Windows Analysis Report
virus.pdf

ID:	1641117
Product:	CloudBasic
Start time:	02:17:14
Start date:	18.03.2025
Sample:	virus.pdf
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	21fc9a2a54d0f2d6d678fc7d18b59822
SHA1:	de0059b6c1d8f219e6a865cf93dfde46372162fd
SHA256:	558ec0ecee68675ee63a5b1efc37724f76b4653e831510e1fd3fa4c598c92a4b
Filetype:	Adobe Portable Document Format (5005/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG	ASCII text	EC581CEBB43FC2CDC8BFBE96ABACE271	014F850ED0411456B001DB61BF799BC394686B67	1AE5668901F8379F9CF6A67C2474386467D13E44CEDAB59B2338E64D85BF7B8B
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG	ASCII text	A0CFED5DA89300A571006C9D91765F3D	3BDAC38AEF7101A47EC2446E9D74C742A2C8BD25	7DA27F812BE20B25789F86C5E60B807B127469C58809AB4A876558CD455F81E9
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\4247a010-d08c-49fb-b524-d28c290a6313.tmp	JSON data	CFADACBD435AB68679A273F8E9251681	4E118F3120DF0D7AC72095D8BAE109E0A70511B6	FC745DB9D247A221D7ADB00EB6E700F46AAD5420A026C8A4FC08FD3BB600A319
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\81babc9d-fdbe-4570-befb-f7e9d5098d78.tmp	JSON data	4C313FE514B5F4E7E89329630909F8DC	916EED77EC8C9DC90C64FF1E5CC9D04D4674EE56	1EE7C151EF264F91FCDCCB6644F62DC33E27A4E829DAAB748DA1DE4426400873
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)	JSON data	4C313FE514B5F4E7E89329630909F8DC	916EED77EC8C9DC90C64FF1E5CC9D04D4674EE56	1EE7C151EF264F91FCDCCB6644F62DC33E27A4E829DAAB748DA1DE4426400873
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF4944c6.TMP (copy)	JSON data	4C313FE514B5F4E7E89329630909F8DC	916EED77EC8C9DC90C64FF1E5CC9D04D4674EE56	1EE7C151EF264F91FCDCCB6644F62DC33E27A4E829DAAB748DA1DE4426400873
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log	data	59908309E232EA586A2DC105B95F66D8	4E1F83B88506BC415A774D2489E554401A509D75	15D66903DEB0FE59CDEA5127329C5FA03D846D1F8D443BB8A5C1E7C325D6AECF
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG	ASCII text	18B22DA05E5B9112AE691FF9A0FCC8C5	F6AC258120986E2635988F39AF251461DE136CDE	312B120E14CA19869EB253541BF04FDB70F31C99FF055573F446B17FDCB91919
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250318011748Z-159.bmp	PC bitmap, Windows 3.x format, 164 x -116 x 32, cbSize 76150, bits offset 54	BF9603819489E574D264F869AD0CD4BC	E9513E85CE19AC9D2FB5BA8729646DE969166DBE	9652BAC4A7860105B083EB3D92249E74675B6CCF22633DCD1B118BC9360E7DAC
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages	SQLite 3.x database, last written using SQLite version 3040000, file counter 2, database pages 14, cookie 0x5, schema 4, UTF-8, version-valid-for 2	A4D5FECEFE05F21D6F81ACF4D9A788CF	1A9AC236C80F2A2809F7DE374072E2FCCA5A775C	83BE4623D80FFB402FBDEC4125671DF532845A3828A1B378D99BD243A4FD8FF2
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal	SQLite Rollback Journal	4654475C15C15059ACDADF4219AFF60B	65953FB175C529B4DF3568932728ACCA72984375	B980DD4692C527FC5A6C830A1E289BCE24C7838E4D4AD522D04BCCE762619407
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D	Certificate, Version=3	0CD2F9E0DA1773E9ED864DA5E370E74E	CABD2A79A1076A31F21D253635CB039D4329A5E8	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 73305 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	83142242E97B8953C386F988AA694E4A	833ED12FC15B356136DCDD27C61A50F59C5C7D50	D72761E1A334A754CE8250E3AF7EA4BF25301040929FD88CF9E50B4A9197D755
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D	data	5F69F2849FA87962A722F25F2ADE845E	53968DF98022CC3B80CCE3D7A4C12E0B592ECC7C	6F50795678D8226C8BFA8C71DC51A050C02A8A13AEA9598FEEFE1270EBD6F3D3
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	02C16AE756D149B00D9EE439E65982B5	71853BD20076A2D1C8902E60629E6ED2462E9BD8	2C49B1CEA6EDAC1A5619E167B996B69DCA5AEB6A548C798959617EEF14288FDA
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6356	PostScript document text	94185C5850C26B3C6FC24ABC385CDA58	42F042285037B0C35BC4226D387F88C770AB5CAA	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)	PostScript document text	94185C5850C26B3C6FC24ABC385CDA58	42F042285037B0C35BC4226D387F88C770AB5CAA	1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID	JSON data	92B3894311C2260A797AF72363876DB5	4F40DA4220F0179133C1A45721F13E32EDA92830	D1BEA0400036374C9642C82DAAE514716C74A649F74E371A5A605B8C8CBB248F
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface	JSON data	17EF11B0AE591EABC251369F58DF9D06	BDABA65E561194C933899A4BFCFB3101A997EDA2	516221166463F6AAAC1C7E6EC177659680C546B3A4363969DA6147F879E56DE3
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface	JSON data	D21F713B738A6F2670DA234875C94D31	6B7EFB283D33703C33BBCD1A596272D534DB4037	F0459CC97D1AF903E4678F9B27BABFD8385F6314A2CDDD5470985FBB612E74C2
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD	JSON data	A6696B94BFD117577A16B02C07760B8F	920876BCAB4E8A7F5F9EE14B52148426CFF5D14F	004BCC5677BDF9E51FBB7EB3384C3097FE16C6408AC4E8DA33271805C18BF3E9
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner	JSON data	0B359BBA7E32D652FB3A44F1693BEF0A	33521BDCC9630DD26286EE9CD425873C1D59BB0D	35C03A87B5C90862F79B79A25DCE54ED20C30A29C53733BBD64E1F1F082F5999
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner	JSON data	252CDDFBF2143785C0446E23B8CCFB2D	4F1248A77B3A436D35AF7F88CB340E754ADD8740	5971215374B9D8C537ABA296A44C890179C352E88D3CA73C47D51C95E39082D2
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention	JSON data	AE2F5C07B705E1B22692BE9FEAA2B8C8	668521E368EF65E980DD3C28931D4974382427CB	25D9A3A4968C052FA43AB97B16C22B3433E28F27FE170B9A26A374D29FF2C731
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner	JSON data	8B1CF2B7EF3616BC9F238795DDD7DFDA	0C056ED844B1EEF9ED41BF172A6E2045DFB130AC	B649189ECA1588459349FAA02F33B617B6C987513EE7701D3C52D7E09DBA7A45
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner	JSON data	88583798501983AC8554BCDA3D3885B1	025735B98F0AA855660E42FC7EE9A4AD18CD6E69	6AC2D00434C0BBA8876FF0D4AA83AB833A9CA07FA377AE24D39ACF221D064FD9
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner	JSON data	282873D4768D309334C0403D201F48EB	665C6BEC904E46624898466550829BFE92E66D97	0423BAC8E98D716A9612F5B7638200AA1EAE5B4F3018E098A1F66074B1D9C6A1
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner	JSON data	2B70F642802E99255EF121A380E77019	256439697755F983E65D8BBD6FD8CB2BC12943F7	B943DD284659A33E14264C2588CFD5786E9FD7D5C88B23F36E3674E0AE6BF417
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner	JSON data	1605B791864AF20DEEC3A2F4813A44F2	19B6E86684F70FCE20395A66942CAE46FBE5D885	BA6D5C4FDFD82823C6405C2D88967C78A0C59F911DBF6CA28D1317688A3B39EA
