Analysis Report Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf

Overview

General Information

Sample Name:	Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf
Analysis ID:	358572
MD5:	dbfaf169fa1ba4c2a4f321a57d06a9af
SHA1:	49602a3acf1bf4199e940fa7c2d6435e900b431c
SHA256:	5a53c07a8d9d58bdc22bc1ebae72d1a20d63803ffec3b28b667640928c45bd54
Infos:
Most interesting Screenshot:

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Machine Learning detection for sample

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PDF has an OpenAction (likely to launch a dropper script)

Classification

Signatures

AV Detection:

Machine Learning detection for sample

Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf

Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49786 version: TLS 1.2

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 80.0.0.0 80.0.0.0

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: msapplication.xml0.18.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x279990c6,0x01d70bb4</date><accdate>0x279990c6,0x01d70bb4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.18.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x279990c6,0x01d70bb4</date><accdate>0x279990c6,0x01d70bb4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.18.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x279e553b,0x01d70bb4</date><accdate>0x279e553b,0x01d70bb4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.18.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x279e553b,0x01d70bb4</date><accdate>0x279e553b,0x01d70bb4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.18.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x27a0b797,0x01d70bb4</date><accdate>0x27a0b797,0x01d70bb4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.18.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x27a0b797,0x01d70bb4</date><accdate>0x27a0b797,0x01d70bb4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: joom.ag

Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AcroRd32.exe, 00000001.00000002.813954896.000000000B671000.00000004.00000001.sdmp	String found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe, 00000001.00000002.813954896.000000000B671000.00000004.00000001.sdmp	String found in binary or memory: http://cipa.jp/exif/1.0/1.0/l4XRg
Source: AcroRd32.exe, 00000001.00000002.813954896.000000000B671000.00000004.00000001.sdmp	String found in binary or memory: http://cipa.jp/exif/1.0/_1
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: olb8zpk[1].js.19.dr	String found in binary or memory: http://typekit.com/eulas/0000000000000000000148a0
Source: olb8zpk[1].js.19.dr	String found in binary or memory: http://typekit.com/eulas/0000000000000000000148a2
Source: olb8zpk[1].js.19.dr	String found in binary or memory: http://typekit.com/eulas/0000000000000000000148a4
Source: olb8zpk[1].js.19.dr	String found in binary or memory: http://typekit.com/eulas/0000000000000000000148a6
Source: olb8zpk[1].js.19.dr	String found in binary or memory: http://typekit.com/eulas/0000000000000000000148ac
Source: olb8zpk[1].js.19.dr	String found in binary or memory: http://typekit.com/eulas/00000000000000000001499c
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe, 00000001.00000002.813954896.000000000B671000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/type#R
Source: AcroRd32.exe, 00000001.00000002.813954896.000000000B671000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: AcroRd32.exe, 00000001.00000002.813954896.000000000B671000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfe/ns/id/(2
Source: msapplication.xml.18.dr	String found in binary or memory: http://www.amazon.com/
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	String found in binary or memory: http://www.dynaforms.com
Source: msapplication.xml1.18.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.18.dr	String found in binary or memory: http://www.live.com/
Source: AcroRd32.exe, 00000001.00000002.813954896.000000000B671000.00000004.00000001.sdmp	String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: msapplication.xml3.18.dr	String found in binary or memory: http://www.nytimes.com/
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.osmf.org/default/1.0%http://www.osmf.org/mediatype/default
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.osmf.org/drm/default
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.osmf.org/elementId%http://www.osmf.org/temporal/embedded$http://www.osmf.org/temporal/dyn
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.osmf.org/layout/anchor
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.osmf.org/layout/padding%http://www.osmf.org/layout/attributes
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.osmf.org/region/target#http://www.osmf.org/layout/renderer#http://www.osmf.org/layout/abs
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.osmf.org/subclip/1.0
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.quicktime.com.Acrobat
Source: msapplication.xml4.18.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.18.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.18.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.18.dr	String found in binary or memory: http://www.youtube.com/
Source: AcroRd32.exe, 00000001.00000002.813413074.000000000B4B5000.00000004.00000001.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/
Source: AcroRd32.exe, 00000001.00000003.796965422.000000000B5D9000.00000004.00000001.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/
Source: AcroRd32.exe, 00000001.00000002.813413074.000000000B4B5000.00000004.00000001.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/p
Source: AcroRd32.exe, 00000001.00000002.813413074.000000000B4B5000.00000004.00000001.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/y
Source: AcroRd32.exe, 00000001.00000002.807459695.00000000092BE000.00000004.00000001.sdmp	String found in binary or memory: https://api.echosign.com
Source: AcroRd32.exe, 00000001.00000002.807459695.00000000092BE000.00000004.00000001.sdmp	String found in binary or memory: https://ims-na1.adobelogin.com
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: https://joom.ag
Source: {51AA8483-77A7-11EB-90EB-ECF4BBEA1588}.dat.18.dr	String found in binary or memory: https://joom.ag/9JYI
Source: AcroRd32.exe, 00000001.00000002.811679843.000000000A6B1000.00000004.00000001.sdmp, Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	String found in binary or memory: https://joom.ag/9JYI)
Source: {51AA8483-77A7-11EB-90EB-ECF4BBEA1588}.dat.18.dr	String found in binary or memory: https://joom.ag/9JYIRoot
Source: AcroRd32.exe, 00000001.00000002.811679843.000000000A6B1000.00000004.00000001.sdmp, Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	String found in binary or memory: https://joom.ag/ZJYI)
Source: AcroRd32.exe, 00000001.00000002.814287929.000000000B74A000.00000004.00000001.sdmp	String found in binary or memory: https://joom.ag1)
Source: AcroRd32.exe, 00000001.00000002.814287929.000000000B74A000.00000004.00000001.sdmp	String found in binary or memory: https://joom.agt
Source: olb8zpk[1].js.19.dr	String found in binary or memory: https://p.typekit.net/p.gif
Source: olb8zpk[1].js.19.dr	String found in binary or memory: https://use.typekit.net/af/1eef01/0000000000000000000148ac/23/
Source: olb8zpk[1].js.19.dr	String found in binary or memory: https://use.typekit.net/af/3ba24d/0000000000000000000148a0/23/
Source: olb8zpk[1].js.19.dr	String found in binary or memory: https://use.typekit.net/af/3d81f6/0000000000000000000148a2/23/
Source: olb8zpk[1].js.19.dr	String found in binary or memory: https://use.typekit.net/af/42fca5/0000000000000000000148a4/23/
Source: olb8zpk[1].js.19.dr	String found in binary or memory: https://use.typekit.net/af/bc719c/00000000000000000001499c/23/
Source: olb8zpk[1].js.19.dr	String found in binary or memory: https://use.typekit.net/af/e0b8be/0000000000000000000148a6/23/
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: AcroRd32.exe, 00000001.00000002.811679843.000000000A6B1000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.813000356.000000000B26F000.00000004.00000001.sdmp, Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	String found in binary or memory: https://www.pdfescape.com
Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	String found in binary or memory: https://www.pdfescape.com)/CreationDate(D:20210222193218
Source: AcroRd32.exe, 00000001.00000002.811601438.000000000A600000.00000004.00000001.sdmp	String found in binary or memory: https://www.pdfescape.com8g~_)
Source: AcroRd32.exe, 00000001.00000002.811679843.000000000A6B1000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp, Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	String found in binary or memory: https://www.radpdf.com
Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	String found in binary or memory: https://www.radpdf.com)/Creator(PDFescape

