Analysis Report SECOURS SANITAIRE DU COVID-19.pdf

Overview

General Information

Sample Name: SECOURS SANITAIRE DU COVID-19.pdf
Analysis ID: 402635
MD5: b01d94c5b33ce94af13c7fbee0138aeb
SHA1: 0a25677fb92664a60185d89a90cfc5cc7e13ffa7
SHA256: f2a75542290d06da46436424170490e7d0ca564c7bcccaec4c989dacc5d1af05

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
IP address seen in connection with other malware
Queries the volume information (name, serial number etc) of a device

Classification

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 80.0.0.0
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AcroRd32.exe, 00000003.00000002.877743426.000000000C916000.00000004.00000001.sdmp String found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe, 00000003.00000002.877743426.000000000C916000.00000004.00000001.sdmp String found in binary or memory: http://cipa.jp/exif/1.0/1.0/
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/P
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/x
Source: SECOURS SANITAIRE DU COVID-19.pdf String found in binary or memory: http://neevia.com
Source: AcroRd32.exe, 00000003.00000002.864216335.0000000008C8A000.00000004.00000001.sdmp String found in binary or memory: http://neevia.com)
Source: AcroRd32.exe, 00000003.00000002.875085260.000000000ABDF000.00000004.00000001.sdmp String found in binary or memory: http://neevia.com)d
Source: AcroRd32.exe, 00000003.00000002.877800487.000000000C945000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/4U
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/P
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: AcroRd32.exe, 00000003.00000002.877800487.000000000C945000.00000004.00000001.sdmp String found in binary or memory: http://wwobe.com/go/ipmrh?F
Source: AcroRd32.exe, 00000003.00000002.877800487.000000000C945000.00000004.00000001.sdmp String found in binary or memory: http://www.a.com/go/cpdfrhpr
Source: AcroRd32.exe, 00000003.00000002.877604078.000000000C88C000.00000004.00000001.sdmp String found in binary or memory: http://www.adobe.c
Source: AcroRd32.exe, 00000003.00000002.877604078.000000000C88C000.00000004.00000001.sdmp String found in binary or memory: http://www.adobe.co/ep
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/x
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/youtsN
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/field#4
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/field#4)
Source: AcroRd32.exe, 00000003.00000002.877743426.000000000C916000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe, 00000003.00000002.877743426.000000000C916000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/0
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/property#ayout
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/property#omponent
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe, 00000003.00000002.874799493.000000000AA87000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe, 00000003.00000002.877743426.000000000C916000.00000004.00000001.sdmp String found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: AcroRd32.exe, 00000003.00000002.877743426.000000000C916000.00000004.00000001.sdmp String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: AcroRd32.exe, 00000003.00000002.877743426.000000000C916000.00000004.00000001.sdmp String found in binary or memory: http://www.npes.org/pdfx/ns/id/C
Source: AcroRd32.exe, 00000003.00000002.859807713.0000000007540000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/default/1.0%http://www.osmf.org/mediatype/default
Source: AcroRd32.exe, 00000003.00000002.859807713.0000000007540000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/drm/default
Source: AcroRd32.exe, 00000003.00000002.859807713.0000000007540000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/elementId%http://www.osmf.org/temporal/embedded$http://www.osmf.org/temporal/dyn
Source: AcroRd32.exe, 00000003.00000002.859807713.0000000007540000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/layout/anchor
Source: AcroRd32.exe, 00000003.00000002.859807713.0000000007540000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/layout/padding%http://www.osmf.org/layout/attributes
Source: AcroRd32.exe, 00000003.00000002.859807713.0000000007540000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/region/target#http://www.osmf.org/layout/renderer#http://www.osmf.org/layout/abs
Source: AcroRd32.exe, 00000003.00000002.859807713.0000000007540000.00000002.00000001.sdmp String found in binary or memory: http://www.osmf.org/subclip/1.0
Source: AcroRd32.exe, 00000003.00000002.859807713.0000000007540000.00000002.00000001.sdmp String found in binary or memory: http://www.quicktime.com.Acrobat
Source: AcroRd32.exe, 00000003.00000002.875024481.000000000ABD0000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/
Source: AcroRd32.exe, 00000003.00000002.875024481.000000000ABD0000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/%
Source: AcroRd32.exe, 00000003.00000002.875024481.000000000ABD0000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/11_
Source: AcroRd32.exe, 00000003.00000002.875024481.000000000ABD0000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/:00
Source: AcroRd32.exe, 00000003.00000002.875293664.000000000AC3B000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/
Source: AcroRd32.exe, 00000003.00000002.875293664.000000000AC3B000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload//;w
Source: AcroRd32.exe, 00000003.00000002.875293664.000000000AC3B000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/Cu
Source: AcroRd32.exe, 00000003.00000002.875293664.000000000AC3B000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/awo
Source: AcroRd32.exe, 00000003.00000002.875293664.000000000AC3B000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/ed
Source: AcroRd32.exe, 00000003.00000002.875293664.000000000AC3B000.00000004.00000001.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/rs%w
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://api.aadrm.com/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://api.cortana.ai
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: AcroRd32.exe, 00000003.00000002.877743426.000000000C916000.00000004.00000001.sdmp String found in binary or memory: https://api.echosign.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://api.office.net
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://api.onedrive.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://augloop.office.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://augloop.office.com/v2
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://cdn.entity.
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://clients.config.office.net/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://config.edge.skype.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://cortana.ai
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://cortana.ai/api
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://cr.office.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://dev.cortana.ai
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://devnull.onenote.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://directory.services.
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://graph.windows.net
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://graph.windows.net/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: AcroRd32.exe, 00000003.00000002.863743684.0000000008C10000.00000004.00000001.sdmp String found in binary or memory: https://ims-na1.adobelogin.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://lifecycle.office.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://login.windows.local
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://management.azure.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://management.azure.com/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://messaging.office.com/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://ncus.contentsync.
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://officeapps.live.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://onedrive.live.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://outlook.office.com/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://outlook.office365.com/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://powerlift.acompli.net
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://settings.outlook.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://staging.cortana.ai
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://tasks.office.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://webshell.suite.office.com
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://wus2.contentsync.
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: AcroRd32.exe, 00000003.00000002.862086846.00000000083FD000.00000002.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: 812A11FD-8CE3-4974-9DD1-7CD9EF661355.19.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: classification engine Classification label: clean1.winPDF@14/50@0/2
Source: SECOURS SANITAIRE DU COVID-19.pdf Initial sample: http://neevia.com\
Source: SECOURS SANITAIRE DU COVID-19.pdf Initial sample: mailto:europeenne.banque.centrale@protonmail.com
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R14pat99_q1v9cu_5iw.tmp
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File read: C:\Program Files (x86)\desktop.ini
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\SECOURS SANITAIRE DU COVID-19.pdf'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\SECOURS SANITAIRE DU COVID-19.pdf'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1736,10090636952361594307,9260773660448689587,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1248215810438557703 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1248215810438557703 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1736,10090636952361594307,9260773660448689587,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=8616662721456202722 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1736,10090636952361594307,9260773660448689587,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=13245651749807582994 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=13245651749807582994 --renderer-client-id=4 --mojo-platform-channel-handle=1860 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1736,10090636952361594307,9260773660448689587,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=14006470410429743815 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14006470410429743815 --renderer-client-id=5 --mojo-platform-channel-handle=2024 --allow-no-sandbox-job /prefetch:1
Source: unknown Process created: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe' -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File opened: C:\Windows\SysWOW64\Msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Key opened: \REGISTRY\A\{f6a40ca4-9fbc-003b-7bb0-6b4c0b73aba8}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office Test\Special\PerfImm
Source: SECOURS SANITAIRE DU COVID-19.pdf Initial sample: PDF keyword /JS count = 0
Source: SECOURS SANITAIRE DU COVID-19.pdf Initial sample: PDF keyword /JavaScript count = 0
Source: SECOURS SANITAIRE DU COVID-19.pdf Initial sample: PDF keyword /EmbeddedFile count = 0
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Process information set: NOOPENFILEERRORBOX
Source: AcroRd32.exe, 00000003.00000002.877743426.000000000C916000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt

Anti Debugging:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Code function: 3_2_045E8050 LdrInitializeThunk, 3_2_045E8050
Source: AcroRd32.exe, 00000003.00000002.857305342.0000000005240000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: AcroRd32.exe, 00000003.00000002.857305342.0000000005240000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: AcroRd32.exe, 00000003.00000002.857305342.0000000005240000.00000002.00000001.sdmp Binary or memory string: Progman
Source: AcroRd32.exe, 00000003.00000002.857305342.0000000005240000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\images\offsymsb.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\fonts\symbol.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\en-us\officons.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.22055.0_x64__8wekyb3d8bbwe\HxOutlook.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation

Behavior Graph (figure): ID 402635, sample SECOURS SANITAIRE DU COVID-19.pdf, start date 03/05/2021, architecture WINDOWS, score 1. Process tree and network contacts recovered from the graph:

  • AcroRd32.exe (started from the sample)
    • RdrCEF.exe
      • contacts 192.168.2.1 (unknown)
      • RdrCEF.exe (four child processes); one of them contacts 80.0.0.0 (NTLGB, United Kingdom)
    • AcroRd32.exe (child)
  • HxOutlook.exe (started separately)

Contacted Public IPs

IP           Domain    Country          ASN    ASN Name   Malicious
80.0.0.0     unknown   United Kingdom   5089   NTLGB      false

Private

IP
192.168.2.1