Analysis Report 08022419_Julie.grygiel.pdf

Overview

General Information

Sample Name: 08022419_Julie.grygiel.pdf
Analysis ID: 298611
MD5: 5f9c014cb8c2605e208eb53aaf34b0c8
SHA1: 169b7025a682ac68741b6bf340cf80ac82a9d90d
SHA256: cb4507b30444b462ec636866bce0cbd7e2bd1dd5351dee779070ff24b0062e76

Detection

HTMLPhisher
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Phishing site detected (based on favicon image match)
Yara detected HtmlPhish_10
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PDF has an OpenAction (likely to launch a dropper script)
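The "PDF has an OpenAction" signature is the reason this sample opens a browser at all: the Startup section below shows AcroRd32.exe launching iexplore.exe with the lure URL, which is the OpenAction firing. The following is an added example (not Joe Sandbox code and not the analysed file) of how to pull that action out of a PDF yourself: a minimal recursive-descent parser for PDF objects that resolves the catalog's /OpenAction and every /Link annotation's action and reports the action type with its /URI, /JS or /F target. It assumes uncompressed objects (no object streams, no incremental updates, so it misses actions hidden that way), and SAMPLE_PDF, including the lure.invalid URLs, is constructed for the example.

```python
# Added example: a minimal PDF object parser that resolves the catalog's
# /OpenAction and every /Link annotation's action.  It assumes uncompressed
# objects (no object streams, no incremental updates); SAMPLE_PDF and its
# lure.invalid URLs are constructed for this example, not the analysed file.
import re
from typing import Dict, List

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Page /MediaBox [0 0 612 792] /Annots [5 0 R] >>
endobj
4 0 obj
<< /S /URI /URI (http://lure.invalid/open#dG9rZW4=) >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 50]
   /A << /S /URI /URI (http://lure.invalid/click) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

TOKEN_RE = re.compile(
    rb"<<|>>|\[|\]"                 # dictionary / array delimiters
    rb"|/([^\s/\[\]<>()]+)"         # name, e.g. /OpenAction
    rb"|(\d+)\s+\d+\s+R"            # indirect reference, e.g. 4 0 R
    rb"|\(((?:\\.|[^\\)])*)\)"      # literal string (no nested parens)
    rb"|(-?\d+(?:\.\d+)?)"          # number
)
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
TRAILER_RE = re.compile(rb"trailer\s*(<<.*?>>)", re.S)


def tokenize(body: bytes) -> List[object]:
    """Names -> '/Name' str, refs -> ('ref', n), strings -> bytes, numbers -> int/float."""
    out: List[object] = []
    for m in TOKEN_RE.finditer(body):
        if m.group(1) is not None:
            out.append("/" + m.group(1).decode("latin-1"))
        elif m.group(2) is not None:
            out.append(("ref", int(m.group(2))))
        elif m.group(3) is not None:
            out.append(m.group(3))
        elif m.group(4) is not None:
            out.append(float(m.group(4)) if b"." in m.group(4) else int(m.group(4)))
        else:
            out.append(m.group(0).decode("latin-1"))   # a delimiter
    return out


def parse_value(tokens: List[object], i: int = 0):
    """Recursive descent over the object at tokens[i]; returns (value, next_index)."""
    tok = tokens[i]
    if tok in ("<<", "["):
        close, box = (">>", {}) if tok == "<<" else ("]", [])
        i += 1
        while tokens[i] != close:
            v, i = parse_value(tokens, i)
            if tok == "[":
                box.append(v)
            else:
                box[v], i = parse_value(tokens, i)     # v is the key name
        return box, i + 1
    return tok, i + 1


def load_objects(pdf: bytes) -> Dict[int, object]:
    """Map object number -> parsed object for every 'N G obj ... endobj'."""
    return {int(m.group(1)): parse_value(tokenize(m.group(2)))[0]
            for m in OBJ_RE.finditer(pdf) if TOKEN_RE.search(m.group(2))}


def deref(objs: Dict[int, object], value):
    """Follow an indirect reference; anything else passes through unchanged."""
    return objs.get(value[1]) if isinstance(value, tuple) else value


def describe(objs, action: dict, where: str) -> Dict[str, str]:
    info = {"where": where, "type": str(action.get("/S", "?"))}
    for key in ("/URI", "/JS", "/F"):        # URL, JavaScript source, Launch target
        if key in action:
            val = deref(objs, action[key])
            info[key[1:]] = val.decode("latin-1") if isinstance(val, bytes) else str(val)
    return info


def open_actions(pdf: bytes) -> List[Dict[str, str]]:
    """List what the document does on open and on each link click."""
    objs = load_objects(pdf)
    m = TRAILER_RE.search(pdf)
    root = deref(objs, parse_value(tokenize(m.group(1)))[0].get("/Root")) if m else None
    found: List[Dict[str, str]] = []
    if isinstance(root, dict) and "/OpenAction" in root:
        oa = deref(objs, root["/OpenAction"])
        # An action dictionary is the interesting case; a bare destination
        # array only scrolls to a page.
        found.append(describe(objs, oa, "OpenAction") if isinstance(oa, dict)
                     else {"where": "OpenAction", "type": "destination"})
    for obj in objs.values():
        if isinstance(obj, dict) and obj.get("/Subtype") == "/Link":
            act = deref(objs, obj.get("/A"))
            if isinstance(act, dict):
                found.append(describe(objs, act, "Link annotation"))
    return found
```

Run `open_actions(open(path, "rb").read())` on a suspect file; a /URI or /JS action on OpenAction is exactly the behaviour this report flags, whereas a destination array is the benign "open at page N" case. For real-world files, decompress object streams first (or use a full parser such as pdfminer or peepdf), since a phisher can hide the action dictionary inside one.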

Classification

Startup

  • System is w10x64
  • AcroRd32.exe (PID: 6380 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\08022419_Julie.grygiel.pdf' MD5: B969CF0C7B2C443A99034881E8C8740A)
    • AcroRd32.exe (PID: 6440 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\08022419_Julie.grygiel.pdf' MD5: B969CF0C7B2C443A99034881E8C8740A)
    • RdrCEF.exe (PID: 6652 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 6800 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,6709987170357796963,15404933372821653144,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=14571707367077962139 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14571707367077962139 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 6824 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1712,6709987170357796963,15404933372821653144,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=7081658855330410287 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 6868 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,6709987170357796963,15404933372821653144,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=2401258177305343249 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2401258177305343249 --renderer-client-id=4 --mojo-platform-channel-handle=1824 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 6068 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,6709987170357796963,15404933372821653144,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=507945144895379479 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=507945144895379479 --renderer-client-id=5 --mojo-platform-channel-handle=2360 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
    • iexplore.exe (PID: 5580 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' http://xliljbwzjx.xliljbwzjx.xliljbwzjx.xliljbwzjx.xliljbwzjx.tetratech.com.xliljbwzjx.xliljbwzjx.officewebcenter.com/#anVsaWUuZ3J5Z2llbEB0ZXRyYXRlY2guY29t MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 4416 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5580 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup
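The URL that AcroRd32.exe handed to iexplore.exe above shows two tricks worth checking mechanically: the victim's real domain (tetratech.com) is buried as labels inside a different registrable domain (officewebcenter.com), and the URL fragment carries a base64 token that the later hops (see the vdeskcenter.com landing page under AV Detection, which receives it as ?data=) reuse to pre-fill the fake login. The following is an added example, not Joe Sandbox output and not the phisher's code, that parses both URLs from this report, flags the embedded lookalike and decodes the token. The two-level-suffix set and the TLD set are small stand-ins for the Public Suffix List and are assumptions for this example.

```python
# Added example (not Joe Sandbox output): dissect the lure and landing URLs
# from this report.  TWO_LEVEL_SUFFIXES and COMMON_TLDS are tiny stand-ins
# for the Public Suffix List, an assumption made for this example.
import base64
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# URLs copied from the report (Startup section and AV Detection section).
LURE_URL = (
    "http://xliljbwzjx.xliljbwzjx.xliljbwzjx.xliljbwzjx.xliljbwzjx."
    "tetratech.com.xliljbwzjx.xliljbwzjx.officewebcenter.com/"
    "#anVsaWUuZ3J5Z2llbEB0ZXRyYXRlY2guY29t"
)
LANDING_URL = (
    "https://vdeskcenter.com/cy/authorize_client_id:ejdh4kb1-ds5g-yvw5-qbi2-"
    "fjzbsnyuwt3h_p4ube15skg7mfzt6wliqxodhcrj2n089vya3bwye4tfznhqlmgc5s87j9i6ka2"
    "rpo3u1xvd0l4encody6k2j17wumi958bgpqxhar3t0vzfs"
    "?data=anVsaWUuZ3J5Z2llbEB0ZXRyYXRlY2guY29t"
)

TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}   # assumption: PSL stand-in
COMMON_TLDS = {"com", "net", "org", "xyz", "io"}     # assumption: TLD stand-in


def registrable_domain(host: str) -> str:
    """Last two labels, or three when the host ends in a known two-level suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def embedded_lookalikes(host: str) -> List[str]:
    """'name.tld' pairs that appear inside the host but are NOT its registrable
    domain, e.g. 'tetratech.com' buried inside an officewebcenter.com host."""
    reg = registrable_domain(host)
    labels = host.lower().split(".")
    found: List[str] = []
    for left, right in zip(labels, labels[1:]):
        pair = f"{left}.{right}"
        if right in COMMON_TLDS and pair != reg and pair not in found:
            found.append(pair)
    return found


def decode_token(token: str) -> Optional[str]:
    """Base64-decode an opaque token (padding restored); None if it is not base64/UTF-8."""
    if not token:
        return None
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        return raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(url: str) -> Dict[str, object]:
    p = urlparse(url)
    host = p.hostname or ""
    # This campaign carries the victim in the fragment on the first hop and in
    # ?data= on the landing page; try both places.
    token = p.fragment or parse_qs(p.query).get("data", [""])[0]
    return {
        "host": host,
        "registrable_domain": registrable_domain(host),
        "lookalikes": embedded_lookalikes(host),
        "victim": decode_token(token),
    }


def same_victim(*urls: str) -> bool:
    """True when every hop in the redirect chain encodes the same victim identity."""
    victims = {analyse(u)["victim"] for u in urls}
    return len(victims) == 1 and None not in victims


if __name__ == "__main__":
    for u in (LURE_URL, LANDING_URL):
        print(analyse(u))
    print("same victim across the chain:", same_victim(LURE_URL, LANDING_URL))
```

Two points the output makes concrete: the registrable domain of the first hop is officewebcenter.com, not tetratech.com, so any allow-list or brand check must be run on the registrable domain rather than on substrings of the host; and the decoded token is the recipient's address, which is why the fake Microsoft login page can appear pre-filled and why the same token linking the hops is a usable pivot for hunting other victims in proxy logs.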

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\authorize_client_id_ejdh4kb1-ds5g-yvw5-qbi2-fjzbsnyuwt3h_p4ube15skg7mfzt6wliqxodhcrj2n089vya3bwye4tfznhqlmgc5s87j9i6ka2rpo3u1xvd0l4encody6k2j17wumi958bgpqxhar3t0vzfs[1].htm | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://vdeskcenter.com/cy/authorize_client_id:ejdh4kb1-ds5g-yvw5-qbi2-fjzbsnyuwt3h_p4ube15skg7mfzt6wliqxodhcrj2n089vya3bwye4tfznhqlmgc5s87j9i6ka2rpo3u1xvd0l4encody6k2j17wumi958bgpqxhar3t0vzfs?data=anVsaWUuZ3J5Z2llbEB0ZXRyYXRlY2guY29t | SlashNext: Label: Fake Login Page, type: Phishing & Social Engineering
Source: https://vdeskcenter.com/cy/authorize_client_id:ejdh4kb1-ds5g-yvw5-qbi2-fjzbsnyuwt3h_p4ube15skg7mfzt6wliqxodhcrj2n089vya3bwye4tfznhqlmgc5s87j9i6ka2rpo3u1xvd0l4encody6k2j17wumi958bgpqxhar3t0vzfs?data=anVsaWUuZ3J5Z2llbEB0ZXRyYXRlY2guY29t | UrlScan: Label: phishing, brand: microsoft

Phishing:

Phishing site detected (based on favicon image match)
Source: https://vdeskcenter.com/cy/authorize_client_id:ejdh4kb1-ds5g-yvw5-qbi2-fjzbsnyuwt3h_p4ube15skg7mfzt6wliqxodhcrj2n089vya3bwye4tfznhqlmgc5s87j9i6ka2rpo3u1xvd0l4encody6k2j17wumi958bgpqxhar3t0vzfs?data=anVsaWUuZ3J5Z2llbEB0ZXRyYXRlY2guY29t | Matcher: Template: microsoft matched with high similarity
Yara detected HtmlPhish_10
Source: Yara match | File source: 992547.pages.csv, type: HTML
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\authorize_client_id_ejdh4kb1-ds5g-yvw5-qbi2-fjzbsnyuwt3h_p4ube15skg7mfzt6wliqxodhcrj2n089vya3bwye4tfznhqlmgc5s87j9i6ka2rpo3u1xvd0l4encody6k2j17wumi958bgpqxhar3t0vzfs[1].htm, type: DROPPED
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 80.0.0.0 80.0.0.0
Note: 80.0.0.0 is not a host this sample contacted. It matches the "Chrome/80.0.0.0" product-version string in the RdrCEF.exe command lines in the Startup section, so treat this hit as an extraction artifact rather than an indicator.
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Note: JA3 identifies the TLS client stack, and the client here is Internet Explorer on Windows 10, so the same fingerprints are produced by benign traffic from that stack; on their own they corroborate nothing about this sample.
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: xliljbwzjx.xliljbwzjx.xliljbwzjx.xliljbwzjx.xliljbwzjx.tetratech.com.xliljbwzjx.xliljbwzjx.officewebcenter.com
    Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: officewebcenter.com
Note: most of the strings below are Acrobat Reader's own, not the sample's: the digicert.com entries come from code-signing certificates in the Reader binaries, the aiim.org, iptc.org, cipa.jp, npes.org and useplus.org entries are XMP/PDF-A namespace URIs, osmf.org and quicktime.com come from the media framework, and adobelogin.com, echosign.com and the PrefSyncJob URIs are Reader service endpoints. The strings specific to this sample are the tcpdf.org generator tag in the PDF itself and the officewebcenter.com, anywebpc.xyz and vdeskcenter.com URLs, which together form the lure, redirect and landing hops of the phishing chain.
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AcroRd32.exe, 00000001.00000002.412442877.000000000AE03000.00000004.00000001.sdmp | String found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe, 00000001.00000002.412442877.000000000AE03000.00000004.00000001.sdmp | String found in binary or memory: http://cipa.jp/exif/1.0/.3/q
Source: AcroRd32.exe, 00000001.00000002.412442877.000000000AE03000.00000004.00000001.sdmp | String found in binary or memory: http://cipa.jp/exif/1.0/l
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/l
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/field#e
Source: AcroRd32.exe, 00000001.00000002.412442877.000000000AE03000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/property#4
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#I
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/type#P
Source: AcroRd32.exe, 00000001.00000002.412142044.000000000ACC4000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: AcroRd32.exe, 00000001.00000002.412142044.000000000ACC4000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfe/ns/id/C
Source: AcroRd32.exe, 00000001.00000002.412142044.000000000ACC4000.00000004.00000001.sdmp | String found in binary or memory: http://www.aiim.org/pdfe/ns/id/H
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: AcroRd32.exe, 00000001.00000002.412442877.000000000AE03000.00000004.00000001.sdmp | String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: AcroRd32.exe, 00000001.00000002.396613352.0000000007300000.00000002.00000001.sdmp | String found in binary or memory: http://www.osmf.org/default/1.0%http://www.osmf.org/mediatype/default
Source: AcroRd32.exe, 00000001.00000002.396613352.0000000007300000.00000002.00000001.sdmp | String found in binary or memory: http://www.osmf.org/drm/default
Source: AcroRd32.exe, 00000001.00000002.396613352.0000000007300000.00000002.00000001.sdmp | String found in binary or memory: http://www.osmf.org/elementId%http://www.osmf.org/temporal/embedded$http://www.osmf.org/temporal/dyn
Source: AcroRd32.exe, 00000001.00000002.396613352.0000000007300000.00000002.00000001.sdmp | String found in binary or memory: http://www.osmf.org/layout/anchor
Source: AcroRd32.exe, 00000001.00000002.396613352.0000000007300000.00000002.00000001.sdmp | String found in binary or memory: http://www.osmf.org/layout/padding%http://www.osmf.org/layout/attributes
Source: AcroRd32.exe, 00000001.00000002.396613352.0000000007300000.00000002.00000001.sdmp | String found in binary or memory: http://www.osmf.org/region/target#http://www.osmf.org/layout/renderer#http://www.osmf.org/layout/abs
Source: AcroRd32.exe, 00000001.00000002.396613352.0000000007300000.00000002.00000001.sdmp | String found in binary or memory: http://www.osmf.org/subclip/1.0
Source: AcroRd32.exe, 00000001.00000002.396613352.0000000007300000.00000002.00000001.sdmp | String found in binary or memory: http://www.quicktime.com.Acrobat
Source: 08022419_Julie.grygiel.pdf | String found in binary or memory: http://www.tcpdf.org
Source: AcroRd32.exe, 00000001.00000002.400068452.0000000008AD0000.00000004.00000001.sdmp | String found in binary or memory: http://www.tcpdf.org)
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: http://xliljbwzjx.xliljbwzjx.xliljbwzjx.xliljbwzjx.xliljbwzjx.Tetratech.com.xliljbwzjx.xliljbwzjx.of
Source: AcroRd32.exe, 00000001.00000002.412214871.000000000AD11000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp, ~DF4D4DE348481AC969.TMP.20.dr, {7823A5CC-0F31-11EB-90E5-ECF4BB570DC9}.dat.20.dr | String found in binary or memory: http://xliljbwzjx.xliljbwzjx.xliljbwzjx.xliljbwzjx.xliljbwzjx.tetratech.com.xliljbwzjx.xliljbwzjx.of
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/1
Source: AcroRd32.exe, 00000001.00000002.412520712.000000000AE67000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/:
Source: AcroRd32.exe, 00000001.00000002.412442877.000000000AE03000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/
Source: AcroRd32.exe, 00000001.00000002.412442877.000000000AE03000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/3c
Source: AcroRd32.exe, 00000001.00000002.412442877.000000000AE03000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/i
Source: AcroRd32.exe, 00000001.00000002.412442877.000000000AE03000.00000004.00000001.sdmp | String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/r3
Source: VEFYKJ6J.htm.21.dr | String found in binary or memory: https://anywebpc.xyz/vx/gdte/kfjgjg/
Source: ~DF4D4DE348481AC969.TMP.20.dr | String found in binary or memory: https://anywebpc.xyz/vx/gdte/kfjgjg/anVsaWUuZ3J5Z2llbEB0ZXRyYXRlY2guY29tbwzjx.officewebcenter.com/#a
Source: AcroRd32.exe, 00000001.00000002.412621944.000000000AEEB000.00000004.00000001.sdmp | String found in binary or memory: https://api.echosign.com
Source: AcroRd32.exe, 00000001.00000002.412621944.000000000AEEB000.00000004.00000001.sdmp | String found in binary or memory: https://api.echosign.comng
Source: authorize_client_id_ejdh4kb1-ds5g-yvw5-qbi2-fjzbsnyuwt3h_p4ube15skg7mfzt6wliqxodhcrj2n089vya3bwye4tfznhqlmgc5s87j9i6ka2rpo3u1xvd0l4encody6k2j17wumi958bgpqxhar3t0vzfs[1].htm.21.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v16/mem5YaGs126MiZpBA-UN_r8OUuhs.ttf)
Source: AcroRd32.exe, 00000001.00000002.400068452.0000000008AD0000.00000004.00000001.sdmp | String found in binary or memory: https://ims-na1.adobelogin.com
Source: ~DF4D4DE348481AC969.TMP.20.dr, {7823A5CC-0F31-11EB-90E5-ECF4BB570DC9}.dat.20.dr | String found in binary or memory: https://vdeskcenter.com/cy/authorize_client_id:ejdh4kb1-ds5g-yvw5-qbi2-fjzbsnyuwt3h_p4ube15skg7mfzt6
Source: imagestore.dat.21.dr | String found in binary or memory: https://vdeskcenter.com/cy/images/favicon.ico~
Source: AcroRd32.exe, 00000001.00000002.399747941.00000000081BD000.00000002.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown