0.3071.15" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=4DA8B4086C945F8793FB017E136ECC7A --renderer-client-id=3 --mojo-platform-channel-handle=1388 --allow-no-sandbox-job /prefetch:1" - source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Dropped files
- details
-
"A9Re4sm0r_13owq6y_2po.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)"
"AdobeFnt16.lst.3516" has type "PostScript document text"
"Visited Links" has type "data"
"A9Rpg0wi2_13owq70_2po.tmp" has type "PDF document version 1.6"
"0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" has type "data"
"A9Rg700ki_13owq6u_2po.tmp" has type "data"
"A9Rgbkgu6_13owq6x_2po.tmp" has type "data"
"A9Rm9wdq2_13owq6w_2po.tmp" has type "data"
"CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" has type "data" - source
- Binary File
- relevance
- 3/10
-
Found a string that may be used as part of an injection method
- details
- "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source
- File/Memory
- relevance
- 4/10
-
Touches files in the Windows directory
- details
-
"RdrCEF.exe" touched file "%WINDIR%\System32\oleaccrc.dll"
"RdrCEF.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"RdrCEF.exe" touched file "%WINDIR%\System32\KBDUS.DLL"
"RdrCEF.exe" touched file "%WINDIR%\System32\drivers\etc\hosts"
"RdrCEF.exe" touched file "%WINDIR%\System32\spool\drivers\color\sRGB Color Space Profile.icm"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\arial.ttf"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALN.TTF"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\ariali.ttf"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALNI.TTF"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\arialbd.ttf"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALNB.TTF"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\arialbi.ttf"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALNBI.TTF"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\ariblk.ttf" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://dmd.metaservices.microsoft.com/dms/metadata.svc"
Pattern match: "http://schemas.microsoft.com/windowsmetadata/services/2007/09/18/dms/DeviceMetadataService/GetDeviceMetadata"
Heuristic match: "GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?37356dfcdc83f148 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ctldl.windowsupdate.com"
Heuristic match: "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?43ca3bdf979afaee HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ctldl.windowsupdate.com"
Pattern match: "http://www.symauth.com/cps0"
Pattern match: "http://www.symauth.com/rpa0"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEBuN56dlW1Lzehhu%2FtdSD3U%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: sv.symcd.com"
Pattern match: "http://www.symauth.com/cps0*" - source
- File/Memory
- relevance
- 10/10
File Details
32671411.pdf
- Filename
- 32671411.pdf
- Size
- 214KiB (218857 bytes)
- Type
- Description
- PDF document, version 1.4
- Document pages
- 1
- Architecture
- WINDOWS
- SHA256
- 64bcd65727140f7e514a7a6cca21075cea03f9dad9439bc0ca3dda0a6da8d3c7
- MD5
- eb0f60e0c6893714635ed740c3706d43
- SHA1
- d8e9579428c2946152cbb7219e577f660182d7b0
Classification (TrID)
- 100.0% (.PDF) Adobe Portable Document Format
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).
-
AcroRd32.exe
"C:\64bcd65727140f7e514a7a6cca21075cea03f9dad9439bc0ca3dda0a6da8d3c7.pdf"
(PID: 3516)
-
RdrCEF.exe
--backgroundcolor=16448250
(PID: 3496)
- RdrCEF.exe --type=renderer --primordial-pipe-token=DCAA0A308B4272D6DB983118FBB2B487 --lang=en-US --disable-pack-loading --lang=en-US --log-file="%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/18.9.20044 Chrome/59.0.3071.15" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=DCAA0A308B4272D6DB983118FBB2B487 --renderer-client-id=2 --mojo-platform-channel-handle=1252 --allow-no-sandbox-job /prefetch:1 (PID: 3948)
- RdrCEF.exe --type=renderer --primordial-pipe-token=4DA8B4086C945F8793FB017E136ECC7A --lang=en-US --disable-pack-loading --lang=en-US --log-file="%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/18.9.20044 Chrome/59.0.3071.15" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=4DA8B4086C945F8793FB017E136ECC7A --renderer-client-id=3 --mojo-platform-channel-handle=1388 --allow-no-sandbox-job /prefetch:1 (PID: 3412)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 52.138.148.89:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
local -> 52.138.148.89:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
local -> 52.138.148.89:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
local -> 52.138.148.89:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
Extracted Strings
Extracted Files
-
Informative 9
-
-
Visited Links
- Size
- 128KiB (131072 bytes)
- Type
- data
- Runtime Process
- RdrCEF.exe (PID: 3496)
- MD5
- e5f299c3100e113c9343e86ed9504a2d
- SHA1
- 7865b3759d1cba84cc165aceb3ceee856f31f6e2
- SHA256
- 9d1c9dc432b2e97f7a54b4da2724e4ff96dc719e60cb89c9f82dbec9226856c3
-
AdobeFnt16.lst.3516
- Size
- 239KiB (244904 bytes)
- Type
- text
- Description
- PostScript document text
- Runtime Process
- AcroRd32.exe (PID: 3516)
- MD5
- 0d904df9fe8c2444569286ee37de36f8
- SHA1
- 192974b3c8ea22554302f3fa3f5b3a5719e10c1d
- SHA256
- 2863d531042cb5dfd1261ee75f7d5dd25ac479715b06866f1bd93e63acd78771
-
A9Re4sm0r_13owq6y_2po.tmp
- Size
- 9.4KiB (9667 bytes)
- Type
- java compressed jar
- Description
- Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
- Runtime Process
- AcroRd32.exe (PID: 3516)
- MD5
- de2c1df078f21bcbff9e2a743e5f6cda
- SHA1
- f93e657ef1640625a3c73aa8b7bbadd7d1c56a44
- SHA256
- e6778540f3c71c0d8c16b33057969e62fbe0f5ca29cf17585286ebd5dbcea6f3
-
A9Rg700ki_13owq6u_2po.tmp
- Size
- 2B (2 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3516)
- MD5
- c4103f122d27677c9db144cae1394a66
- SHA1
- 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256
- 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
-
A9Rgbkgu6_13owq6x_2po.tmp
- Size
- 2B (2 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3516)
- MD5
- c4103f122d27677c9db144cae1394a66
- SHA1
- 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256
- 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
-
A9Rm9wdq2_13owq6w_2po.tmp
- Size
- 2B (2 bytes)
- Type
- data
- Runtime Process
- AcroRd32.exe (PID: 3516)
- MD5
- c4103f122d27677c9db144cae1394a66
- SHA1
- 1489f923c4dca729178b3e3233458550d8dddf29
- SHA256
- 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
-
A9Rpg0wi2_13owq70_2po.tmp
- Size
- 249KiB (255067 bytes)
- Type
- Description
- PDF document, version 1.6
- MD5
- 705ba60770707a6ac0493960832f4360
- SHA1
- 8b34528d696649eb30ad59a9863ce6df6789ae2a
- SHA256
- 355ec8e2337af0e7e00576f42ed047057c98059095d3740df7f0843c4f09007d
-
0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl
- Size
- 637B (637 bytes)
- Type
- data
- MD5
- 98e5c0cd257c9fb8f2f315231964607d
- SHA1
- a4b3da16d085f5a9277400c8f7c5fd8fe228a863
- SHA256
- ccb6bc1460ac9f418e6aaf8ba4a3f679739355f7fb773fa160fb505ee512662c
-
CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl
- Size
- 425B (425 bytes)
- Type
- data
- MD5
- b3e7829a9b1a6840e5eba994d633a8d6
- SHA1
- 77bf14e4b1b1bb2d361c134e2670fdf477b89eea
- SHA256
- 222e2278413279ab18b7dbf6a38019341f84a41083d7f3f7dab99f61466a40ca
-
Notifications
-
Runtime
- Not all sources for indicator ID "api-0" are available in the report
- Not all sources for indicator ID "api-21" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)