
Analysis Report Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf

Overview

General Information

Sample Name:Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf
Analysis ID:285616
MD5:daae35ff818b3357342f67df888031f8
SHA1:464b5a43b7a090e2eff909d9f4595bd0098cf6d8
SHA256:c36a7f4b5b0231dbef0434057c41ba9681765dd46e44f59f9bc6a5e4b95171e1

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
IP address seen in connection with other malware

Classification

Startup

  • System is w10x64
  • AcroRd32.exe (PID: 6632 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf' MD5: B969CF0C7B2C443A99034881E8C8740A)
    • AcroRd32.exe (PID: 6692 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf' MD5: B969CF0C7B2C443A99034881E8C8740A)
    • RdrCEF.exe (PID: 6888 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 7100 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1716,3574153316513231052,11236284257914492249,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=15842901780152505847 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15842901780152505847 --renderer-client-id=2 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 6188 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1716,3574153316513231052,11236284257914492249,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=4185418280450592262 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 1740 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1716,3574153316513231052,11236284257914492249,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=3160251875389311476 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3160251875389311476 --renderer-client-id=4 --mojo-platform-channel-handle=1864 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 5808 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1716,3574153316513231052,11236284257914492249,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=13012762067480040308 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=13012762067480040308 --renderer-client-id=5 --mojo-platform-channel-handle=2140 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
  • cleanup
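The tree above is the normal Acrobat Reader DC layout: the AcroRd32.exe that opens the document spawns a renderer copy of itself and the RdrCEF.exe broker (Adobe's Chromium Embedded Framework component, hence the Chromium-style --type=renderer / --type=gpu-process flags), and RdrCEF.exe in turn spawns only its own helper processes. The detection value of a clean report like this one is the baseline it gives: a child of AcroRd32.exe that is not one of those two images, or a process with a Reader image name running from outside the Reader install directory, is what an alert should fire on. The following is an added example written by the editor, not code from the Joe Sandbox report; it encodes that baseline and runs it over the seven PIDs from the tree (parent PIDs inferred from the nesting, command lines abbreviated) plus two constructed rows that show what a hit looks like.

```python
"""Baseline check for the Acrobat Reader process tree in the Startup section.

Editor's example, not part of the Joe Sandbox report. The expected parent/child
pairs are the editor's baseline read off the tree above; parent PIDs are
inferred from the report's nesting; command lines are abbreviated; the last two
events are constructed to show what a hit looks like.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int       # 0 = started by the sandbox, not by a process in the tree
    image: str      # full image path as the report prints it
    cmdline: str


# Where a genuine Reader DC install lives; a child carrying a Reader image
# name from anywhere else (e.g. %TEMP%) is flagged.
ADOBE_DIR = r"c:\program files (x86)\adobe\acrobat reader dc\reader"

# Children that Reader legitimately spawns when it opens a document:
# AcroRd32.exe -> its own renderer copy and the RdrCEF.exe (CEF) broker,
# RdrCEF.exe  -> its own renderer / gpu-process helpers.
EXPECTED_CHILDREN = {
    "acrord32.exe": {"acrord32.exe", "rdrcef.exe"},
    "rdrcef.exe": {"rdrcef.exe"},
}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_tree(events) -> list:
    """Return one finding per child that deviates from the Reader baseline."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue                      # root of the tree
        pname = image_name(parent.image)
        if pname not in EXPECTED_CHILDREN:
            continue                      # only police Reader's own subtree
        cname = image_name(e.image)
        if cname not in EXPECTED_CHILDREN[pname]:
            findings.append(
                f"unexpected child of {pname} (PID {parent.pid}): "
                f"{cname} (PID {e.pid}) {e.cmdline}")
        elif not e.image.lower().startswith(ADOBE_DIR):
            findings.append(
                f"expected name but wrong path: {e.image} (PID {e.pid})")
    return findings


READER = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader"
SAMPLE_PDF = r"C:\Users\user\Desktop\Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf"

# The seven processes from the report (PIDs as printed; ppids from the nesting).
REPORT_EVENTS = [
    ProcEvent(6632, 0, READER + r"\AcroRd32.exe", f"'{SAMPLE_PDF}'"),
    ProcEvent(6692, 6632, READER + r"\AcroRd32.exe", f"--type=renderer /prefetch:1 '{SAMPLE_PDF}'"),
    ProcEvent(6888, 6632, READER + r"\AcroCEF\RdrCEF.exe", "--backgroundcolor=16514043"),
    ProcEvent(7100, 6888, READER + r"\AcroCEF\RdrCEF.exe", "--type=renderer --renderer-client-id=2"),
    ProcEvent(6188, 6888, READER + r"\AcroCEF\RdrCEF.exe", "--type=gpu-process --use-gl=swiftshader-webgl"),
    ProcEvent(1740, 6888, READER + r"\AcroCEF\RdrCEF.exe", "--type=renderer --renderer-client-id=4"),
    ProcEvent(5808, 6888, READER + r"\AcroCEF\RdrCEF.exe", "--type=renderer --renderer-client-id=5"),
]

# CONSTRUCTED for the example, not in the report: what a hit looks like.
CONSTRUCTED_EVENTS = [
    ProcEvent(9999, 6632, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "-nop -w hidden -enc <base64>"),
    ProcEvent(9998, 6632, r"C:\Users\user\AppData\Local\Temp\RdrCEF.exe", "--type=renderer"),
]

EVENTS = REPORT_EVENTS + CONSTRUCTED_EVENTS

if __name__ == "__main__":
    for finding in check_tree(EVENTS):
        print(finding)
```

Run as a script it prints nothing for the seven report rows and two findings for the constructed ones. The allowlist is deliberately keyed on the parent's image name rather than on PID, so the same baseline can be reused as a Sigma-style rule over any EDR process-creation feed (parent image in the Reader directory, child image outside the two expected names).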

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures; the hits listed below are informational.

Source: Joe Sandbox View; IP Address: 80.0.0.0 (basis for the signature "IP address seen in connection with other malware"). Caveat: 80.0.0.0 is the only address in this report, and it is the same dotted quad as the version token in the RdrCEF.exe command line (--product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0'); the report records no connection to it. Treat this hit as a string match on a version number, not as network activity.
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://cipa.jp/exif/1.0/Z
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: AcroRd32.exe, 00000001.00000003.233839764.000000000B570000.00000004.00000001.sdmp; String found in binary or memory: http://losttype.com
Source: AcroRd32.exe, 00000001.00000002.517148972.000000000B5C9000.00000004.00000001.sdmp; String found in binary or memory: http://losttype.com/http://jamestedmondson.com/
Source: AcroRd32.exe, 00000001.00000002.517148972.000000000B5C9000.00000004.00000001.sdmp; String found in binary or memory: http://losttype.com/http://jamestedmondson.com/Copyright
Source: AcroRd32.exe, 00000001.00000003.233839764.000000000B570000.00000004.00000001.sdmp; String found in binary or memory: http://losttype.com/http://jamestedmondson.com/UU
Source: AcroRd32.exe, 00000001.00000003.219473576.000000000A7B8000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.c
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0C
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0H
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0I
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0O
Source: AcroRd32.exe, 00000001.00000002.527170285.000000000D2DF000.00000004.00000001.sdmp; String found in binary or memory: http://www.adobe.
Source: AcroRd32.exe, 00000001.00000002.527170285.000000000D2DF000.00000004.00000001.sdmp; String found in binary or memory: http://www.adobe.coX
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/1
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/k
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/property#D
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#8
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/type#Z
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.aiim.org/pdfa/ns/type#y
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.aiim.org/pdfe/ns/id/p
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.npes.org/pdfx/ns/id/%
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.npes.org/pdfx/ns/id/.
Source: AcroRd32.exe, 00000001.00000002.496283067.0000000007BF0000.00000002.00000001.sdmp; String found in binary or memory: http://www.osmf.org/default/1.0%http://www.osmf.org/mediatype/default
Source: AcroRd32.exe, 00000001.00000002.496283067.0000000007BF0000.00000002.00000001.sdmp; String found in binary or memory: http://www.osmf.org/drm/default
Source: AcroRd32.exe, 00000001.00000002.496283067.0000000007BF0000.00000002.00000001.sdmp; String found in binary or memory: http://www.osmf.org/elementId%http://www.osmf.org/temporal/embedded$http://www.osmf.org/temporal/dyn
Source: AcroRd32.exe, 00000001.00000002.496283067.0000000007BF0000.00000002.00000001.sdmp; String found in binary or memory: http://www.osmf.org/layout/anchor
Source: AcroRd32.exe, 00000001.00000002.496283067.0000000007BF0000.00000002.00000001.sdmp; String found in binary or memory: http://www.osmf.org/layout/padding%http://www.osmf.org/layout/attributes
Source: AcroRd32.exe, 00000001.00000002.496283067.0000000007BF0000.00000002.00000001.sdmp; String found in binary or memory: http://www.osmf.org/region/target#http://www.osmf.org/layout/renderer#http://www.osmf.org/layout/abs
Source: AcroRd32.exe, 00000001.00000002.496283067.0000000007BF0000.00000002.00000001.sdmp; String found in binary or memory: http://www.osmf.org/subclip/1.0
Source: AcroRd32.exe, 00000001.00000002.520948866.000000000B85C000.00000004.00000001.sdmp; String found in binary or memory: http://www.quicktime.com.Acrobat
Source: AcroRd32.exe, 00000001.00000002.526822048.000000000D227000.00000004.00000001.sdmp; String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/
Source: AcroRd32.exe, 00000001.00000002.519046383.000000000B690000.00000004.00000001.sdmp; String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/
Source: AcroRd32.exe, 00000001.00000002.519046383.000000000B690000.00000004.00000001.sdmp; String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/2
Source: AcroRd32.exe, 00000001.00000002.519046383.000000000B690000.00000004.00000001.sdmp; String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/42=e
Source: AcroRd32.exe, 00000001.00000002.519046383.000000000B690000.00000004.00000001.sdmp; String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/bx
Source: AcroRd32.exe, 00000001.00000002.519046383.000000000B690000.00000004.00000001.sdmp; String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/l2ee
Source: AcroRd32.exe, 00000001.00000002.526822048.000000000D227000.00000004.00000001.sdmp; String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/WO
Source: AcroRd32.exe, 00000001.00000002.526538602.000000000D0DA000.00000004.00000001.sdmp; String found in binary or memory: https://api.echosign.com
Source: AcroRd32.exe, 00000001.00000002.526538602.000000000D0DA000.00000004.00000001.sdmp; String found in binary or memory: https://api.echosign.comgs
Source: AcroRd32.exe, 00000001.00000002.503828178.0000000009303000.00000004.00000001.sdmp; String found in binary or memory: https://ims-na1.adobelogin.com
Source: AcroRd32.exe, 00000001.00000002.502820713.0000000008AAD000.00000002.00000001.sdmp; String found in binary or memory: https://www.digicert.com/CPS0
Source: AcroRd32.exe, 00000001.00000002.516890050.000000000B4DA000.00000004.00000001.sdmp; String found in binary or memory: https://www.ehealth.fgov.be/file/view/AXHXIsnbl9vUUfvGGep3?filename=Invulblad%20contacten%20NL.docx
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; String found in binary or memory: https://www.ehealth.fgov.be/file/view/AXHXIsnbl9vUUfvGGep3?filename=Invulblad%20contacten%20NL.docx)
Source: AcroRd32.exe, 00000001.00000002.519046383.000000000B690000.00000004.00000001.sdmp; String found in binary or memory: https://www.sport.vlaanderen/media/13572/voor-de-sporters.pdf
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp, Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; String found in binary or memory: https://www.sport.vlaanderen/media/13572/voor-de-sporters.pdf)
Source: AcroRd32.exe, 00000001.00000002.514251850.000000000A7DF000.00000004.00000001.sdmp; String found in binary or memory: https://www.sport.vlaanderen/media/13868/leidraad.pdf
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; String found in binary or memory: https://www.sport.vlaanderen/media/13868/leidraad.pdf)
Source: AcroRd32.exe, 00000001.00000002.516588304.000000000B343000.00000004.00000001.sdmp; String found in binary or memory: https://www.voetbalvlaanderen.be/competitie/voetballen-coronatijden
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp, Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; String found in binary or memory: https://www.voetbalvlaanderen.be/competitie/voetballen-coronatijden)
Source: AcroRd32.exe, 00000001.00000002.519046383.000000000B690000.00000004.00000001.sdmp; String found in binary or memory: https://www.wablieft.be/nl/corona-in-eenvoudige-taal
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; String found in binary or memory: https://www.wablieft.be/nl/corona-in-eenvoudige-taal)
Source: AcroRd32.exe, 00000001.00000002.519046383.000000000B690000.00000004.00000001.sdmp; String found in binary or memory: https://www.wablieft.be/nl/corona-in-eenvoudige-taalf)
Source: AcroRd32.exe, 00000001.00000002.519046383.000000000B690000.00000004.00000001.sdmp; String found in binary or memory: https://www.wablieft.be/nl/corona-in-eenvoudige-taalj(
Source: AcroRd32.exe, 00000001.00000002.519046383.000000000B690000.00000004.00000001.sdmp; String found in binary or memory: https://www.zorg-en-gezondheid.be/contactonderzoek
Source: AcroRd32.exe, 00000001.00000002.513281026.000000000A6D5000.00000004.00000001.sdmp, Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; String found in binary or memory: https://www.zorg-en-gezondheid.be/contactonderzoek)
Source: AcroRd32.exe, 00000001.00000002.519046383.000000000B690000.00000004.00000001.sdmp; String found in binary or memory: https://www.zorg-en-gezondheid.be/contactpersonen-en-reizigers
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; String found in binary or memory: https://www.zorg-en-gezondheid.be/contactpersonen-en-reizigers)
Source: AcroRd32.exe, 00000001.00000002.519046383.000000000B690000.00000004.00000001.sdmp; String found in binary or memory: https://www.zorg-en-gezondheid.be/contactpersonen-en-reizigersP(3ce
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; String found in binary or memory: https://www.zorg-en-gezondheid.be/sites/default/files/atoms/files/Folder_contactonderzoek_juli-2020.
Source: classification engine; Classification label: clean1.winPDF@13/46@0/2
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: https://www.zorg-en-gezondheid.be/contactonderzoek
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: https://www.sport.vlaanderen/media/13868/leidraad.pdf
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: mailto:https://www.voetbalvlaanderen.be/competitie/voetballen-coronatijden
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: mailto:carl.coopmans@voetbalvlaanderen.be
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: https://www.zorg-en-gezondheid.be/contactpersonen-en-reizigers
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: mailto:pc.foot.antwerpen@voetbalvlaanderen.be
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: mailto:pc.foot.oostvlaanderen@voetbalvlaanderen.be
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: mailto:administratie@voetbalvlaanderen.be
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: https://www.zorg-en-gezondheid.be/sites/default/files/atoms/files/folder_contactonderzoek_juli-2020.pdf
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: https://www.sport.vlaanderen/media/13572/voor-de-sporters.pdf
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: https://www.ehealth.fgov.be/file/view/AXHXIsnbl9vUUfvGGep3?filename=Invulblad%20contacten%20NL.docx
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: mailto:bart.huylebroeck@voetbalvlaanderen.be
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: https://www.zorg-en-gezondheid.be/sites/default/files/atoms/files/Folder_contactonderzoek_juli-2020.pdf
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: mailto:pc.foot.westvlaanderen@voetbalvlaanderen.be
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: https://www.wablieft.be/nl/corona-in-eenvoudige-taal
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: https://www.ehealth.fgov.be/file/view/axhxisnbl9vuufvggep3?filename=invulblad%20contacten%20nl.docx
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: mailto:jurgen.de.bondt@voetbalvlaanderen.be
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: mailto:minivoetbal@voetbalvlaanderen.be
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe; File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe; File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9Rrlmcjf_1cmbva8_55w.tmp
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe; File read: C:\Program Files (x86)\desktop.ini
Source: unknown; Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf'
Source: unknown; Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf'
Source: unknown; Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: unknown; Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1716,3574153316513231052,11236284257914492249,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=15842901780152505847 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15842901780152505847 --renderer-client-id=2 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
Source: unknown; Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1716,3574153316513231052,11236284257914492249,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=4185418280450592262 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknown; Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1716,3574153316513231052,11236284257914492249,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=3160251875389311476 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3160251875389311476 --renderer-client-id=4 --mojo-platform-channel-handle=1864 --allow-no-sandbox-job /prefetch:1
Source: unknown; Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1716,3574153316513231052,11236284257914492249,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=13012762067480040308 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=13012762067480040308 --renderer-client-id=5 --mojo-platform-channel-handle=2140 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe; Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe; Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe; Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1716,3574153316513231052,11236284257914492249,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=15842901780152505847 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15842901780152505847 --renderer-client-id=2 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe; Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1716,3574153316513231052,11236284257914492249,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=4185418280450592262 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe; Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1716,3574153316513231052,11236284257914492249,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=3160251875389311476 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3160251875389311476 --renderer-client-id=4 --mojo-platform-channel-handle=1864 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe; Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1716,3574153316513231052,11236284257914492249,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=13012762067480040308 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=13012762067480040308 --renderer-client-id=5 --mojo-platform-channel-handle=2140 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe; File opened: C:\Windows\SysWOW64\Msftedit.dll
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: PDF keyword /JS count = 0
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: PDF keyword /JavaScript count = 0
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: PDF keyword /EmbeddedFile count = 0
Source: Coronaprotocol Voetbal Vlaanderen - DEF - 01 09 20.pdf; Initial sample: PDF keyword obj count = 103
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: AcroRd32.exe, 00000001.00000002.526608247.000000000D123000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY7n3
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeCode function: 1_2_04F981D0 LdrInitializeThunk,1_2_04F981D0
Source: AcroRd32.exe, 00000001.00000002.491158930.0000000005910000.00000002.00000001.sdmpBinary or memory string: Program Manager
Source: AcroRd32.exe, 00000001.00000002.491158930.0000000005910000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: AcroRd32.exe, 00000001.00000002.491158930.0000000005910000.00000002.00000001.sdmpBinary or memory string: Progman
Source: AcroRd32.exe, 00000001.00000002.491158930.0000000005910000.00000002.00000001.sdmpBinary or memory string: Progmanlock

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Spearphishing Link 1 | Windows Management Instrumentation | Path Interception | Process Injection 2 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 2 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |

Behavior Graph
