Loading ...

Play interactive tourEdit tour

Analysis Report TETRATECH Covid-19 Stimulus Funds.pdf

Overview

General Information

Sample Name:TETRATECH Covid-19 Stimulus Funds.pdf
Analysis ID:349485
MD5:63deffe4ac48f83f4ee319d30e6bf44b
SHA1:e7a4742dd14ad017c56e5a6af04e5ccfc851967b
SHA256:96355ec73c87cf7e781723c8fe1ebc9a7e91a23cdaeef4d4cc0b65077a9c5814

Most interesting Screenshot:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware

Classification

Analysis Advice

No malicious behavior found, analyze the document also on other version of Office / Acrobat
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Startup

  • System is w10x64
  • AcroRd32.exe (PID: 808 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\TETRATECH Covid-19 Stimulus Funds.pdf' MD5: B969CF0C7B2C443A99034881E8C8740A)
    • AcroRd32.exe (PID: 6296 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\TETRATECH Covid-19 Stimulus Funds.pdf' MD5: B969CF0C7B2C443A99034881E8C8740A)
    • RdrCEF.exe (PID: 6168 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 6600 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1728,5754072549746782878,9114216532001329358,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=3954240331908333317 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3954240331908333317 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 6740 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1728,5754072549746782878,9114216532001329358,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=10276253575640265967 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 6608 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1728,5754072549746782878,9114216532001329358,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=14130125459791333574 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14130125459791333574 --renderer-client-id=4 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 7084 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1728,5754072549746782878,9114216532001329358,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8407246014169871722 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8407246014169871722 --renderer-client-id=5 --mojo-platform-channel-handle=2480 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
    • iexplore.exe (PID: 2740 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' https://my-site-105523-100173.weeblysite.com/ MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 4528 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2740 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Compliance:

barindex
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
Uses secure TLS version for HTTPS connectionsShow sources
Source: unknownHTTPS traffic detected: 199.34.228.96:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknownHTTPS traffic detected: 199.34.228.96:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknownHTTPS traffic detected: 54.212.183.219:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknownHTTPS traffic detected: 54.212.183.219:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknownHTTPS traffic detected: 74.115.50.110:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknownHTTPS traffic detected: 74.115.50.110:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknownHTTPS traffic detected: 74.115.50.110:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: Joe Sandbox ViewIP Address: 151.101.1.46 151.101.1.46
Source: Joe Sandbox ViewIP Address: 151.101.1.46 151.101.1.46
Source: Joe Sandbox ViewIP Address: 80.0.0.0 80.0.0.0
Source: Joe Sandbox ViewJA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: msapplication.xml0.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x90ded133,0x01d6fc0d</date><accdate>0x90ded133,0x01d6fc0d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x90ded133,0x01d6fc0d</date><accdate>0x90e13143,0x01d6fc0d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x90e5f66a,0x01d6fc0d</date><accdate>0x90e5f66a,0x01d6fc0d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x90e5f66a,0x01d6fc0d</date><accdate>0x90e5f66a,0x01d6fc0d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x90e8587f,0x01d6fc0d</date><accdate>0x90e8587f,0x01d6fc0d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.18.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x90e8587f,0x01d6fc0d</date><accdate>0x90e8587f,0x01d6fc0d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknownDNS traffic detected: queries for: weeblysite.com
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AcroRd32.exe, 00000001.00000003.804623464.000000000B3A7000.00000004.00000001.sdmpString found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe, 00000001.00000003.804623464.000000000B3A7000.00000004.00000001.sdmpString found in binary or memory: http://cipa.jp/exif/1.0/(15)
Source: AcroRd32.exe, 00000001.00000003.804623464.000000000B3A7000.00000004.00000001.sdmpString found in binary or memory: http://cipa.jp/exif/1.0/_1
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/4
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0C
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0H
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0I
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0O
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/extension/-29/
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/field#8-02-29/m#D
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/field#y#
Source: AcroRd32.exe, 00000001.00000003.804623464.000000000B3A7000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe, 00000001.00000003.804623464.000000000B3A7000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/id/bo
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/property#V
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/schema#b#
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/type##nifestItem#r
Source: AcroRd32.exe, 00000001.00000003.804623464.000000000B3A7000.00000004.00000001.sdmpString found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: msapplication.xml.18.drString found in binary or memory: http://www.amazon.com/
Source: site.19e2b99b084b05df36a8.en[1].js.19.drString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: msapplication.xml1.18.drString found in binary or memory: http://www.google.com/
Source: msapplication.xml2.18.drString found in binary or memory: http://www.live.com/
Source: AcroRd32.exe, 00000001.00000003.804623464.000000000B3A7000.00000004.00000001.sdmpString found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: AcroRd32.exe, 00000001.00000003.804623464.000000000B3A7000.00000004.00000001.sdmpString found in binary or memory: http://www.npes.org/pdfx/ns/id/?n
Source: msapplication.xml3.18.drString found in binary or memory: http://www.nytimes.com/
Source: AcroRd32.exe, 00000001.00000002.806893936.0000000007920000.00000002.00000001.sdmpString found in binary or memory: http://www.osmf.org/default/1.0%http://www.osmf.org/mediatype/default
Source: AcroRd32.exe, 00000001.00000002.806893936.0000000007920000.00000002.00000001.sdmpString found in binary or memory: http://www.osmf.org/drm/default
Source: AcroRd32.exe, 00000001.00000002.806893936.0000000007920000.00000002.00000001.sdmpString found in binary or memory: http://www.osmf.org/elementId%http://www.osmf.org/temporal/embedded$http://www.osmf.org/temporal/dyn
Source: AcroRd32.exe, 00000001.00000002.806893936.0000000007920000.00000002.00000001.sdmpString found in binary or memory: http://www.osmf.org/layout/anchor
Source: AcroRd32.exe, 00000001.00000002.806893936.0000000007920000.00000002.00000001.sdmpString found in binary or memory: http://www.osmf.org/layout/padding%http://www.osmf.org/layout/attributes
Source: AcroRd32.exe, 00000001.00000002.806893936.0000000007920000.00000002.00000001.sdmpString found in binary or memory: http://www.osmf.org/region/target#http://www.osmf.org/layout/renderer#http://www.osmf.org/layout/abs
Source: AcroRd32.exe, 00000001.00000002.806893936.0000000007920000.00000002.00000001.sdmpString found in binary or memory: http://www.osmf.org/subclip/1.0
Source: AcroRd32.exe, 00000001.00000002.806893936.0000000007920000.00000002.00000001.sdmpString found in binary or memory: http://www.quicktime.com.Acrobat
Source: msapplication.xml4.18.drString found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.18.drString found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.18.drString found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.18.drString found in binary or memory: http://www.youtube.com/
Source: AcroRd32.exe, 00000001.00000002.822702941.000000000CEC5000.00000004.00000001.sdmpString found in binary or memory: https://.OKCancelEdit