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778

Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49786 version: TLS 1.2

System Summary:

Source: classification engine

Classification label: sus22.winPDF@17/78@9/3

Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	Initial sample: https://joom.ag/ZJYI
Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	Initial sample: https://joom.ag/9JYI
Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	Initial sample: https://joom.ag/9jyi
Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	Initial sample: https://joom.ag/zjyi

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.7148

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R11o4zj2_ozzjta_5ik.tmp

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf'
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf'
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=3943672393428629375 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3943672393428629375 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=1360000876293854838 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=511033688939430806 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=511033688939430806 --renderer-client-id=4 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job /prefetch:1
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6159965884629463958 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6159965884629463958 --renderer-client-id=5 --mojo-platform-channel-handle=1860 --allow-no-sandbox-job /prefetch:1
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://joom.ag/9JYI
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2740 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf'	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://joom.ag/9JYI	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=3943672393428629375 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3943672393428629375 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=1360000876293854838 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=511033688939430806 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=511033688939430806 --renderer-client-id=4 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job /prefetch:1	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6159965884629463958 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6159965884629463958 --renderer-client-id=5 --mojo-platform-channel-handle=1860 --allow-no-sandbox-job /prefetch:1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2740 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File opened: C:\Windows\SysWOW64\Msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	Initial sample: PDF keyword /JS count = 0
Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Data Obfuscation:

PDF has an OpenAction (likely to launch a dropper script)

Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf

Initial sample: PDF keyword /OpenAction

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: AcroRd32.exe, 00000001.00000002.814062138.000000000B6B5000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Code function: 1_2_04F721D0 LdrInitializeThunk,

1_2_04F721D0

HIPS / PFW / Operating System Protection Evasion:

Source: AcroRd32.exe, 00000001.00000002.798863955.00000000057F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: AcroRd32.exe, 00000001.00000002.798863955.00000000057F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: AcroRd32.exe, 00000001.00000002.798863955.00000000057F0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: AcroRd32.exe, 00000001.00000002.798863955.00000000057F0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
80.0.0.0	unknown	United Kingdom		5089	NTLGB	false
209.95.50.27	unknown	United States		32780	HOSTINGSERVICES-INCUS	false

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
lb.joomag.com	209.95.50.27	true
joom.ag	209.95.50.27	true
www.joomag.com	unknown	unknown
use.typekit.net	unknown	unknown
p.typekit.net	unknown	unknown
js-agent.newrelic.com	unknown	unknown
bam-cell.nr-data.net	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://joom.ag/9JYI	true		unknown

AV Detection:

Machine Learning detection for sample

Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf

Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49786 version: TLS 1.2

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 80.0.0.0 80.0.0.0

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: msapplication.xml0.18.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x279990c6,0x01d70bb4</date><accdate>0x279990c6,0x01d70bb4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.18.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x279990c6,0x01d70bb4</date><accdate>0x279990c6,0x01d70bb4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.18.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x279e553b,0x01d70bb4</date><accdate>0x279e553b,0x01d70bb4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.18.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x279e553b,0x01d70bb4</date><accdate>0x279e553b,0x01d70bb4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.18.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x27a0b797,0x01d70bb4</date><accdate>0x27a0b797,0x01d70bb4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.18.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x27a0b797,0x01d70bb4</date><accdate>0x27a0b797,0x01d70bb4</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: joom.ag

Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AcroRd32.exe, 00000001.00000002.813954896.000000000B671000.00000004.00000001.sdmp	String found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe, 00000001.00000002.813954896.000000000B671000.00000004.00000001.sdmp	String found in binary or memory: http://cipa.jp/exif/1.0/1.0/l4XRg
Source: AcroRd32.exe, 00000001.00000002.813954896.000000000B671000.00000004.00000001.sdmp	String found in binary or memory: http://cipa.jp/exif/1.0/_1
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: olb8zpk[1].js.19.dr	String found in binary or memory: http://typekit.com/eulas/0000000000000000000148a0
Source: olb8zpk[1].js.19.dr	String found in binary or memory: http://typekit.com/eulas/0000000000000000000148a2
Source: olb8zpk[1].js.19.dr	String found in binary or memory: http://typekit.com/eulas/0000000000000000000148a4
Source: olb8zpk[1].js.19.dr	String found in binary or memory: http://typekit.com/eulas/0000000000000000000148a6
Source: olb8zpk[1].js.19.dr	String found in binary or memory: http://typekit.com/eulas/0000000000000000000148ac
Source: olb8zpk[1].js.19.dr	String found in binary or memory: http://typekit.com/eulas/00000000000000000001499c
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe, 00000001.00000002.813954896.000000000B671000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/type#R
Source: AcroRd32.exe, 00000001.00000002.813954896.000000000B671000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: AcroRd32.exe, 00000001.00000002.813954896.000000000B671000.00000004.00000001.sdmp	String found in binary or memory: http://www.aiim.org/pdfe/ns/id/(2
Source: msapplication.xml.18.dr	String found in binary or memory: http://www.amazon.com/
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	String found in binary or memory: http://www.dynaforms.com
Source: msapplication.xml1.18.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.18.dr	String found in binary or memory: http://www.live.com/
Source: AcroRd32.exe, 00000001.00000002.813954896.000000000B671000.00000004.00000001.sdmp	String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: msapplication.xml3.18.dr	String found in binary or memory: http://www.nytimes.com/
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.osmf.org/default/1.0%http://www.osmf.org/mediatype/default
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.osmf.org/drm/default
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.osmf.org/elementId%http://www.osmf.org/temporal/embedded$http://www.osmf.org/temporal/dyn
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.osmf.org/layout/anchor
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.osmf.org/layout/padding%http://www.osmf.org/layout/attributes
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.osmf.org/region/target#http://www.osmf.org/layout/renderer#http://www.osmf.org/layout/abs
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.osmf.org/subclip/1.0
Source: AcroRd32.exe, 00000001.00000002.799506231.0000000007BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.quicktime.com.Acrobat
Source: msapplication.xml4.18.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.18.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.18.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.18.dr	String found in binary or memory: http://www.youtube.com/
Source: AcroRd32.exe, 00000001.00000002.813413074.000000000B4B5000.00000004.00000001.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/
Source: AcroRd32.exe, 00000001.00000003.796965422.000000000B5D9000.00000004.00000001.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/
Source: AcroRd32.exe, 00000001.00000002.813413074.000000000B4B5000.00000004.00000001.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/p
Source: AcroRd32.exe, 00000001.00000002.813413074.000000000B4B5000.00000004.00000001.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/y
Source: AcroRd32.exe, 00000001.00000002.807459695.00000000092BE000.00000004.00000001.sdmp	String found in binary or memory: https://api.echosign.com
Source: AcroRd32.exe, 00000001.00000002.807459695.00000000092BE000.00000004.00000001.sdmp	String found in binary or memory: https://ims-na1.adobelogin.com
Source: AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp	String found in binary or memory: https://joom.ag
Source: {51AA8483-77A7-11EB-90EB-ECF4BBEA1588}.dat.18.dr	String found in binary or memory: https://joom.ag/9JYI
Source: AcroRd32.exe, 00000001.00000002.811679843.000000000A6B1000.00000004.00000001.sdmp, Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	String found in binary or memory: https://joom.ag/9JYI)
Source: {51AA8483-77A7-11EB-90EB-ECF4BBEA1588}.dat.18.dr	String found in binary or memory: https://joom.ag/9JYIRoot
Source: AcroRd32.exe, 00000001.00000002.811679843.000000000A6B1000.00000004.00000001.sdmp, Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	String found in binary or memory: https://joom.ag/ZJYI)
Source: AcroRd32.exe, 00000001.00000002.814287929.000000000B74A000.00000004.00000001.sdmp	String found in binary or memory: https://joom.ag1)
Source: AcroRd32.exe, 00000001.00000002.814287929.000000000B74A000.00000004.00000001.sdmp	String found in binary or memory: https://joom.agt
Source: olb8zpk[1].js.19.dr	String found in binary or memory: https://p.typekit.net/p.gif
Source: olb8zpk[1].js.19.dr	String found in binary or memory: https://use.typekit.net/af/1eef01/0000000000000000000148ac/23/
Source: olb8zpk[1].js.19.dr	String found in binary or memory: https://use.typekit.net/af/3ba24d/0000000000000000000148a0/23/
Source: olb8zpk[1].js.19.dr	String found in binary or memory: https://use.typekit.net/af/3d81f6/0000000000000000000148a2/23/
Source: olb8zpk[1].js.19.dr	String found in binary or memory: https://use.typekit.net/af/42fca5/0000000000000000000148a4/23/
Source: olb8zpk[1].js.19.dr	String found in binary or memory: https://use.typekit.net/af/bc719c/00000000000000000001499c/23/
Source: olb8zpk[1].js.19.dr	String found in binary or memory: https://use.typekit.net/af/e0b8be/0000000000000000000148a6/23/
Source: AcroRd32.exe, 00000001.00000002.806311822.0000000008A8D000.00000002.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: AcroRd32.exe, 00000001.00000002.811679843.000000000A6B1000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.813000356.000000000B26F000.00000004.00000001.sdmp, Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	String found in binary or memory: https://www.pdfescape.com
Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	String found in binary or memory: https://www.pdfescape.com)/CreationDate(D:20210222193218
Source: AcroRd32.exe, 00000001.00000002.811601438.000000000A600000.00000004.00000001.sdmp	String found in binary or memory: https://www.pdfescape.com8g~_)
Source: AcroRd32.exe, 00000001.00000002.811679843.000000000A6B1000.00000004.00000001.sdmp, AcroRd32.exe, 00000001.00000002.813758482.000000000B5B1000.00000004.00000001.sdmp, Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	String found in binary or memory: https://www.radpdf.com
Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	String found in binary or memory: https://www.radpdf.com)/Creator(PDFescape