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention	JSON data	D06C7435490BA89DEDB71BAE3E0FD9D1	1A1BC333C7C17EE8888FAAA764C4309394A5D27D	5BF4D7687F8460FA937B302EB3B8EE1DFD9239240F544E365F12ACC82E168888
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner	JSON data	1226A1F7593772B466C468CBCDACB6DA	8483F5B443085EA9CE458589F5BA6D7130D28FE4	0FCFD50BA46998A0F31ACCE0838B696B12879CEEE908ED58810C6A2E737B5E82
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards	JSON data	6DEB7FF3D875A9DA18977F0DB892671B	9CA830C22B0E564534EEF865D632694937B64FC6	2D27600D46B5F942915AF4E69F42DED7D914B5DA7D1DD32BCC8594777F49A7D3
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020	JSON data	499A7332FE225AFE510665C886DB8AAA	8098C58E7B9DCB2B3094EBFE140667E791E17D58	8D81A3D97B1B2479B385418E7B426F34BBDA6F727CB1BDE192C7AA647D1D89DC
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING	data	DC84B0D741E5BEAE8070013ADDCC8C28	802F4A6A20CBF157AAF6C4E07E4301578D5936A2	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json	JSON data	E9785D0774BF21EF632F817D6B97EACC	D4929DB238FD3AD28A20F0ACF1BD2B18D68C5A98	7695E554000108DFB365FAFC541F272A2BED21BC60C1BFDEBEA1881196BDC2C4
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents	SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19	B1BDFB2F9F39067EB67B54EA88E56CC0	C4AAE87B5BDB4D9873991395042C1EEDBB54ACF4	F46C67E572E46438DAF9BAA96043CD6EF4D0C5F2ADA76A781580A9E4BA9A8C25
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal	SQLite Rollback Journal	FCF973D7E11919E069D34A68089C9F01	C61D7763AFAF2BD7A2A299105ACFD71D30239A51	0AA9DBC466F1817CD8DF9C1F1D3F560FB675D09588FF1C34B10ABD4A413DCE82
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-03-17 21-17-47-465.log	ASCII text, with very long lines (393)	91F06491552FC977E9E8AF47786EE7C1	8FEB27904897FFCC2BE1A985D479D7F75F11CEFC	06582F9F48220653B0CB355A53A9B145DA049C536D00095C57FCB3E941BA90BB
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log	ASCII text, with very long lines (393), with CRLF line terminators	BACB4E30B74A42FC33ADD80DF33E87D1	ACDC76D19CF811127875D384BCCC15D0DFF5C11A	8D0AF1305FDC626F3068BD442D084646296C0E48A96D83D4739F6A007CFC32DD
C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt	ASCII text, with CRLF line terminators	8E0F3037507CADDF24CF52FE250984E4	8C7EC300E4CD4D3ACD0BFBB603BB7A64FB8A6AAA	978EB853EFEEDC89F2757842CB357694D4CFD419FB0B0D2DF082E0F4B990A934
C:\Users\user\AppData\Local\Temp\acrocef_low\29086d70-6c62-4492-a5e4-7ac8afbc783a.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081	1D64D25345DD73F100517644279994E6	DE807F82098D469302955DCBE1A963CD6E887737	0A05C4CE0C4D8527D79A3C9CEE2A8B73475F53E18544622E4656C598BC814DFC
C:\Users\user\AppData\Local\Temp\acrocef_low\3ed50fb7-becc-4b71-9378-8299e9fcbda8.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142	9E1C73A645A9305F006E8DEACABC2978	1871A2DED53AD50892F721C92197F18F1EAC7A4D	40D3FED1293133C81742989E75B7C37363068D96DFABF6E4890A452D97A13931
C:\Users\user\AppData\Local\Temp\acrocef_low\7745a554-986b-4486-9a64-855e5b670b9a.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538	3A49135134665364308390AC398006F1	28EF4CE5690BF8A9E048AF7D30688120DAC6F126	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
C:\Users\user\AppData\Local\Temp\acrocef_low\7e96f4f3-8c6d-48d4-aab1-cca13d62e1fb.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022	5C48B0AD2FEF800949466AE872E1F1E2	337D617AE142815EDDACB48484628C1F16692A2F	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
Chrome Cache Entry: 165	Web Open Font Format (Version 2), TrueType, length 48556, version 1.0	D4FE31E6A2AEBC06B8D6E558C9141119	BCDC4F0B431D4C8065A83BB736C56FF6494D0091	C88DB2401BEF7E1203E0933CC5525A0F81863BFD076756DB12ACEA5596F089EC
Chrome Cache Entry: 166	ASCII text, with very long lines (25852), with no line terminators	4D20A87593E1DE9AFDC5FB97A01A296E	DAEE7E2BD2091C55CC772E36E2314771F6CCAAF3	1B10C59AE7D0B93F12F6C5009D696F30AF1833ED504DAC8A637960B4AA489966
Chrome Cache Entry: 167	HTML document, ASCII text	218C66F84E6B32345DEA5E5B28B42EF7	C24010862824B25386563AA89B66770973C67D7F	0278C46C1C78552EC864A565E51C9CDBFD48F56287CABF0F4074D7ED9A040241
Chrome Cache Entry: 168	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	7146329B3E36F8FC9DEE18EF6F476C60	776C487A282962E36721485301C7CE0509DE6D79	C3D03783AB15F136F25C3704C8ECC248A363FB7A9F0CB199C586AFBB23C0BAA9
Chrome Cache Entry: 169	ASCII text, with very long lines (65536), with no line terminators	6A019D87D11C571AA335391A58D35B1E	CF3AF1AEEA8BFD0967FD603E25DD78830CAC9F7C	DA767CEBC150F1514EF1A77027D8E40CCB85D70AC192C8EC7E533B7DF8B27CE2
Chrome Cache Entry: 170	HTML document, ASCII text, with very long lines (4226), with no line terminators	7F47BC7FBE0BB5643CDFB5EB0A402FB4	379E9894F99385AA04BE326317D3670432093ECC	3B40DBD920CC9359E9760BC8258E38613DAF30BFC84CE5D45B080EBDDEDA4D8D
Chrome Cache Entry: 171	ASCII text, with very long lines (26799), with no line terminators	8DC3D078E42EBF368DD46367D3CF84FC	C28DFFB7DF74B4F740BF81427B58473EAF64C632	18D381F8E6BB6ACB4090DFDD10C01AE45E9F6578EF7B6E89F633253F2C521A61
Chrome Cache Entry: 172	ASCII text, with very long lines (15916)	FBC1D840518919308E492242A3D49EDE	204507669DD797527D00333E2BEC2DB907CB32AF	682478B328444CFE35A64BA8EB7CD7F51C663FDB49334FBBB457EADED9EAEF7D
Chrome Cache Entry: 173	ASCII text, with very long lines (65536), with no line terminators	DF0306F93D63C8575037525D36D5EC28	53A5DFE604B624BE8B26429CF1C8AAFD502F1A48	60A2ADA8856612216A2EFA74E137EDC8ED205E4E311616E1F7377A8D12B41477
Chrome Cache Entry: 174	ASCII text, with very long lines (65536), with no line terminators	C0E130F57A2968DCE9006BD0A287F7C4	5C86DCD1413A7DC414662A6246C798332CA48805	8260C684AA470B3643FADDB4790DD3C19914C3FCA9193399A5D46FD0B772718D
Chrome Cache Entry: 175	ASCII text, with very long lines (52504), with no line terminators	78F16114DDBA08EF9CECCC78F5D2687C	7221E9FB9C495CB5C780592DD939D2F2D12F9247	9553E0128C18DB4FF381903E30D7BFA2CB7E1551F7F98C478A43DAD6501AA235
Chrome Cache Entry: 177	ASCII text, with very long lines (65536), with no line terminators	F898F52850E538C3CCC5840D20088FA4	B53A3D620F59D9BB3E14F70707206F8F584A2000	2B4B86349D1CE0DF01516EC555E37369ECD3F3302F19B9D6E93906909FFABFED
Chrome Cache Entry: 179	ASCII text, with very long lines (612), with no line terminators	0637605D83D35A33BF15BD0EA4F780AB	A5362A0B0447AEFFF4345D62637B74F95F84958B	4DF61D80C041AF80DE45A8C7B05915B2598585D93E9B8004DC87E6B4D4819CC0