Source: AcroRd32.exe, 00000001.00000002.821877638.000000000CC18000.00000004.00000001.sdmpString found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/
Source: AcroRd32.exe, 00000001.00000002.821877638.000000000CC18000.00000004.00000001.sdmpString found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/A
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpString found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/jM
Source: AcroRd32.exe, 00000001.00000002.822563679.000000000CE8C000.00000004.00000001.sdmpString found in binary or memory: https://api.echosign.com
Source: AcroRd32.exe, 00000001.00000002.822563679.000000000CE8C000.00000004.00000001.sdmpString found in binary or memory: https://api.echosign.comH
Source: AcroRd32.exe, 00000001.00000002.822563679.000000000CE8C000.00000004.00000001.sdmpString found in binary or memory: https://api.echosign.comRLW
Source: FVZBQN4S.htm.19.drString found in binary or memory: https://cdn3.editmysite.com/app/checkout/assets/checkout/css/cko.e4d7b6c3391e50ded088.css
Source: FVZBQN4S.htm.19.drString found in binary or memory: https://cdn3.editmysite.com/app/checkout/assets/checkout/imports.en.5190980851c8e63fd7692575cadd2295
Source: FVZBQN4S.htm.19.drString found in binary or memory: https://cdn3.editmysite.com/app/checkout/assets/checkout/js/system.min.b9e210033fc5b0895164e282cbf89
Source: FVZBQN4S.htm.19.drString found in binary or memory: https://cdn3.editmysite.com/app/website/
Source: FVZBQN4S.htm.19.drString found in binary or memory: https://cdn3.editmysite.com/app/website/css/site.19e2b99b084b05df36a8.css
Source: FVZBQN4S.htm.19.drString found in binary or memory: https://cdn3.editmysite.com/app/website/js/runtime.4c27edfb51f63cc2e6e5.en.js
Source: FVZBQN4S.htm.19.drString found in binary or memory: https://cdn3.editmysite.com/app/website/js/site.19e2b99b084b05df36a8.en.js
Source: FVZBQN4S.htm.19.drString found in binary or memory: https://cdn4.editmysite.com
Source: site.19e2b99b084b05df36a8.en[1].js.19.drString found in binary or memory: https://f.fontdeck.com/s/css/js/
Source: site.19e2b99b084b05df36a8.en[1].js.19.drString found in binary or memory: https://feross.org
Source: site.19e2b99b084b05df36a8[1].css.19.drString found in binary or memory: https://getbootstrap.com/)
Source: site.19e2b99b084b05df36a8[1].css.19.drString found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: FVZBQN4S.htm.19.drString found in binary or memory: https://images.editor.website
Source: AcroRd32.exe, 00000001.00000002.811859867.0000000009175000.00000004.00000001.sdmpString found in binary or memory: https://ims-na1.adobelogin.com
Source: AcroRd32.exe, 00000001.00000002.811859867.0000000009175000.00000004.00000001.sdmpString found in binary or memory: https://ims-na1.adobelogin.com(
Source: FVZBQN4S.htm.19.drString found in binary or memory: https://js.squareup.com/v2/paymentform
Source: AcroRd32.exe, 00000001.00000002.805992709.000000000510D000.00000004.00000020.sdmpString found in binary or memory: https://my-site-105523-100173.weebl
Source: AcroRd32.exe, 00000001.00000002.821877638.000000000CC18000.00000004.00000001.sdmp, FVZBQN4S.htm.19.drString found in binary or memory: https://my-site-105523-100173.weeblysite.com
Source: AcroRd32.exe, 00000001.00000002.806360065.00000000057D0000.00000002.00000001.sdmp, AcroRd32.exe, 00000001.00000002.819505702.000000000B13F000.00000004.00000001.sdmp, ~DF4E0B9E52D160D036.TMP.18.drString found in binary or memory: https://my-site-105523-100173.weeblysite.com/
Source: my-site-105523-100173.weeblysite[1].xml.19.drString found in binary or memory: https://my-site-105523-100173.weeblysite.com/&quot;
Source: TETRATECH Covid-19 Stimulus Funds.pdfString found in binary or memory: https://my-site-105523-100173.weeblysite.com/)
Source: AcroRd32.exe, 00000001.00000002.819505702.000000000B13F000.00000004.00000001.sdmpString found in binary or memory: https://my-site-105523-100173.weeblysite.com/:
Source: {B9DB4C8A-6800-11EB-90EB-ECF4BBEA1588}.dat.18.drString found in binary or memory: https://my-site-105523-100173.weeblysite.com/Root
Source: AcroRd32.exe, 00000001.00000002.819505702.000000000B13F000.00000004.00000001.sdmpString found in binary or memory: https://my-site-105523-100173.weeblysite.com/Y
Source: AcroRd32.exe, 00000001.00000002.819505702.000000000B13F000.00000004.00000001.sdmpString found in binary or memory: https://my-site-105523-100173.weeblysite.com/k
Source: AcroRd32.exe, 00000001.00000002.820173613.000000000B342000.00000004.00000001.sdmpString found in binary or memory: https://my-site-105523-100173.weeblysite.com/p
Source: FVZBQN4S.htm.19.drString found in binary or memory: https://sandbox.square.online
Source: FVZBQN4S.htm.19.drString found in binary or memory: https://square.online
Source: site.19e2b99b084b05df36a8.en[1].js.19.drString found in binary or memory: https://use.typekit.net
Source: AcroRd32.exe, 00000001.00000002.811408834.00000000087DD000.00000002.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: FVZBQN4S.htm.19.drString found in binary or memory: https://www.editmysite.com
Source: FVZBQN4S.htm.19.drString found in binary or memory: https://www.weebly.com
Source: imagestore.dat.19.dr, FVZBQN4S.htm.19.drString found in binary or memory: https://www.weebly.com/favicon.ico
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49780
Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49777
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49774
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49773
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49771
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49780 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49777 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
Source: unknownNetwork traffic detected: HTTP traffic on port 49771 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
Source: unknownHTTPS traffic detected: 199.34.228.96:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknownHTTPS traffic detected: 199.34.228.96:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknownHTTPS traffic detected: 151.101.1.46:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknownHTTPS traffic detected: 54.212.183.219:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknownHTTPS traffic detected: 54.212.183.219:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknownHTTPS traffic detected: 74.115.50.110:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknownHTTPS traffic detected: 74.115.50.110:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknownHTTPS traffic detected: 74.115.50.110:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: classification engineClassification label: clean1.winPDF@17/74@8/6
Source: TETRATECH Covid-19 Stimulus Funds.pdfInitial sample: https://my-site-105523-100173.weeblysite.com/
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeFile created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIconsJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeFile created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R2uw3yd_7nbm5d_4uw.tmpJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeFile read: C:\Users\desktop.iniJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\TETRATECH Covid-19 Stimulus Funds.pdf'
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\TETRATECH Covid-19 Stimulus Funds.pdf'
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1728,5754072549746782878,9114216532001329358,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=3954240331908333317 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3954240331908333317 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1728,5754072549746782878,9114216532001329358,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=10276253575640265967 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1728,5754072549746782878,9114216532001329358,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=14130125459791333574 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14130125459791333574 --renderer-client-id=4 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job /prefetch:1
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1728,5754072549746782878,9114216532001329358,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8407246014169871722 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8407246014169871722 --renderer-client-id=5 --mojo-platform-channel-handle=2480 --allow-no-sandbox-job /prefetch:1
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://my-site-105523-100173.weeblysite.com/
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2740 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\TETRATECH Covid-19 Stimulus Funds.pdf'Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://my-site-105523-100173.weeblysite.com/Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1728,5754072549746782878,9114216532001329358,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=3954240331908333317 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3954240331908333317 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1728,5754072549746782878,9114216532001329358,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=10276253575640265967 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1728,5754072549746782878,9114216532001329358,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=14130125459791333574 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14130125459791333574 --renderer-client-id=4 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job /prefetch:1Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1728,5754072549746782878,9114216532001329358,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8407246014169871722 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8407246014169871722 --renderer-client-id=5 --mojo-platform-channel-handle=2480 --allow-no-sandbox-job /prefetch:1Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2740 CREDAT:17410 /prefetch:2Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeFile opened: C:\Windows\SysWOW64\Msftedit.dllJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
Source: TETRATECH Covid-19 Stimulus Funds.pdfInitial sample: PDF keyword /JS count = 0
Source: TETRATECH Covid-19 Stimulus Funds.pdfInitial sample: PDF keyword /JavaScript count = 0
Source: TETRATECH Covid-19 Stimulus Funds.pdfInitial sample: PDF keyword /EmbeddedFile count = 0
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: AcroRd32.exe, 00000001.00000002.822117594.000000000CC83000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeCode function: 1_2_04E0B1D0 LdrInitializeThunk,1_2_04E0B1D0
Source: AcroRd32.exe, 00000001.00000002.806360065.00000000057D0000.00000002.00000001.sdmpBinary or memory string: Program Manager
Source: AcroRd32.exe, 00000001.00000002.806360065.00000000057D0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: AcroRd32.exe, 00000001.00000002.806360065.00000000057D0000.00000002.00000001.sdmpBinary or memory string: Progman
Source: AcroRd32.exe, 00000001.00000002.806360065.00000000057D0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Spearphishing Link1Windows Management InstrumentationPath InterceptionProcess Injection2Masquerading1OS Credential DumpingSecurity Software Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection2LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerFile and Directory Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 349485 Sample: TETRATECH Covid-19 Stimulus... Startdate: 05/02/2021 Architecture: WINDOWS Score: 1 35 www.weebly.com 2->35 37 weebly.com 2->37 7 AcroRd32.exe 17 48 2->7         started        process3 process4 9 RdrCEF.exe 54 7->9         started        12 iexplore.exe 1 76 7->12         started        14 AcroRd32.exe 10 7 7->14         started        dnsIp5 39 192.168.2.1 unknown unknown 9->39 16 RdrCEF.exe 9->16         started        19 RdrCEF.exe 9->19         started        21 RdrCEF.exe 9->21         started        23 RdrCEF.exe 9->23         started        41 weeblysite.com 12->41 43 my-site-105523-100173.weeblysite.com 12->43 25 iexplore.exe 5 45 12->25         started        45 weeblysite.com 14->45 process6 dnsIp7 27 80.0.0.0 NTLGB United Kingdom 16->27 29 weeblysite.com 199.34.228.96, 443, 49766, 49767 WEEBLYUS United States 25->29 31 weebly.com 74.115.50.110, 443, 49778, 49779 WEEBLYUS United States 25->31 33 7 other IPs or domains 25->33

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.