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778

Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 209.95.50.27:443 -> 192.168.2.4:49786 version: TLS 1.2

System Summary:

Source: classification engine

Classification label: sus22.winPDF@17/78@9/3

Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	Initial sample: https://joom.ag/ZJYI
Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	Initial sample: https://joom.ag/9JYI
Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	Initial sample: https://joom.ag/9jyi
Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	Initial sample: https://joom.ag/zjyi

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.7148

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R11o4zj2_ozzjta_5ik.tmp

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf'
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf'
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=3943672393428629375 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3943672393428629375 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=1360000876293854838 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=511033688939430806 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=511033688939430806 --renderer-client-id=4 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job /prefetch:1
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6159965884629463958 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6159965884629463958 --renderer-client-id=5 --mojo-platform-channel-handle=1860 --allow-no-sandbox-job /prefetch:1
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://joom.ag/9JYI
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2740 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf'	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://joom.ag/9JYI	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=3943672393428629375 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3943672393428629375 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=1360000876293854838 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=511033688939430806 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=511033688939430806 --renderer-client-id=4 --mojo-platform-channel-handle=1856 --allow-no-sandbox-job /prefetch:1	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1712,3132147786374165480,18202446835359099183,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=6159965884629463958 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6159965884629463958 --renderer-client-id=5 --mojo-platform-channel-handle=1860 --allow-no-sandbox-job /prefetch:1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2740 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File opened: C:\Windows\SysWOW64\Msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	Initial sample: PDF keyword /JS count = 0
Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Data Obfuscation:

PDF has an OpenAction (likely to launch a dropper script)

Source: Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf

Initial sample: PDF keyword /OpenAction

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: AcroRd32.exe, 00000001.00000002.814062138.000000000B6B5000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Code function: 1_2_04F721D0 LdrInitializeThunk,

1_2_04F721D0

HIPS / PFW / Operating System Protection Evasion:

Source: AcroRd32.exe, 00000001.00000002.798863955.00000000057F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: AcroRd32.exe, 00000001.00000002.798863955.00000000057F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: AcroRd32.exe, 00000001.00000002.798863955.00000000057F0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: AcroRd32.exe, 00000001.00000002.798863955.00000000057F0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