AV Detection

Source: https://sdspprfd-tftfrtrghf34f3drrs3.net/lq3uzfH9rN?S=bjones@lakeland.cc.il.us	Avira URL Cloud: Label: malware
Source: https://sdspprfd-tftfrtrghf34f3drrs3.net/lq3uzfH9rN/?S=bjones%40lakeland.cc.il.us	Avira URL Cloud: Label: malware
Source: https://sdspprfd-tftfrtrghf34f3drrs3.net/_next/static/chunks/fd9d1056-4f5113e8da6db9c7.js	Avira URL Cloud: Label: malware
Source: https://sdspprfd-tftfrtrghf34f3drrs3.net/_next/static/chunks/webpack-20efd41c90b5bcbd.js	Avira URL Cloud: Label: malware
Source: https://sdspprfd-tftfrtrghf34f3drrs3.net/_next/static/media/a34f9d1faa5f3315.p.woff2	Avira URL Cloud: Label: malware
Source: https://sdspprfd-tftfrtrghf34f3drrs3.net/_next/static/chunks/app/not-found-9fcb5dc5d913bcdb.js	Avira URL Cloud: Label: malware
Source: https://sdspprfd-tftfrtrghf34f3drrs3.net/_next/static/chunks/23-e33e3d623cf28c17.js	Avira URL Cloud: Label: malware
Source: https://sdspprfd-tftfrtrghf34f3drrs3.net/_next/static/css/7b64cd318fb77179.css	Avira URL Cloud: Label: malware
Source: https://sdspprfd-tftfrtrghf34f3drrs3.net/_next/static/chunks/main-app-653c0408c14c4864.js	Avira URL Cloud: Label: malware
Source: https://sdspprfd-tftfrtrghf34f3drrs3.net/?S=bjones@lakeland.cc.il.us	Avira URL Cloud: Label: malware
Source: https://sdspprfd-tftfrtrghf34f3drrs3.net/_next/static/chunks/app/page-c71772bf3bad0174.js	Avira URL Cloud: Label: malware
Source: https://sdspprfd-tftfrtrghf34f3drrs3.net/_next/static/chunks/92-2a0dad65b64d730c.js	Avira URL Cloud: Label: malware
Source: https://sdspprfd-tftfrtrghf34f3drrs3.net/_next/static/css/f796ea3b426fcf90.css	Avira URL Cloud: Label: malware
Source: https://sdspprfd-tftfrtrghf34f3drrs3.net/?S=jjohns@lakeland.cc.il.us	Avira URL Cloud: Label: malware

Phishing

Source: Yara match

File source: dropped/chromecache_166, type: DROPPED

Source: PDF document

Joe Sandbox AI: PDF document contains QR code

Source: 0.0..script.csv

Joe Sandbox AI: Detected suspicious JavaScript with source url: https://khfreightgroup.com/awsfrvc/wsrcfwasdesf/lo... This script demonstrates several high-risk behaviors, including the use of dynamic code execution (via `decodeEmail` function), data exfiltration (sending the decoded email to an untrusted domain), and the use of an obfuscated URL. The combination of these factors, along with the suspicious redirect to an unknown domain, indicates a high likelihood of malicious intent.

Compliance

Source: unknown	HTTPS traffic detected: 192.185.25.215:443 -> 192.168.2.16:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.25.215:443 -> 192.168.2.16:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.25.215:443 -> 192.168.2.16:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.25.215:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.190.80.1:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.190.80.1:443 -> 192.168.2.16:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.16:49722 version: TLS 1.2

Software Vulnerabilities

Source: chrome.exe

Memory has grown: Private usage: 17MB later: 37MB

Networking

Source: global traffic	TCP traffic: 192.168.2.16:49740 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49740 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49740 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49740 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49740 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49740 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:49740 -> 1.1.1.1:53

