Windows Analysis Report Next_Caller#U2019s_Fraud___COVID-19_Report_(Week_6-9).pdf

Overview

General Information

Sample Name: Next_Caller#U2019s_Fraud___COVID-19_Report_(Week_6-9).pdf
Analysis ID: 438190
MD5: 5cf5e5cf2ac5f1eba159d03842f9e7c9
SHA1: 80e72b48c3c441900152ce45fcec3bb552ef1734
SHA256: c8471fe72419ed8c0c39cc5750e77cb9df3a1b4532f5a3117441755eb55d52cf

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Connects to many IPs within the same subnet mask (likely port scanning)
Connects to many different domains
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Analysis Advice

No malicious behavior found, analyze the document also on other version of Office / Acrobat
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Process Tree

  • System is w10x64
  • AcroRd32.exe (PID: 3732 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\Next_Caller#U2019s_Fraud___COVID-19_Report_(Week_6-9).pdf' MD5: B969CF0C7B2C443A99034881E8C8740A)
    • AcroRd32.exe (PID: 5800 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\Next_Caller#U2019s_Fraud___COVID-19_Report_(Week_6-9).pdf' MD5: B969CF0C7B2C443A99034881E8C8740A)
    • RdrCEF.exe (PID: 6092 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 6124 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1724,16295595289360813689,5938817010962337207,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=4566866485235901199 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4566866485235901199 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 4280 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --field-trial-handle=1724,16295595289360813689,5938817010962337207,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --service-request-channel-token=4840204308889134431 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 6140 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1724,16295595289360813689,5938817010962337207,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1176352946696311653 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1176352946696311653 --renderer-client-id=4 --mojo-platform-channel-handle=1840 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 204 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1724,16295595289360813689,5938817010962337207,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=12598703654215652762 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12598703654215652762 --renderer-client-id=5 --mojo-platform-channel-handle=1852 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • RdrCEF.exe (PID: 3728 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --touch-events=enabled --field-trial-handle=1724,16295595289360813689,5938817010962337207,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1641267038983245055 --lang=en-US --disable-pack-loading --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.12.20035 Chrome/80.0.0.0' --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1641267038983245055 --renderer-client-id=6 --mojo-platform-channel-handle=2020 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
    • chrome.exe (PID: 5048 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'https://nextcaller.com/blog/next-callers-fraud-covid-19-report-week-4-5/' MD5: C139654B5C1438A95B321BB01AD63EF6)
      • chrome.exe (PID: 3476 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1548,4170625765879668992,9549381529543342162,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1796 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
      • chrome.exe (PID: 1540 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1548,4170625765879668992,9549381529543342162,131072 --lang=en-US --service-sandbox-type=audio --enable-audio-service-sandbox --mojo-platform-channel-handle=6240 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
      • chrome.exe (PID: 5564 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1548,4170625765879668992,9549381529543342162,131072 --lang=en-US --service-sandbox-type=video_capture --enable-audio-service-sandbox --mojo-platform-channel-handle=4768 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: https://api.autopilothq.com/anywhere/headsup/a226a61269bd46b49f99013b66ec690049378a691ede444f85200277cfa83809/nextcaller_proactive_headsup_message_1521830115721-ee10b790-2ec8-11e8-b337-816ab6656d34/1624378102853/https%3A%2F%2Fnextcaller.com%2F HTTP Parser: Number of links: 0
Source: https://api.autopilothq.com/anywhere/headsup/a226a61269bd46b49f99013b66ec690049378a691ede444f85200277cfa83809/nextcaller_proactive_headsup_message_1521830115721-ee10b790-2ec8-11e8-b337-816ab6656d34/1624378102853/https%3A%2F%2Fnextcaller.com%2F HTTP Parser: Title: Headsup does not match URL
Source: https://api.autopilothq.com/anywhere/headsup/a226a61269bd46b49f99013b66ec690049378a691ede444f85200277cfa83809/nextcaller_proactive_headsup_message_1521830115721-ee10b790-2ec8-11e8-b337-816ab6656d34/1624378102853/https%3A%2F%2Fnextcaller.com%2F HTTP Parser: No <meta name="author".. found
Source: https://api.autopilothq.com/anywhere/headsup/a226a61269bd46b49f99013b66ec690049378a691ede444f85200277cfa83809/nextcaller_proactive_headsup_message_1521830115721-ee10b790-2ec8-11e8-b337-816ab6656d34/1624378102853/https%3A%2F%2Fnextcaller.com%2F HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: global traffic DNS query: name: nextcaller.com
Source: global traffic TCP traffic: 192.168.2.3:49704 -> 131.253.33.200:443
Source: chrome.exe Memory has grown: Private usage: 0MB later: 25MB

Networking:

Connects to many IPs within the same subnet mask (likely port scanning)
Source: global traffic TCP traffic: Count: 10 IPs: 143.204.98.18,143.204.98.119,143.204.98.9,143.204.98.70,143.204.98.23,143.204.98.104,143.204.98.76,143.204.98.32,143.204.98.2,143.204.98.59
Source: unknown Network traffic detected: DNS query count 52
Source: Joe Sandbox View IP Address: 50.16.7.188
Source: Joe Sandbox View JA3 fingerprint: b32309a26951912be7dba376398abc3b
Source: Joe Sandbox View JA3 fingerprint: 74ad8ec6876e2e3366bfd566581ca7e8
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115
Source: unknown DNS traffic detected: queries for: nextcaller.com