ID:	358572
Product:	CloudBasic
Start time:	21:21:41
Start date:	25.02.2021
Sample:	Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf
Cookbook:	defaultwindowspdfcookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	dbfaf169fa1ba4c2a4f321a57d06a9af
SHA1:	49602a3acf1bf4199e940fa7c2d6435e900b431c
SHA256:	5a53c07a8d9d58bdc22bc1ebae72d1a20d63803ffec3b28b667640928c45bd54
Filetype:	Adobe Portable Document Format (5005/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0	data	EA82252C85CF65B1DE5205A215C14B88	C6CCE813536299C1C8807162F9EB0E28582F7216	D91DCF24BB4CB823BC16E1637C80471801CBD274999FD4E6472CE5D07C53E03E
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0	data	1C798AEF9E49AE0DA938D5ACA698FF35	7AF2CD9048FAAA253A1F2E46CBBDEBBAF8F40665	7922F490EE022E5245C7D2EF00661CD3D637609905143B495C123DB4C9C5C501
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0	data	8F3D76D6B58DF71D566932890356E832	D06907192022648BB5D2BEE0144A880342BDAE5A	A1886F75BBB4FCE800ED5955A85B668D1E5292A59A89A5B06580D92811EBC81F
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0ace9ee3d914a5c0_0	data	3927AF9F876AEA86471256D4ED25B14D	BF07EF978360648349346CE29D08491289904D50	58F549E1BD72FF6C0A19FAE81528D9F4A35613A8990DD89815EEFF750240CAC7
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0	data	AD7E7BC95D56F0D3C804A24F5172A01E	7C23C8E17A9D94F50A0DED99189E7C1C5B4E42C9	AE800A55F398A047F708585BB1DAEEEC95F1F27E51924EC5A8192D0FEB6FCAB8
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0	data	5637EA07C984203222AB908131B2075C	5DD061BE694953DEE5D0485884CC4FBA981CEABD	C72DEA99B4F5CBDFF790C28EC222A80AE7E8EAEACAF75EAA764C82B7BEA639C8
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0	data	7AFE639E30EB9B83A244D9D80287068A	EC4CE5ECA05E7A24B97F28FA40B2A20E078085CC	1688513F9597377CB34CF30736560561D1C25FCABB5451096AF1963BCBC36F53
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0	data	8510850DD6FD537B926F957E8654D688	85EAD22C8354C15A106BFC6AD32155C164802D46	8958BC5F2EB7C3C3568D34898AE1769FB11DFB8728C1E4479A420C84FA55DC4E
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\3a4ae3940784292a_0	data	D23F84B4EF4897D85EAA4FD12C082631	C25E6E7B45531633B73138741208AE814CA369EB	B5082E6C46F894BC918570DCCAA3BA25699A510E73A464E31321D7BD513FC0D6
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0	data	0DCE83EF48AB3F8547CF524CD91922DD	5247AB22B0C3E515B08F8C8F067B6ED75502951F	B958F4A99579B4CFF048591D1E4CAC736BA550B35B0AE981F6357AAD3A425901
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0	data	262C665B20680099769D75777E0DC68C	90D1CFFEC116F94526E389E481D428931C47F814	063E846FB234FB13A2DA96ACB6DF24A8C6D15C29025B543CC422FA1587539A4B
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0	data	CC100E0AC45238AC0614A3CDAE43F702	3CC688C1C9C55AFCF290FB0909231FAAE26E9C77	37F236FE7DAA5ED44217ACAC4356DD54AA8BED25F7BF862756A006DFC1C9F538
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6fb6d030c4ebbc21_0	data	EFF8255B817B917D52ECD6440BEABDB3	09E125271664BC5571043F1D74AE19F074053EC3	57AB402BFA3571A4403AA9C7026E54F197B979D4DC296B033F2C463D47384B22
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0	data	0AE309079C7178ECDBFEB27844EF8A3B	231502EF2695213637CF7889965D117DD87AC757	D0B6414989E7CD8467BF9917502C763F34A1BBCFCB93F732118EAD79895D201A
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\71febec55d5c75cd_0	data	98CB58E46688CC77B696AF311AC7249E	A6CE5A2D1691971CBF7C20BF4FC43F62859A43D0	BCA1EFF33A666B256707B7E5B17A595FA5CCC6B4A9DCE00A7771011490CA0239
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0	data	3537D00BD24ABD54EA291A14CF9B2904	84C3D801A8E538454397D4BFB2321D087A106CEC	9391DF248801E348A84C524F8F562B22E9F500309D5AB23ED8421CE189CEB284
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0	data	2F9C35CD39268A486BD7EF725C2821E1	C25FFEF1601B5F06767710C21A03761D48BB9148	B94B349734D751108020FC8F4CE01F2BF2893E655B667B575B16E3446A15875D
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0	data	3D73D83898FA351ADC2DE3C04D872DA1	B61D9D97B66B3A232DB45A5E76CDCB9A09BA52B3	407475D432143047539A89FAD7A4942E909F5A1C168044CA8A578E2CE98CDABB
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0	data	DAC04D32755B802ECA3F87A641972254	183F35DE0F04C65E55B6A590922F00194812F11D	BEAEE857B99D05B616D759CD51CFA0BF97DDA4C51AEE26890DA08F43EE96E1E8
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0	data	FE35140F89E38785890B67A9E8F52D40	FB36A9C9D9474E2128CCDBA43F7E8A0B3832F298	67DFD5F8FAAC850A18D215BE2256D8105632D554E6F065DFCA8E7273B7087780
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\927a1596c37ebe5e_0	data	26FB0E0C092878209693BCEDF039114A	B78A4C3E69E884FED8409BF3A71EBF7F4F890FF5	A34B9036B20B999405F036ED67822FA0796B54B274AC605CC1DCD98B1C24B4D7
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0	data	B53C99E5B707ADDAC52A413A3E6A4F56	11ED18438A61E0B258043010DBAEF9EB2AEC6602	EB285690FBD8CF87E143CEB49CA3FFC4212AE927E0147AE6DB77B0FA0061012C
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0	data	7F1DF2D2A8A4EA77A1520B774345F34F	218C554E6A21C5D68E007CE2A592F33674BFAB08	C97852876E469B3509F4F5BF17BE558A6973694AD974BCEBB17809484CAEB0F2
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0	data	9A54853F0BD409A96A1D7F72B00D23D8	3992B2A856991DF8D078AF74F202BA422D2E4087	6D78B86E4255B14BB43F6307B38173EEF0D616C8F38AD83313BB4496119E004F
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0	data	DAED9BC662359B42612BF06F10E7A456	39FE068B162EAE4E5C7029754B6A8BFB49C50FC7	CC898C0FA2B6CFE76A8ECAA9E97DA36420968B318B64EFD41D493180C54AC424
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\b6d5deb4812ac6e9_0	data	5429EEE0028657613EE4D924C74E1795	28DA7018EC55FDD5F44674EAF52D26A67CF0BF67	8260E13AFA617A26A872FB08BD691C0F714822FA18883A98E173F48A4D1C360E
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0	data	F49CDC8A626DB2E7F225CE60328D23FE	49B224729753CD97383FA2422FE347088751F6FA	345D987B60CE8CFAB179DA8CF9355FB6C4690FA19A1590A9D745349468AB55AB
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bf0ac66ae1eb4a7f_0	data	FB9EFFC776624033596C3EF311595B3C	5DC26748DE81F954224B485CC82D90EA0EBC05E7	ECA258CA351A5EB948F80F2DB868353AAEB560A247EDB979CF1E3C606B1770CB
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0	data	A84AE9B4B282B974F0FA56D8B91C2A20	AAFEF218364322197ACD884D54F33F0F2847F798	52E0B2367F3183E1375AC3EECF2DC5CB83B4914A8B39DFAF7476B0E19D230DCB
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d449e58cb15daaf1_0	data	E46C6E9C6FC9085C301AB40FB5FC2C8E	49D7E273FF2DED44056CEAEA4C5A4EE7FACDE321	5DD4B8F315C49A20A3F96BBFA8A440CB5B12F7525BE373467B1B15F1E3B913F9
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d88192ac53852604_0	data	AC9D82C6AD322EDC35C084FF3497E63D	298F4009DDAD5F9ED05870F24BD0D581CE472BE5	590A5131E8E4F20D4F7AF3B111DA26B84012237D4C5C15F62DE0E55035266702
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\de789e80edd740d6_0	data	D10CA7A25A8E64C94A047CC8FB042459	B81CCE37F331EFE6D722476BADFC3C6C97AD10F4	82762CCDF19EB745023F54CB430F7486A1CE6E7F437B9BF508E518BBC71E0394
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f0cf6dfa8a1afa3d_0	data	0ACC0950A37DCC881208E547E36A7DB6	853C5D4DAB28944E9C0ED951731222BD5A768709	2EB1F641116F19A3EA1033DDD97B30C94CC23CAA571DB4ED792D13201B6BDE55
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f4a0d4ca2f3b95da_0	data	65EA1ED192944A70AFB304E088566A63	D9A81151B48D97325CD3C22B4D9080A825E3142E	23425AEFE02FF0C0A8157FD26521D6430266172DB96DA1AD45F21400BF6D384E
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0	data	881218A82894A12972B7F0F113A44CD1	049A030B5C3BC3B5F8FFEF2D26539E8C31DC4DCE	5AAFACE5A495E0034E1F12906E2A36DF6D0F4A6A890691010EA7F27CDF671F2B
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f971b7eda7fa05c3_0	data	AEE7429194944A6C94E41B54E8067E1A	C10EAAF7077B0EE9857F4C7A64A0C35E08455A3C	DD3D6A82CF9F44A81B312E5025D67D9590B341BD4F99CCE0A227CAA352881C94
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fd17b2d8331c91e8_0	data	EB9B4AD4C76C7506F4653E72003F5D43	9DE993086D73F2656407AB3D54889642273D0C09	7E66985441E180AA2A70B13BFB22A6A526ED3DA3E7DF1FDDC5019D731FC0A556
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fdd733564de6fbcb_0	data	AEEEC756FC7C1C2ADB4D86B9614EC9D9	F632BDECB555D646CC59022C59F613466384C98F	EBB3EA22F73330DD0E486BB2E4B823B9C22FF896F4B21A80478ABEA0BF035407
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\febb41df4ea2b63a_0	data	D6571748A3628B18911B896E0D3AB6B8	B8100E4E553FEB3858EB4A6DC946B20E82181613	821CD2911D172F848231F7147E18FE14ED35316DF3425515133B7120405E8FBA
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\temp-index	Maple help database	A2791B105B843216FDB9263DB10CBDBB	6F4584EB36A4A605E67BE7701B1CFDFA81B061B5	3EEF7B3C9EC6DBFC5DC57F080C40DD94E1C543DBF37B8711B36AA5886991DA19