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.195
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.195
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.195
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.195
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.195
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.195
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.195

Source: global traffic	HTTP traffic detected: GET /awsfrvc/wsrcfwasdesf/looosafvcsfe/wafcarrfw/?email=YmpvbmVzQGxha2VsYW5kLmNjLmlsLnVz HTTP/1.1Host: khfreightgroup.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /awsfrvc/wsrcfwasdesf/looosafvcsfe/wafcarrfw/?email=YmpvbmVzQGxha2VsYW5kLmNjLmlsLnVz HTTP/1.1Host: khfreightgroup.comConnection: keep-aliveCache-Control: max-age=0sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://khfreightgroup.com/awsfrvc/wsrcfwasdesf/looosafvcsfe/wafcarrfw/?email=YmpvbmVzQGxha2VsYW5kLmNjLmlsLnVzAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: khfreightgroup.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://khfreightgroup.com/awsfrvc/wsrcfwasdesf/looosafvcsfe/wafcarrfw/?email=YmpvbmVzQGxha2VsYW5kLmNjLmlsLnVzAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2024/05/cropped-KH-Freight-Icon-32x32.png HTTP/1.1Host: khfreightgroup.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://khfreightgroup.com/awsfrvc/wsrcfwasdesf/looosafvcsfe/wafcarrfw/?email=YmpvbmVzQGxha2VsYW5kLmNjLmlsLnVzAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2024/05/cropped-KH-Freight-Icon-32x32.png HTTP/1.1Host: khfreightgroup.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /lq3uzfH9rN?S=bjones@lakeland.cc.il.us HTTP/1.1Host: sdspprfd-tftfrtrghf34f3drrs3.netConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://khfreightgroup.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /lq3uzfH9rN/?S=bjones%40lakeland.cc.il.us HTTP/1.1Host: sdspprfd-tftfrtrghf34f3drrs3.netConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://khfreightgroup.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/css/7b64cd318fb77179.css HTTP/1.1Host: sdspprfd-tftfrtrghf34f3drrs3.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://sdspprfd-tftfrtrghf34f3drrs3.net/lq3uzfH9rN/?S=bjones%40lakeland.cc.il.usAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/media/a34f9d1faa5f3315.p.woff2 HTTP/1.1Host: sdspprfd-tftfrtrghf34f3drrs3.netConnection: keep-aliveOrigin: https://sdspprfd-tftfrtrghf34f3drrs3.netsec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://sdspprfd-tftfrtrghf34f3drrs3.net/lq3uzfH9rN/?S=bjones%40lakeland.cc.il.usAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/webpack-20efd41c90b5bcbd.js HTTP/1.1Host: sdspprfd-tftfrtrghf34f3drrs3.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://sdspprfd-tftfrtrghf34f3drrs3.net/lq3uzfH9rN/?S=bjones%40lakeland.cc.il.usAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/fd9d1056-4f5113e8da6db9c7.js HTTP/1.1Host: sdspprfd-tftfrtrghf34f3drrs3.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://sdspprfd-tftfrtrghf34f3drrs3.net/lq3uzfH9rN/?S=bjones%40lakeland.cc.il.usAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/23-e33e3d623cf28c17.js HTTP/1.1Host: sdspprfd-tftfrtrghf34f3drrs3.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://sdspprfd-tftfrtrghf34f3drrs3.net/lq3uzfH9rN/?S=bjones%40lakeland.cc.il.usAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/main-app-653c0408c14c4864.js HTTP/1.1Host: sdspprfd-tftfrtrghf34f3drrs3.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://sdspprfd-tftfrtrghf34f3drrs3.net/lq3uzfH9rN/?S=bjones%40lakeland.cc.il.usAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/not-found-9fcb5dc5d913bcdb.js HTTP/1.1Host: sdspprfd-tftfrtrghf34f3drrs3.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://sdspprfd-tftfrtrghf34f3drrs3.net/lq3uzfH9rN/?S=bjones%40lakeland.cc.il.usAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/10.0Host: x1.i.lencr.org
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /?S=bjones@lakeland.cc.il.us HTTP/1.1Host: sdspprfd-tftfrtrghf34f3drrs3.netConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://sdspprfd-tftfrtrghf34f3drrs3.net/lq3uzfH9rN/?S=bjones%40lakeland.cc.il.usAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/css/f796ea3b426fcf90.css HTTP/1.1Host: sdspprfd-tftfrtrghf34f3drrs3.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://sdspprfd-tftfrtrghf34f3drrs3.net/?S=bjones@lakeland.cc.il.usAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/92-2a0dad65b64d730c.js HTTP/1.1Host: sdspprfd-tftfrtrghf34f3drrs3.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://sdspprfd-tftfrtrghf34f3drrs3.net/?S=bjones@lakeland.cc.il.usAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_next/static/chunks/app/page-c71772bf3bad0174.js HTTP/1.1Host: sdspprfd-tftfrtrghf34f3drrs3.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://sdspprfd-tftfrtrghf34f3drrs3.net/?S=bjones@lakeland.cc.il.usAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?S=jjohns@lakeland.cc.il.us HTTP/1.1Host: sdspprfd-tftfrtrghf34f3drrs3.netConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: khfreightgroup.com
Source: global traffic	DNS traffic detected: DNS query: sdspprfd-tftfrtrghf34f3drrs3.net
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org

Source: unknown

HTTP traffic detected: POST /report/v4?s=Kka7siyfKKzh0DHyAAs5LLTT2aN7pS%2Bqrfw55tzojkxRCne0dyUrgcHj8QX6HpmOaB4%2FywnN39pt%2FyFZv335nnPj7C%2Fg3qvccqv3frvp99GFev5vl%2FNF0TpkY1svgF06d8Subml9hCqNAuueHB0E53zEzw%3D%3D HTTP/1.1Host: a.nel.cloudflare.comConnection: keep-aliveContent-Length: 467Content-Type: application/reports+jsonOrigin: https://sdspprfd-tftfrtrghf34f3drrs3.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Mar 2025 01:17:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, max-age=0, must-revalidatevary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Accept-Encodinglink: </_next/static/media/a34f9d1faa5f3315.p.woff2>; rel=preload; as="font"; crossorigin=""; type="font/woff2"x-powered-by: Next.jscf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kka7siyfKKzh0DHyAAs5LLTT2aN7pS%2Bqrfw55tzojkxRCne0dyUrgcHj8QX6HpmOaB4%2FywnN39pt%2FyFZv335nnPj7C%2Fg3qvccqv3frvp99GFev5vl%2FNF0TpkY1svgF06d8Subml9hCqNAuueHB0E53zEzw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9220e4903c29440e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2691&min_rtt=1705&rtt_var=1343&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3096&recv_bytes=1318&delivery_rate=2568914&cwnd=216&unsent_bytes=0&cid=ec09375f3d8c0594&ts=759&x=0"

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49673
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown	HTTPS traffic detected: 192.185.25.215:443 -> 192.168.2.16:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.25.215:443 -> 192.168.2.16:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.25.215:443 -> 192.168.2.16:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.25.215:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.190.80.1:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.190.80.1:443 -> 192.168.2.16:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.16:49722 version: TLS 1.2

System Summary

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir7032_223180313

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir7032_223180313

Source: classification engine

Classification label: mal64.phis.winPDF@36/54@11/179

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6356

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-03-17 21-17-47-465.log

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\virus.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1604 --field-trial-handle=1568,i,7923655495327458657,17984682865062963080,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://khfreightgroup.com/awsfrvc/wsrcfwasdesf/looosafvcsfe/wafcarrfw/?email=YmpvbmVzQGxha2VsYW5kLmNjLmlsLnVz
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1960,i,13355097746480612969,17419181852337752689,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2084 /prefetch:3
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1604 --field-trial-handle=1568,i,7923655495327458657,17984682865062963080,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1960,i,13355097746480612969,17419181852337752689,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2084 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: virus.pdf	Initial sample: PDF keyword /JS count = 0
Source: virus.pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: virus.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Hooking and other Techniques for Hiding and Protection

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process information queried: ProcessInformation