Edit tour

Windows Analysis Report
Complete with Docusign andrew.pdf

Overview

General Information

Sample name:	Complete with Docusign andrew.pdf
Analysis ID:	1471934
MD5:	af9120c4670a2b5dfb8eb2a3e7e2412f
SHA1:	23a0f1f74119ebac185d5751b6df2a3689be17c4
SHA256:	7e46ee85d802fc13cfe213823d7d9c67e851e6c7ebbd1a30c728a95e65adb715
Infos:

Detection

Tycoon2FA

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found potential malicious PDF (bad image similarity)

Yara detected Tycoon 2FA PaaS

AI detected suspicious PDF

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

HTML body contains low number of good links

HTML body with high number of embedded images detected

HTML page contains hidden javascript code

HTML title does not match URL

IP address seen in connection with other malware

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file does not import any functions

PE file overlay found

Classification

Process Tree

System is w10x64

Acrobat.exe (PID: 6600 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\Complete with Docusign andrew.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 6608 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7328 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1624,i,8001297531770984248,9614786494000616629,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

chrome.exe (PID: 7816 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://zzmc.tatateri.com/lPY0TK6A/#Mandrew.lapkin@innocap.com MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8088 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1980,i,9201215676763371484,13328995431598619823,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7432 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5708 --field-trial-handle=1980,i,9201215676763371484,13328995431598619823,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7332 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 --field-trial-handle=1980,i,9201215676763371484,13328995431598619823,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8376 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8024 --field-trial-handle=1980,i,9201215676763371484,13328995431598619823,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
0.0.pages.csv	JoeSecurity_Tycoon2FA	Yara detected Tycoon 2FA PaaS	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://zzmc.tatateri.com/lPY0TK6A/#Mandrew.lapkin@innocap.com	SlashNext: Label: Credential Stealing type: Phishing & Social Engineering
Source: https://login.microsoftonline.de	Avira URL Cloud: Label: phishing

Phishing

Yara detected Tycoon 2FA PaaS

Source: Yara match

File source: 0.0.pages.csv, type: HTML

Source: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token+code&nonce=17227b9e-4814-4d3c-987f-60ee98ff45aa&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fconditional&scope=openid%20email%20profile%209ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7/.default&response_mode=form_post&instance_aware=true&msafed=0&prompt=none&state=%7b%22ig%22%3a%22A5F76AAE8A5B429BAFC3D3B8966675F8%22%7d

HTTP Parser: Number of links: 0

Source: https://www.bing.com/shop?FORM=Z9LHS4	HTTP Parser: Total embedded image size: 142954
Source: https://www.bing.com/news/search?q=Top+stories&nvaug=%5bNewsVertical+Category%3d%22rt_MaxClass%22%5d&FORM=Z9LH3	HTTP Parser: Total embedded image size: 114859
Source: https://www.bing.com/search?q=World+Population+Day&form=hpcapt&filters=HpDate:%2220240711_0700%22	HTTP Parser: Total embedded image size: 28696

Source: https://zzmc.tatateri.com/lPY0TK6A/#Mandrew.lapkin@innocap.com

HTTP Parser: Base64 decoded: <!DOCTYPE html><html lang="en"><head> <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script> <script src="https://challenges.cloudflare.com/turnstile/v0/api.js?...

HTTP Parser: Title: Redirecting does not match URL

Source: https://zzmc.tatateri.com/lPY0TK6A/#Mandrew.lapkin@innocap.com	HTTP Parser: No favicon
Source: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token+code&nonce=17227b9e-4814-4d3c-987f-60ee98ff45aa&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fconditional&scope=openid%20email%20profile%209ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7/.default&response_mode=form_post&instance_aware=true&msafed=0&prompt=none&state=%7b%22ig%22%3a%22A5F76AAE8A5B429BAFC3D3B8966675F8%22%7d	HTTP Parser: No favicon
Source: https://www.bing.com/secure/Passport.aspx?popup=1&ssl=1	HTTP Parser: No favicon
Source: https://www.youtube.com/embed/dARtcG5DFkY?autoplay=1&enablejsapi=1&origin=https://www.bing.com&rel=0&mute=1	HTTP Parser: No favicon
Source: https://www.youtube.com/embed/dARtcG5DFkY?autoplay=1&enablejsapi=1&origin=https://www.bing.com&rel=0&mute=1	HTTP Parser: No favicon
Source: https://www.youtube.com/embed/dARtcG5DFkY?autoplay=1&enablejsapi=1&origin=https://www.bing.com&rel=0&mute=1	HTTP Parser: No favicon
Source: https://www.youtube.com/embed/dARtcG5DFkY?autoplay=1&enablejsapi=1&origin=https://www.bing.com&rel=0&mute=1	HTTP Parser: No favicon
Source: https://www.youtube.com/embed/dARtcG5DFkY?autoplay=1&enablejsapi=1&origin=https://www.bing.com&rel=0&mute=1	HTTP Parser: No favicon
Source: https://www.youtube.com/embed/dARtcG5DFkY?autoplay=1&enablejsapi=1&origin=https://www.bing.com&rel=0&mute=1	HTTP Parser: No favicon
Source: https://www.youtube.com/embed/gh7321ItzLc?autoplay=1&enablejsapi=1&origin=https://www.bing.com&rel=0&mute=1	HTTP Parser: No favicon
Source: https://www.youtube.com/embed/gh7321ItzLc?autoplay=1&enablejsapi=1&origin=https://www.bing.com&rel=0&mute=1	HTTP Parser: No favicon
Source: https://www.youtube.com/embed/gh7321ItzLc?autoplay=1&enablejsapi=1&origin=https://www.bing.com&rel=0&mute=1	HTTP Parser: No favicon
Source: https://www.youtube.com/embed/gh7321ItzLc?autoplay=1&enablejsapi=1&origin=https://www.bing.com&rel=0&mute=1	HTTP Parser: No favicon
Source: https://www.youtube.com/embed/gh7321ItzLc?autoplay=1&enablejsapi=1&origin=https://www.bing.com&rel=0&mute=1	HTTP Parser: No favicon
Source: https://www.youtube.com/embed/gh7321ItzLc?autoplay=1&enablejsapi=1&origin=https://www.bing.com&rel=0&mute=1	HTTP Parser: No favicon
Source: https://fpt.microsoft.com/tags?session_id=011749f2-d3d2-41fc-8c30-3f6c31173ef2	HTTP Parser: No favicon

HTTP Parser: No <meta name="author".. found

HTTP Parser: No <meta name="copyright".. found

Source:	Binary string: wextract.pdb source: Unconfirmed 631872.crdownload.4.dr, 7eddb3d8-5d52-4c8b-ad68-9e06991520e6.tmp.4.dr, chromecache_1219.5.dr
Source:	Binary string: wextract.pdbGCTL source: Unconfirmed 631872.crdownload.4.dr, 7eddb3d8-5d52-4c8b-ad68-9e06991520e6.tmp.4.dr, chromecache_1219.5.dr

Source: Joe Sandbox View	IP Address: 2.23.209.149 2.23.209.149
Source: Joe Sandbox View	IP Address: 13.107.246.42 13.107.246.42
Source: Joe Sandbox View	IP Address: 20.114.189.70 20.114.189.70
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3

Source: chromecache_1122.5.dr	String found in binary or memory: role="listitem"><a class="b_recCard" data-process="{"type":"LocalSearchTask","requestState":{"query":"IPPUDO NY East village", "forceDisableMicroPoi": false, "entryPoint": "LocalGuide", "entityId": "YN618x401896293", "filterUrlParam": "local_ypid:\"YN618x401896293\""}}" data-instrumentation="{"logData":{"feature": "LG", "action": "C", "data": {"T": "D", "Q":"IPPUDO NY East village", "ID": "ypid:YN618x401896293"}}}" data-entity="{"geometryType":1,"geometry":{"x":-73.99024963378906,"y":40.730926513671875,"bounds":[40.730926513671875,-73.99024963378906,40.730926513671875,-73.99024963378906]},"entity":{"title":"IPPUDO NY East village","id":"ypid:YN618x401896293","address":"65 Fourth Avenue, New York, NY 10003","imageUrl":"https://www.bing.com/th?id=OLC.v7VbUDIv7jwlmA480x360\u0026pid=Local","primaryCategoryPath":"30000.30949","primaryCategoryName":"Restaurant","entryName":"Business","phone":"(212) 388-0088","website":"https://ippudony.com/location/","chainId":"2582271","infoboxHtml":"\u003ca class=\u0022infoBoxLink\u0022 role=\u0022button\u0022\u003e\u003cdiv class=\u0022bm_ib_imageContainer\u0022\u003e\u003cimg src=\u0022/th?id=OLC.v7VbUDIv7jwlmA480x360\u0026amp;w=80\u0026amp;h=80\u0026amp;c=7\u0026amp;rs=1\u0026amp;qlt=80\u0026amp;cdv=1\u0026amp;pid=Local\u0022 alt=\u0022IPPUDO NY East village\u0022 class=\u0022bm_ib_image\u0022/\u003e\u003c/div\u003e\u003cdiv class=\u0022bm_ib_container\u0022\u003e\u003cdiv class=\u0022bm_ib_title\u0022\u003e\u003cspan class=\u0022cnm\u0022\u003eIPPUDO NY East village\u003c/span\u003e\u003c/div\u003e\u003cdiv class=\u0022bm_ib_rate_and_price\u0022 style=\u0022display:block\u0022\u003e\u003cdiv class=\u0022bm_ib_ratings\u0022\u003e\u003cspan class=\u0022csrc sc_rc1\u0022 role=\u0022img\u0022 aria-label=\u0022Star Rating: 4.5 out of 5.\u0022\u003e\u003cspan class=\u0022sw_st\u0022\u003e\u003c/span\u003e\u003cspan class=\u0022sw_st\u0022\u003e\u003c/span\u003e\u003cspan class=\u0022sw_st\u0022\u003e\u003c/span\u003e\u003cspan class=\u0022sw_st\u0022\u003e\u003c/span\u003e\u003cspan class=\u0022sw_sth\u0022\u003e\u003c/span\u003e\u003c/span\u003e Facebook (4859) - \u003cspan title=\u0022Cheap\u0022 class=\u0022nowrap\u0022\u003e$$\u003c/span\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv class=\u0022bm_ib_action_links\u0022 style=\u0022display:none\u0022\u003e\u003c/div\u003e\u003c/div\u003e\u003c/a\u003e"},"routablePoint":{"latitude":40.730926513671875,"longitu
Source: chromecache_2559.5.dr	String found in binary or memory: (function() { var sharingGlobalConfig ={"thumbnailUrlFormat":"https://www.bing.com/th?id={0}","defaultFormCode":"EX0023","facebookShareFormat":"https://www.facebook.com/dialog/feed?app_id={3}\u0026display=popup\u0026link={0}\u0026redirect_uri={1}\u0026ref={2}","facebookMessengerUrlFormat":"http://www.facebook.com/dialog/send?app_id={0}\u0026display=popup\u0026link={1}\u0026redirect_uri={2}","facebookFormCode":"EX0023","fbInitialHeight":576,"fbmInitialWidth":640,"facebookAppId":"3732605936979161","twitterApi":"https://twitter.com/intent/tweet?hashtags={0}\u0026text={1}\u0026url={2}","twitterFormCode":"EX0024","twitterInitialHeight":576,"twitterInitialWidth":720,"defaultInitialHeight":255,"whatsAppSchema":"whatsapp://send?text={0}","whatsAppStoreUrl":"","whatsAppFormCode":"EX0053","mailLauncherUrl":"mailto:?subject={0} \u0026body={1}","mailFormCode":"EX0025","smsProtocol":"","smsFormCode":"EX0052","loadingUrl":"/loading","useBlankLoadingPage":false,"closeRedirectUrl":"/share/fbre","pinterestUrlFormat":"https://pinterest.com/pin/create/button/?url={0}\u0026media={1}\u0026description={2}","pinterestFormCode":"EX0051","mybingFormCode":"shtomb","mybingRedirectUrl":"https://www.bing.com/myprofile?tid=id_chatmessagetab\u0026FORM=shtomb","skypeUrlFormat":"https://web.skype.com/share?url={0}\u0026source=button\u0026text={1}","skypeInitialHeight":665,"skypeInitialWidth":305,"outlookComLauncherUrl":"https://outlook.live.com/owa/?subject={0}\u0026body={1}\u0026path=/mail/action/compose","gmailLauncherUrl":"https://mail.google.com/mail/?view=cm\u0026fs=1\u0026tf=1\u0026su={0}\u0026body={1}","linkedInUrlFormat":"https://www.linkedin.com/shareArticle?mini=true\u0026url={0}\u0026title={1}\u0026summary={2}","linkedInFormCode":"EX0062","oneNoteUrlFormat":"https://www.onenote.com/clipper/save?attributionUrl={0}\u0026sourceUrl={1}\u0026imgUrl={1}\u0026title={2}\u0026description={3}","oneNoteInitialHeight":565,"oneNoteInitialWidth":550,"oneNoteFormCode":"EX0060","checkAppInstall":"","checkAppTimeout":200,"weiboShareFormat":"https://service.weibo.com/share/share.php?title={0}\u0026placeholder=Bing\u0026url={1}\u0026pic={2}","weiboFormCode":"SHDLWE","qzoneShareFormat":"https://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshare_onekey?title={0}\u0026summary={1}\u0026url={2}\u0026pics={3}","qzoneFormCode":"SHDLQZ","isCNEnglishSearch":false,"redditShareFormat":"https://www.reddit.com/submit?url={0}\u0026title={1}","redditFormCode":"EX0061","useLocationReplace":false,"getUrlFormCode":"EX0050","enableGetShareLinkFromServerForGetUrl":true,"isUnderside":false}; if(sj_evt) { sj_evt.fire("GlobalActionMenuV2Wrapper.InitSharingGlobalConfig", sharingGlobalConfig); } })();; equals www.facebook.com (Facebook)
Source: chromecache_2559.5.dr	String found in binary or memory: (function() { var sharingGlobalConfig ={"thumbnailUrlFormat":"https://www.bing.com/th?id={0}","defaultFormCode":"EX0023","facebookShareFormat":"https://www.facebook.com/dialog/feed?app_id={3}\u0026display=popup\u0026link={0}\u0026redirect_uri={1}\u0026ref={2}","facebookMessengerUrlFormat":"http://www.facebook.com/dialog/send?app_id={0}\u0026display=popup\u0026link={1}\u0026redirect_uri={2}","facebookFormCode":"EX0023","fbInitialHeight":576,"fbmInitialWidth":640,"facebookAppId":"3732605936979161","twitterApi":"https://twitter.com/intent/tweet?hashtags={0}\u0026text={1}\u0026url={2}","twitterFormCode":"EX0024","twitterInitialHeight":576,"twitterInitialWidth":720,"defaultInitialHeight":255,"whatsAppSchema":"whatsapp://send?text={0}","whatsAppStoreUrl":"","whatsAppFormCode":"EX0053","mailLauncherUrl":"mailto:?subject={0} \u0026body={1}","mailFormCode":"EX0025","smsProtocol":"","smsFormCode":"EX0052","loadingUrl":"/loading","useBlankLoadingPage":false,"closeRedirectUrl":"/share/fbre","pinterestUrlFormat":"https://pinterest.com/pin/create/button/?url={0}\u0026media={1}\u0026description={2}","pinterestFormCode":"EX0051","mybingFormCode":"shtomb","mybingRedirectUrl":"https://www.bing.com/myprofile?tid=id_chatmessagetab\u0026FORM=shtomb","skypeUrlFormat":"https://web.skype.com/share?url={0}\u0026source=button\u0026text={1}","skypeInitialHeight":665,"skypeInitialWidth":305,"outlookComLauncherUrl":"https://outlook.live.com/owa/?subject={0}\u0026body={1}\u0026path=/mail/action/compose","gmailLauncherUrl":"https://mail.google.com/mail/?view=cm\u0026fs=1\u0026tf=1\u0026su={0}\u0026body={1}","linkedInUrlFormat":"https://www.linkedin.com/shareArticle?mini=true\u0026url={0}\u0026title={1}\u0026summary={2}","linkedInFormCode":"EX0062","oneNoteUrlFormat":"https://www.onenote.com/clipper/save?attributionUrl={0}\u0026sourceUrl={1}\u0026imgUrl={1}\u0026title={2}\u0026description={3}","oneNoteInitialHeight":565,"oneNoteInitialWidth":550,"oneNoteFormCode":"EX0060","checkAppInstall":"","checkAppTimeout":200,"weiboShareFormat":"https://service.weibo.com/share/share.php?title={0}\u0026placeholder=Bing\u0026url={1}\u0026pic={2}","weiboFormCode":"SHDLWE","qzoneShareFormat":"https://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshare_onekey?title={0}\u0026summary={1}\u0026url={2}\u0026pics={3}","qzoneFormCode":"SHDLQZ","isCNEnglishSearch":false,"redditShareFormat":"https://www.reddit.com/submit?url={0}\u0026title={1}","redditFormCode":"EX0061","useLocationReplace":false,"getUrlFormCode":"EX0050","enableGetShareLinkFromServerForGetUrl":true,"isUnderside":false}; if(sj_evt) { sj_evt.fire("GlobalActionMenuV2Wrapper.InitSharingGlobalConfig", sharingGlobalConfig); } })();; equals www.linkedin.com (Linkedin)
Source: chromecache_2559.5.dr	String found in binary or memory: (function() { var sharingGlobalConfig ={"thumbnailUrlFormat":"https://www.bing.com/th?id={0}","defaultFormCode":"EX0023","facebookShareFormat":"https://www.facebook.com/dialog/feed?app_id={3}\u0026display=popup\u0026link={0}\u0026redirect_uri={1}\u0026ref={2}","facebookMessengerUrlFormat":"http://www.facebook.com/dialog/send?app_id={0}\u0026display=popup\u0026link={1}\u0026redirect_uri={2}","facebookFormCode":"EX0023","fbInitialHeight":576,"fbmInitialWidth":640,"facebookAppId":"3732605936979161","twitterApi":"https://twitter.com/intent/tweet?hashtags={0}\u0026text={1}\u0026url={2}","twitterFormCode":"EX0024","twitterInitialHeight":576,"twitterInitialWidth":720,"defaultInitialHeight":255,"whatsAppSchema":"whatsapp://send?text={0}","whatsAppStoreUrl":"","whatsAppFormCode":"EX0053","mailLauncherUrl":"mailto:?subject={0} \u0026body={1}","mailFormCode":"EX0025","smsProtocol":"","smsFormCode":"EX0052","loadingUrl":"/loading","useBlankLoadingPage":false,"closeRedirectUrl":"/share/fbre","pinterestUrlFormat":"https://pinterest.com/pin/create/button/?url={0}\u0026media={1}\u0026description={2}","pinterestFormCode":"EX0051","mybingFormCode":"shtomb","mybingRedirectUrl":"https://www.bing.com/myprofile?tid=id_chatmessagetab\u0026FORM=shtomb","skypeUrlFormat":"https://web.skype.com/share?url={0}\u0026source=button\u0026text={1}","skypeInitialHeight":665,"skypeInitialWidth":305,"outlookComLauncherUrl":"https://outlook.live.com/owa/?subject={0}\u0026body={1}\u0026path=/mail/action/compose","gmailLauncherUrl":"https://mail.google.com/mail/?view=cm\u0026fs=1\u0026tf=1\u0026su={0}\u0026body={1}","linkedInUrlFormat":"https://www.linkedin.com/shareArticle?mini=true\u0026url={0}\u0026title={1}\u0026summary={2}","linkedInFormCode":"EX0062","oneNoteUrlFormat":"https://www.onenote.com/clipper/save?attributionUrl={0}\u0026sourceUrl={1}\u0026imgUrl={1}\u0026title={2}\u0026description={3}","oneNoteInitialHeight":565,"oneNoteInitialWidth":550,"oneNoteFormCode":"EX0060","checkAppInstall":"","checkAppTimeout":200,"weiboShareFormat":"https://service.weibo.com/share/share.php?title={0}\u0026placeholder=Bing\u0026url={1}\u0026pic={2}","weiboFormCode":"SHDLWE","qzoneShareFormat":"https://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshare_onekey?title={0}\u0026summary={1}\u0026url={2}\u0026pics={3}","qzoneFormCode":"SHDLQZ","isCNEnglishSearch":false,"redditShareFormat":"https://www.reddit.com/submit?url={0}\u0026title={1}","redditFormCode":"EX0061","useLocationReplace":false,"getUrlFormCode":"EX0050","enableGetShareLinkFromServerForGetUrl":true,"isUnderside":false}; if(sj_evt) { sj_evt.fire("GlobalActionMenuV2Wrapper.InitSharingGlobalConfig", sharingGlobalConfig); } })();; equals www.twitter.com (Twitter)
Source: chromecache_1695.5.dr	String found in binary or memory: function Z(a,b){this.v={};this.playerInfo={};this.videoTitle="";this.l=this.g=this.h=null;this.i=0;this.s=!1;this.m=[];this.j=null;this.B={};if(!a)throw Error("YouTube player element ID required.");this.id=sa(this);b=Object.assign({title:"video player",videoId:"",width:640,height:360},b\|\|{});var c=document;if(a=typeof a==="string"?c.getElementById(a):a)if(Nb.yt_embedsEnableRsaforFromIframeApi&&zb(),c=a.tagName.toLowerCase()==="iframe",b.host\|\|(b.host=c?sb(a.src):"https://www.youtube.com"),this.h= equals www.youtube.com (Youtube)
Source: chromecache_1695.5.dr	String found in binary or memory: function zb(){var a=new xb,b=["https://www.youtube.com"];b=b===void 0?wb:b;qa(function(c){switch(c.g){case 1:return ka(c,yb(),2);case 2:if(!c.m){c.g=3;break}return ka(c,Promise.all(b.map(function(d){var e;return qa(function(k){if(k.g==1)return k.l=2,ka(k,navigator.permissions.query({name:"top-level-storage-access",requestedOrigin:d}),4);k.g!=2?(e=k.m,e.state==="prompt"&&a.g.push(d),k.g=0,k.l=0):(k.l=0,k.i=null,k.g=0)})})),4); equals www.youtube.com (Youtube)
Source: chromecache_2084.5.dr	String found in binary or memory: var scriptUrl = 'https:\/\/www.youtube.com\/s\/player\/8d9f6215\/www-widgetapi.vflset\/www-widgetapi.js';try{var ttPolicy=window.trustedTypes.createPolicy("youtube-widget-api",{createScriptURL:function(x){return x}});scriptUrl=ttPolicy.createScriptURL(scriptUrl)}catch(e){}var YT;if(!window["YT"])YT={loading:0,loaded:0};var YTConfig;if(!window["YTConfig"])YTConfig={"host":"https://www.youtube.com"}; equals www.youtube.com (Youtube)

Source: chromecache_2555.5.dr	String found in binary or memory: http://aka.ms/exporting.
Source: chromecache_1182.5.dr	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1LLAb
Source: chromecache_2008.5.dr	String found in binary or memory: http://ww.w3.org/1999/02/22-rdf-syntax-ns#
Source: chromecache_2569.5.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: chromecache_2528.5.dr, chromecache_2429.5.dr	String found in binary or memory: http://www.contoso.com/specificpage.html)
Source: chromecache_1144.5.dr	String found in binary or memory: https://apnews.com/article/un-world-population-growth-e2adab27719bb94ea19626dc53c57384
Source: chromecache_1144.5.dr	String found in binary or memory: https://apnews.com/article/un-world-population...
Source: chromecache_1947.5.dr	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/icons-wc/icons/MoreVertical.svg
Source: Complete with Docusign andrew.pdf	String found in binary or memory: https://community.docusign.com/signing-7)
Source: chromecache_1973.5.dr, chromecache_1639.5.dr, chromecache_2447.5.dr, chromecache_2581.5.dr, chromecache_1952.5.dr	String found in binary or memory: https://dev.virtualearth.net/Branding/logo_powered_by.png
Source: chromecache_1695.5.dr	String found in binary or memory: https://developers.google.com/youtube/iframe_api_reference#Events
Source: chromecache_1144.5.dr	String found in binary or memory: https://egypt.un.org/en/273747-secretary-general-message-world-population-day-11-july-2024
Source: chromecache_1144.5.dr	String found in binary or memory: https://egypt.un.org/en/273747-secretary-general-message-world-population-day-11-july-2024"
Source: chromecache_1144.5.dr	String found in binary or memory: https://egypt.un.org/en/273747-secretary-general...
Source: chromecache_2070.5.dr	String found in binary or memory: https://github.com/microsoft/clarity
Source: chromecache_1083.5.dr	String found in binary or memory: https://highlightjs.org/
Source: chromecache_1144.5.dr	String found in binary or memory: https://india.un.org/en/273554-world-population-day
Source: chromecache_2014.5.dr, chromecache_2450.5.dr	String found in binary or memory: https://login.chinacloudapi.cn
Source: chromecache_2014.5.dr, chromecache_2450.5.dr	String found in binary or memory: https://login.microsoftonline.com
Source: chromecache_2014.5.dr, chromecache_2450.5.dr	String found in binary or memory: https://login.microsoftonline.de
Source: chromecache_2014.5.dr, chromecache_2450.5.dr	String found in binary or memory: https://login.microsoftonline.us
Source: chromecache_2014.5.dr, chromecache_2450.5.dr	String found in binary or memory: https://login.windows-ppe.net
Source: chromecache_1144.5.dr	String found in binary or memory: https://nationaltoday.com/world-population-day/
Source: chromecache_1144.5.dr	String found in binary or memory: https://needassignmenthelp.com/blog/What-Is-World-Population-Day-And-Why-It-Is-Celebrated/
Source: chromecache_1144.5.dr	String found in binary or memory: https://observances.global/world-population-day/
Source: Complete with Docusign andrew.pdf	String found in binary or memory: https://protect.docusign.net/report-abuse?e=AUtomjpFak9GlbPL0zFFi138DQ5sHhGKT0Yhgt62kFT9wxcaHF-gBx7W
Source: Complete with Docusign andrew.pdf	String found in binary or memory: https://support.docusign.com/)
Source: Complete with Docusign andrew.pdf	String found in binary or memory: https://support.docusign.com/en/articles/How-do-I-manage-my-email-notifications)
Source: Complete with Docusign andrew.pdf	String found in binary or memory: https://support.docusign.com/en/guides/Declining-to-sign-DocuSign-Signer-Guide)
Source: Complete with Docusign andrew.pdf	String found in binary or memory: https://support.docusign.com/s/articles/How-do-I-sign-a-DocuSign-document-Basic-Signing?language=en_
Source: chromecache_1144.5.dr	String found in binary or memory: https://timesofindia.indiatimes.com/life-style/events/world-population-day-theme-historysignificance
Source: Complete with Docusign andrew.pdf	String found in binary or memory: https://www.docusign.com/features-and-benefits/mobile?utm_campaign=GBL_XX_DBU_UPS_2211_SignNotificat
Source: chromecache_1695.5.dr	String found in binary or memory: https://www.google.com
Source: chromecache_2452.5.dr, chromecache_1515.5.dr	String found in binary or memory: https://www.gstatic.com/cv/js/sender/v1/cast_sender.js
Source: chromecache_1462.5.dr	String found in binary or memory: https://www.msn.com/en-us/money/companies/pepsico-after-years-of-price-hikes-sounds-an-alarm-on-cons
Source: chromecache_1462.5.dr	String found in binary or memory: https://www.msn.com/en-us/money/markets/america-is-on-the-brink-of-an-unemployment-fiasco/ar-BB1pNd4
Source: chromecache_1462.5.dr	String found in binary or memory: https://www.msn.com/en-us/money/other/how-this-popular-iphone-feature-get-started-by-an-intern/ar-BB
Source: chromecache_1462.5.dr	String found in binary or memory: https://www.msn.com/en-us/news/crime/5-year-old-boy-dies-after-being-left-in-hot-car-for-7-hours-fos
Source: chromecache_1462.5.dr	String found in binary or memory: https://www.msn.com/en-us/news/crime/orlando-woman-caught-with-ammunition-in-turks-and-caicos-given-
Source: chromecache_1462.5.dr	String found in binary or memory: https://www.msn.com/en-us/news/politics/arkansas-election-officials-reject-petitions-submitted-for-a
Source: chromecache_1462.5.dr	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-calls-george-clooney-a-rat-for-turning-on-biden/ar-BB1
Source: chromecache_1462.5.dr	String found in binary or memory: https://www.msn.com/en-us/news/us/wildfire-risk-rises-as-western-states-dry-out-amid-ongoing-heat-wa
Source: chromecache_1462.5.dr	String found in binary or memory: https://www.msn.com/en-us/news/world/factbox-how-much-has-us-built-gaza-aid-pier-helped-get-aid-into
Source: chromecache_1462.5.dr	String found in binary or memory: https://www.msn.com/en-us/sports/other/us-appeals-court-ruling-leaves-open-possibility-of-college-at
Source: chromecache_1462.5.dr	String found in binary or memory: https://www.msn.com/en-us/sports/soccer/colombia-advances-to-copa-am%C3%A9rica-final-as-tempers-flar
Source: chromecache_1462.5.dr	String found in binary or memory: https://www.msn.com/en-us/tv/news/nick-wehry-accused-of-cheating-in-nathans-hot-dog-eating-contest-p
Source: chromecache_1144.5.dr	String found in binary or memory: https://www.ndtv.com/health/world-population-day-2018-importance-and-why-we-celebrate-1880823
Source: chromecache_2022.5.dr	String found in binary or memory: https://www.suno.ai/legal/privacy
Source: chromecache_2022.5.dr	String found in binary or memory: https://www.suno.ai/legal/terms
Source: chromecache_1144.5.dr	String found in binary or memory: https://www.un.org/en/global-issues/population
Source: chromecache_1144.5.dr	String found in binary or memory: https://www.un.org/en/observances/world-population-day/background
Source: chromecache_1144.5.dr	String found in binary or memory: https://www.un.org/en/observances/world-population-day/background"
Source: chromecache_1144.5.dr	String found in binary or memory: https://www.un.org/sustainabledevelopment/blog/...
Source: chromecache_1144.5.dr	String found in binary or memory: https://www.un.org/sustainabledevelopment/blog/2024/07/media-advisory-wpp2024/
Source: chromecache_1144.5.dr	String found in binary or memory: https://www.un.org/sustainabledevelopment/blog/2024/07/media-advisory-wpp2024/"
Source: chromecache_1144.5.dr	String found in binary or memory: https://www.unfpa.org/events/world-population-day
Source: chromecache_1144.5.dr	String found in binary or memory: https://www.unfpa.org/events/world-population-day"
Source: chromecache_1144.5.dr	String found in binary or memory: https://www.unfpa.org/events/world-population-day-2020
Source: chromecache_1144.5.dr	String found in binary or memory: https://www.unfpa.org/events/world-population-day-2022
Source: chromecache_1144.5.dr	String found in binary or memory: https://www.unfpa.org/events/world-population-day-2022"
Source: chromecache_1144.5.dr	String found in binary or memory: https://www.worldometers.info/world-population/
Source: chromecache_1144.5.dr	String found in binary or memory: https://www.worldometers.info/world-population/population-by-country/
Source: chromecache_1695.5.dr, chromecache_2084.5.dr	String found in binary or memory: https://www.youtube.com

System Summary

Found potential malicious PDF (bad image similarity)

Source: Complete with Docusign andrew.pdf	Static PDF information: Image stream: 8
Source: Complete with Docusign andrew.pdf	Static PDF information: Image stream: 10

Source: Unconfirmed 631872.crdownload.4.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 16941842 bytes, 11 files, at 0x2c +A "BWInstaller.exe" +A "BWCInstaller.msi", ID 18760, number 1, 589 datablocks, 0x1503 compression
Source: chromecache_1219.5.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 16941842 bytes, 11 files, at 0x2c +A "BWInstaller.exe" +A "BWCInstaller.msi", ID 18760, number 1, 589 datablocks, 0x1503 compression

Source: 7eddb3d8-5d52-4c8b-ad68-9e06991520e6.tmp.4.dr

Static PE information: No import functions for PE file found

Source: 7eddb3d8-5d52-4c8b-ad68-9e06991520e6.tmp.4.dr

Static PE information: Data appended to the last section found

Source: classification engine

Classification label: mal68.phis.winPDF@53/1591@0/100

Source: Complete with Docusign andrew.pdf	Initial sample: https://www.docusign.com/features-and-benefits/mobile?utm_campaign=gbl_xx_dbu_ups_2211_signnotificationemailfooter&utm_medium=product&utm_source=postsend
Source: Complete with Docusign andrew.pdf	Initial sample: https://support.docusign.com/
Source: Complete with Docusign andrew.pdf	Initial sample: https://support.docusign.com/en/guides/declining-to-sign-docusign-signer-guide
Source: Complete with Docusign andrew.pdf	Initial sample: https://support.docusign.com/s/articles/How-do-I-sign-a-DocuSign-document-Basic-Signing?language=en_US&utm_campaign=GBL_XX_DBU_UPS_2211_SignNotificationEmailFooter&utm_medium=product&utm_source=postsend
Source: Complete with Docusign andrew.pdf	Initial sample: https://support.docusign.com/s/articles/how-do-i-sign-a-docusign-document-basic-signing?language=en_us&utm_campaign=gbl_xx_dbu_ups_2211_signnotificationemailfooter&utm_medium=product&utm_source=postsend
Source: Complete with Docusign andrew.pdf	Initial sample: https://protect.docusign.net/report-abuse?e=automjpfak9glbpl0zffi138dq5shhgkt0yhgt62kft9wxcahf-gbx7w3opyzdxsybrhrs7q26u_loyresp7ixqc5qvxnz6d0vj6mo4csmkygsykumythohlc_jqttmepaxjnozrwmze1ziqi-sbrfvaftxwekb343fwsi96wzln4bomgys-jyzqozqut6f1jml5pcdnyzig7v6waj9cvp1t42m5jj8qwdccebk9j3svxjnrfynqtktpk8yzqty9gxil1-wa-qw1obaenyrv2bhsl3vitgsnp9wkfe3ocaii4b45vj6lthjdr0ebzwqmgrezpowmiikgdgwdchhnxpdmdlqu2jzriyi0wxcpubnrfwoylhsjtav3lujsqsnawgdkm_yacrjygj71eyocq4nw-cyrkjp-wlisc12sb5szfzuyoaahumwymsbschk13cv71hqkwkp_pxinvizka1k&lang=en
Source: Complete with Docusign andrew.pdf	Initial sample: https://support.docusign.com/en/articles/How-do-I-manage-my-email-notifications
Source: Complete with Docusign andrew.pdf	Initial sample: https://community.docusign.com/signing-7
Source: Complete with Docusign andrew.pdf	Initial sample: https://www.docusign.com/features-and-benefits/mobile?utm_campaign=GBL_XX_DBU_UPS_2211_SignNotificationEmailFooter&utm_medium=product&utm_source=postsend
Source: Complete with Docusign andrew.pdf	Initial sample: https://support.docusign.com/en/guides/Declining-to-sign-DocuSign-Signer-Guide
Source: Complete with Docusign andrew.pdf	Initial sample: https://support.docusign.com/en/articles/how-do-i-manage-my-email-notifications
Source: Complete with Docusign andrew.pdf	Initial sample: https://protect.docusign.net/report-abuse?e=AUtomjpFak9GlbPL0zFFi138DQ5sHhGKT0Yhgt62kFT9wxcaHF-gBx7W3OPyzdxSybRhrS7Q26U_lOYrEsp7iXQC5QVxNz6D0Vj6Mo4csmKYgsYkUMytHohLC_JqTtmepAxJnozrWmZE1ZiQi-SBrfvaFtXweKB343FwSi96wzLN4boMgYs-JYZQOZQut6F1JMl5PcDNYzIG7V6wAJ9cVp1t42m5JJ8QwdcCEbK9J3SvxjNrFyNqTkTpk8YZqTY9gXil1-wA-QW1oBaeNyRV2bhSl3vItGSNp9WKFe3OcAIi4B45VJ6LThjdR0eBzWqMGREZpOWMIIKGdgWDCHHnxpdMDlqu2JzrIyi0wXcpUBnRfWoYLhsJTav3lujsqsnAWGDKM_yAcrjYGj71EyOCq4nW-cyRkJp-WLIsC12Sb5szFZUyoAAhUmwymsBschK13cV71hQKwKp_pXiNVizKa1k&lang=en

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-07-11 19-47-44-198.log

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\Complete with Docusign andrew.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1624,i,8001297531770984248,9614786494000616629,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://zzmc.tatateri.com/lPY0TK6A/#Mandrew.lapkin@innocap.com
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1980,i,9201215676763371484,13328995431598619823,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5708 --field-trial-handle=1980,i,9201215676763371484,13328995431598619823,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 --field-trial-handle=1980,i,9201215676763371484,13328995431598619823,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8024 --field-trial-handle=1980,i,9201215676763371484,13328995431598619823,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1624,i,8001297531770984248,9614786494000616629,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1980,i,9201215676763371484,13328995431598619823,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5708 --field-trial-handle=1980,i,9201215676763371484,13328995431598619823,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 --field-trial-handle=1980,i,9201215676763371484,13328995431598619823,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8024 --field-trial-handle=1980,i,9201215676763371484,13328995431598619823,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: wextract.pdb source: Unconfirmed 631872.crdownload.4.dr, 7eddb3d8-5d52-4c8b-ad68-9e06991520e6.tmp.4.dr, chromecache_1219.5.dr
Source:	Binary string: wextract.pdbGCTL source: Unconfirmed 631872.crdownload.4.dr, 7eddb3d8-5d52-4c8b-ad68-9e06991520e6.tmp.4.dr, chromecache_1219.5.dr

Source: Complete with Docusign andrew.pdf	Initial sample: PDF keyword /JS count = 0
Source: Complete with Docusign andrew.pdf	Initial sample: PDF keyword /JavaScript count = 0
Source: A9lwauvu_1ehfkq1_2vc.tmp.0.dr	Initial sample: PDF keyword /JS count = 0
Source: A9lwauvu_1ehfkq1_2vc.tmp.0.dr	Initial sample: PDF keyword /JavaScript count = 0

Source: Complete with Docusign andrew.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: Complete with Docusign andrew.pdf

Initial sample: PDF keyword obj count = 50

Source: 7eddb3d8-5d52-4c8b-ad68-9e06991520e6.tmp.4.dr

Static PE information: real checksum: 0x105307a should be: 0xd31f

Persistence and Installation Behavior

AI detected suspicious PDF

Source: PDF shot

LLM: Score: 8 Reasons: The PDF document contains a visually prominent QR code with a button labeled 'SCAN BARCODE TO REVIEW DOCUMENT,' which could mislead the user into scanning it. The text 'You have a new document to review and sign' creates a sense of urgency, prompting immediate action. The document impersonates the well-known brand 'DocuSign,' which is commonly used for secure document signing. The combination of urgency and brand impersonation significantly increases the risk of phishing or malware.

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 1219	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\7eddb3d8-5d52-4c8b-ad68-9e06991520e6.tmp	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\BingWallpaper.exe (copy)	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 631872.crdownload	Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 1219
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 1219			Jump to dropped file

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Spearphishing Link	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	11 Masquerading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Complete with Docusign andrew.pdf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Complete with Docusign andrew.pdf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Complete with Docusign andrew.pdf