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG	ASCII text	B816BE5CA8C14F3FF9ED437ADF54F982	38287F875C90A46EABEAE26226D1891E2C184A5C	C70650773B0E3A36A437D30003E25140C6AE81FF936C0013BC78015C937ECA5D
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links	data	05C31564F5D129E37A363E150A042D4D	FA62CA0C75E503D2C5E83FE48A9846CD48FFF480	64044EF0EAA6C2CCA1F6D5E32B8C1AD305D642A8AF7F91C89CACC2BF8642C5D1
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-210225202231Z-228.bmp	PC bitmap, Windows 3.x format, 164 x -126 x 32	088F002575E642485EB00A40EF9B3316	6AF76A0F6AAF97C78DDAD8903E8A4270F8926F7B	84ABE3396DD1F1E40B0D25CA697A427500AE5F505A03AF3AE10B5FEE78471502
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages	SQLite 3.x database, last written using SQLite version 3024000	C589ED87E78BBE1487525EBC0F6D5EC7	70E1E78E053B8EEB8BEC4DBEA13C73C6EB5CCE76	15D0126CDE2794F255E2D3DF194497EB17C74FA9BDF47F0A08BCCE91A2932BE6
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal	data	18C149BF0B2A70A94B8B211CF070FF93	A51EF4266AD8C556446B2F0B9E31CD04F0DC97A7	1DE2E4DE3D3B9CA886095CBE45F76582E13F03F8387FC49D6AF61C78033DFA02
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.7148	PostScript document text	159ACCAFBA209FBC642499809CE2B513	6D94F57B63CE3BE71EDFB081ECB848B7D06EB2BE	ACE286E29DFDB19080E514F3447F46E0E4ED658263AC209A9B4BBCECC36139D3
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.7148	PostScript document text	63B24EA3A13EAC476D6309BB202EF459	89502C393549C20C933E4553F51F74F3DBE085EF	2B4BE0BED267BBD4E4FFFC912A6C7ED6A8D4735DCF9B69FF90F37CDDEF4110EA
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin	data	087C0FA445D1E6F7C6C8885CA6E650D4	B9599D8DC4340AF970263290E28BC1294E58C6EC	083FE4D59BB6FD1C9A2A47FE6A264DA99F945826A3AD0D30D6298A9058584FFD
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\E5F0NRSV\joom[1].xml	ASCII text, with no line terminators	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{51AA8481-77A7-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	25769EE3B5C2860E1CBCD0C8DAF733E3	66E5A062CE8B48C6650B82C02A09F98FF9127637	64B67EE5D3D9840EFB912F4F9742BBC791F3FB42A7800A279643D3BDE9687AA7
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{51AA8483-77A7-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	FC0F51E8BD25F4BA0124AF7FE3F4618B	2E50CDDC363B037DAAE5EE618DE5B9B4ABCE040E	1C413CFC0765B60D12BF8B576DF380F0569B153A55E8621D5D0B9C77717F25CC
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{51AA8484-77A7-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	BE97B66AD40C37147E651521C987A0E5	F75F8118421FC93455FAEA368455319C0B8BD3A6	4304BEADFD493AD5834D5280BD337CA0C1C35CFF909962BA132FEBCEF241073A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	D95AFE167E476A526F393A7783B61F99	5808B5943F9B227DA86682355C35C35320339CEB	8E1879CE38AA3F85C0E292F813CC37777681A944F0D21FD737CB905A088703FC
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	950C05232AE113DBE1D3AFB58292D66B	18D5D61970EEF5E02B6FFB4998EBCBC42DBE1052	EEF0C3E38A6545B3444D7C6B3EF7FE03F6E98979EC1F73F9D0048F611C7D475F
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	893737C2BAE8FEE61D25DF55BDC22CE1	7185D065D6EC82F40BD62F481357F95F13EEF771	59CF29F3D8139A9FBF2199CC86BE8135CCECC3A98192DD55A88B23B1FA887783
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	B08C5DB1DAE1CF8276038922164EBBBC	18C1BA9BFAE52CA7C7E92D6A496F2B97884D2E28	211AF6E47D3EFA083DF6EC3CB429A56682626E3B4324231F2719C6DBBAD641C1
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	A95B8E22C2080D830C7324A1D5623418	5EB08D6A6AABDDB5E30CA2FE3D7534EF82362A84	9D97CBB3169DED7A0E9FE5BFFD25CF6636FBE7A40649BC2FA323F6B43978CEDE
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	3AC8BAD85ED413A145E19109F07BBDC0	CA41AD1A48A6B0BF6870B76C370D06CEB132F684	7D5D63B472973495EFB340C6AB57A4FF1F0214A654EE6D4D052CF055C1D87C4B
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	C5B50AD1A00891B492508AA71331F545	848AE0C6C5E839FC43833471CC61723CF1F53215	5B43A0344F3EBBA68EA3B643B352D563454902CF31EC739EF1994D7D595D4E78
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	FC6084D56E65A9E0212AD0608EAE1BAB	3473A1FE135B74BEFC6BEBA9F1FAF6C06109C925	FD494EC032F8488712F58C18FD810A3FDC4EAB99B58C880D2E58E5A4B2DEBDC3
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	47FBB07EABF6B3505DFD25CF26E2C654	21F86B149D0D7B84224432B94DC8D1A82AD001FF	BAB6F186A0C30A0B7F20802CC8B3651337B023779DBF6D3C591693259933ADB8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\d[1]	Web Open Font Format, TrueType, length 61728, version 0.0	C30498C311ECC433CB7CD23D32159AFC	F442B2B9EAAEE7FF71F57EBAA58734B4724FAC6A	9F46E13E2EC896C2461E4C55C7393A69F7E70D85276544AC2693C42F3BC1DC89
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\olb8zpk[1].js	UTF-8 Unicode text, with very long lines	5076E0879850567ED8A5CE8D65F00DFD	1733D25CAF88876D3F6B44BFD04751E02AA717E3	B7F0115AFBD3505857C7A7515CBDFD9B595A750B8A0C576DB45992C2F87C0355
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\p[1].gif	GIF image data, version 89a, 1 x 1	81144D75B3E69E9AA2FA3E9D83A64D03	F0FBC60B50EDF5B2A0B76E0AA0537B76BF346FFC	9B9265C69A5CC295D1AB0D04E0273B3677DB1A6216CE2CCF4EFC8C277ED84B39
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\cross[1].svg	SVG Scalable Vector Graphics image	F58C57A574CCBB57D3ED79287B15BB59	232F3A24D02702188271B82D19FD709C83469E9D	16F56634D8828B7755CAF0475663AF4060B9700BA20A75B9856ACC7DD76413E2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\e2270d116b[1].js	ASCII text, with no line terminators	06DD80AEB628C60DC680BC7A4BEE6651	8C86EB7DDFF5E1E5D527BD7A41C9D3F6767E23E0	5E864C2E3F674C60970513411EAEEEAFD2D615D842E65EC01D09CCFCB4A7B38D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\joomag.responsive[1].css	ASCII text, with very long lines, with no line terminators	ABDB67CF175491FCAFD4BB225D6540A9	D1D1FA2E31CE80126887B619C0136A69275B3E79	DDCD972A29BC1A2552A9D740B324F8B4B8B4EEE22505E5C4D0D701ECDC5BC202
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\d[1]	Web Open Font Format, TrueType, length 58272, version 0.0	25EB786C99DB8F58DF013C81F8F14C0D	83FDDE6AC8D51CAD2BDF8C33813FEE6BA34002A7	054E8C55D84A3EBFF0722AB57AB4A00BB60736DCFF97B81401019D714FFAF688
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\d[2]	Web Open Font Format, TrueType, length 55916, version 0.0	642BF1228C9D1BCF62992C08DF8A92B8	05DA82C550C25254ACA29DAD238EABCFC149BF9C	036F00B2C16BD1CA74B5384DE15D04214CC005A4476BF4A6291AD29D39885BAF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\d[3]	Web Open Font Format, TrueType, length 59940, version 0.0	3AEB74FE14E1ACCAE157879343062A13	7A736AD47EE70212EEB9CD4179826F9CB8D55781	E3E487D6036BB95CCD6D97CA641B5FA6ED85FF93E11A5649C72534AF0DD272C3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\d[4]	Web Open Font Format, TrueType, length 60240, version 0.0	1E15B536F74EF394FCEC8470F8D64323	50942FD78ECBA94C12DA7E63866585B26CED24C5	4A4E9A7F3425D3D460A9FFC77A56391B62AF222391DB604B5924D90637549204
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\d[5]	Web Open Font Format, TrueType, length 61612, version 0.0	D26D2BAB4625361DA030917B4FA4CBF0	972FF9E8DF21F1CAE4B0ABA7C36577A72E18CD8A	5F8EE1622F6CDD2E3B343DB9BC25A58053C24959A7D72242E783ABD6C65A9070
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\fonts[1].css	ASCII text	C05ACE645F780FF960B1B7B7A8B21C43	D25960DAED67DB0FF23ABB0DA084E3BD356C45E7	94A5843CF3E664CD2087A484200389FC08A4FA465C0BA3CF5B29430371A905E7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\limitedAccessPages[1].css	ASCII text, with very long lines, with no line terminators	62E4648D1FA23E754FF92CA7B04DA2D8	878C7426B5976FE905E9F448307051B01C3598CF	F91AF90E07ECDFC8E4908A0FFF3C379B97A295AD5BF56A0236898D5C5795391D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\nr-1198.min[1].js	ASCII text, with very long lines, with no line terminators	59C98195BA35E0B45CBE2E5BEEBD1AC8	BB1DD82667456B0B608750BBF8D2871A018535B0	39893061747F88B837A34D0395D05FCA83E7CD5BBF2D582D181A73C5C9A174C6
C:\Users\user\AppData\Local\Temp\~DF5B4354179DD05C79.TMP	data	D286EFF91CCF1D364AC36926189BC35B	48EC01428E7EAF74CB536AFBFA5819E9691F9BF8	8240BABF62CE3D63B03819229E19B3C071FADA1AE7AA10F3C17CEC38E2102B43
C:\Users\user\AppData\Local\Temp\~DFC49E28F8A7C615D6.TMP	data	C77CD83D641CC3147C2B7AD9955D041A	EC6DEB6408CD86B436E9AA37A8809C86838DAACA	6D2D960FFC45D33E0D9CDD621AE1457CA9F30D29AF90D537BF18A0F38F7771D4
C:\Users\user\AppData\Local\Temp\~DFE5BD3A345DA22996.TMP	data	DD88BBD02F78022B071C53C57E054C58	EFEDFCD805A18A5FD5CFA3A0383CA5D4BE8133E9	A75EE113E64A7B431EFD5D38FB306538BB74A2E333BC7B5F851D7135BB6A06A1

Analysis Report Send-Data-City_Center_Waco_Project_Report-_#9073955_942 (1).pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs