Windows Analysis Report
View Shared File.pdf

Overview

General Information

Sample Name: View Shared File.pdf
Analysis ID: 634965
MD5: 0a2fecc6ab069dd0c654b702b8f4d3fd
SHA1: 7f1092ab0289b76ab0f1c30deacbfa67a656253e
SHA256: 4fab88614d666873895c79011f4aa5c7642bf3ba91f5b0a8fe67b059e676767e

Detection

HTMLPhisher
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish10
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
No HTML title found
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Suspicious form URL found
IP address seen in connection with other malware
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Form action URLs do not match main URL
Potential document exploit detected (performs HTTP gets)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: https://arthurperush.com/css/cPanel.SharePoint_documentOnline/login.html SlashNext: Label: Credential Stealing type: Phishing & Social Engineering

Phishing

Source: Yara match File source: 62445.1.pages.csv, type: HTML
Source: Yara match File source: 38924.3.pages.csv, type: HTML
Source: Yara match File source: 96408.4.pages.csv, type: HTML
Source: Yara match File source: 57468.5.pages.csv, type: HTML
Source: Yara match File source: 75415.6.pages.csv, type: HTML
Source: Yara match File source: 96768.7.pages.csv, type: HTML
Source: Yara match File source: 24196.8.pages.csv, type: HTML
Source: Yara match File source: 06026.9.pages.csv, type: HTML
Source: https://arthurperush.com/css/cPanel.SharePoint_documentOnline/login.html HTTP Parser: HTML title missing
Source: https://webmail.serendahsteel.com/?locale=en HTTP Parser: HTML title missing
Source: https://webmail.serendahsteel.com/?locale=ar HTTP Parser: HTML title missing
Source: https://webmail.serendahsteel.com/?locale=bg HTTP Parser: HTML title missing
Source: https://webmail.serendahsteel.com/?locale=cs HTTP Parser: HTML title missing
Source: https://webmail.serendahsteel.com/?locale=da HTTP Parser: HTML title missing
Source: https://webmail.serendahsteel.com/?locale=de HTTP Parser: HTML title missing
Source: https://webmail.serendahsteel.com/?locale=el HTTP Parser: HTML title missing
Source: https://webmail.serendahsteel.com/?locale=es HTTP Parser: HTML title missing
Source: https://webmail.serendahsteel.com/?locale=es_419 HTTP Parser: HTML title missing
Source: https://arthurperush.com/css/cPanel.SharePoint_documentOnline/login.html HTTP Parser: Form action: https://www.laureltowingservice.com/wp-includes/css/cpanel.SharePoint_documentOnline/sign.php
Source: https://arthurperush.com/css/cPanel.SharePoint_documentOnline/login.html HTTP Parser: Form action: https://www.laureltowingservice.com/wp-includes/css/cpanel.SharePoint_documentOnline/sign.php arthurperush laureltowingservice
Source: https://arthurperush.com/css/cPanel.SharePoint_documentOnline/login.html HTTP Parser: No <meta name="author".. found
Source: https://webmail.serendahsteel.com/?locale=en HTTP Parser: No <meta name="author".. found
Source: https://webmail.serendahsteel.com/?locale=ar HTTP Parser: No <meta name="author".. found
Source: https://webmail.serendahsteel.com/?locale=bg HTTP Parser: No <meta name="author".. found
Source: https://webmail.serendahsteel.com/?locale=cs HTTP Parser: No <meta name="author".. found
Source: https://webmail.serendahsteel.com/?locale=da HTTP Parser: No <meta name="author".. found
Source: https://webmail.serendahsteel.com/?locale=de HTTP Parser: No <meta name="author".. found
Source: https://webmail.serendahsteel.com/?locale=el HTTP Parser: No <meta name="author".. found
Source: https://webmail.serendahsteel.com/?locale=es HTTP Parser: No <meta name="author".. found
Source: https://webmail.serendahsteel.com/?locale=es_419 HTTP Parser: No <meta name="author".. found
Source: https://arthurperush.com/css/cPanel.SharePoint_documentOnline/login.html HTTP Parser: No <meta name="copyright".. found
Source: https://webmail.serendahsteel.com/?locale=en HTTP Parser: No <meta name="copyright".. found
Source: https://webmail.serendahsteel.com/?locale=ar HTTP Parser: No <meta name="copyright".. found
Source: https://webmail.serendahsteel.com/?locale=bg HTTP Parser: No <meta name="copyright".. found
Source: https://webmail.serendahsteel.com/?locale=cs HTTP Parser: No <meta name="copyright".. found
Source: https://webmail.serendahsteel.com/?locale=da HTTP Parser: No <meta name="copyright".. found
Source: https://webmail.serendahsteel.com/?locale=de HTTP Parser: No <meta name="copyright".. found
Source: https://webmail.serendahsteel.com/?locale=el HTTP Parser: No <meta name="copyright".. found
Source: https://webmail.serendahsteel.com/?locale=es HTTP Parser: No <meta name="copyright".. found
Source: https://webmail.serendahsteel.com/?locale=es_419 HTTP Parser: No <meta name="copyright".. found
Source: unknown HTTPS traffic detected: 151.101.112.193:443 -> 192.168.2.3:49846 version: TLS 1.2
Source: unknown HTTPS traffic detected: 72.9.144.117:443 -> 192.168.2.3:49849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 72.9.144.117:443 -> 192.168.2.3:49848 version: TLS 1.2
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecoveryCRX.crx
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\manifest.json
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\_metadata\
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\_metadata\verified_contents.json
Source: Binary string: GoogleUpdateB231574670_unsigned.pdb source: ChromeRecovery.exe, 00000027.00000002.656555799.0000000000067000.00000002.00000001.01000000.00000009.sdmp, ChromeRecovery.exe, 00000027.00000000.655835057.0000000000067000.00000002.00000001.01000000.00000009.sdmp, ChromeRecovery.exe.38.dr
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_000598C3 FindFirstFileExW, 39_2_000598C3
Source: global traffic DNS query: name: bpkbsaya.com
Source: global traffic TCP traffic: 192.168.2.3:49809 -> 142.250.203.109:443
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 151.101.112.193 151.101.112.193
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKConnection: Keep-AliveX-Powered-By: PHP/7.2.34Content-Type: text/html; charset=UTF-8Content-Length: 134Content-Encoding: gzipVary: Accept-EncodingDate: Fri, 27 May 2022 05:41:04 GMTServer: LiteSpeedX-Powered-By: PleskLinData Raw: 1f 8b 08 00 00 00 00 00 00 03 2d cd 31 0e c2 30 0c 00 c0 bd 52 fe c0 d6 2d d9 a1 45 fc 80 4a 3c a0 b2 5c 2b 31 4a ec 28 71 e8 f7 19 60 bd e5 96 8e 8d ab 5d 32 48 1c 10 69 7d c3 07 7e 76 77 93 9b 4e 96 43 4f 9f 15 c1 58 65 9d 93 59 ed d7 10 1e d0 2c 8d 56 a9 8d 9e 3c 6a 09 d8 7b c0 0d 84 b2 7f 25 68 b4 29 8b ed 87 e2 28 24 f6 94 cc 42 21 6b 64 f1 c9 4a 9e 6f 6e 5a c2 bf fa 02 21 32 42 c3 87 00 00 00 Data Ascii: -10R-EJ<\+1J(q`]2Hi}~vwNCOXeY,V<j{%h)($B!kdJonZ!2B
Source: elevation_service.exe, 00000026.00000003.653645575.0000020D35DB3000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.655915187.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.653690573.0000020D35DAB000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654653186.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654187218.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.38.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: elevation_service.exe, 00000026.00000003.653645575.0000020D35DB3000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.655915187.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.653690573.0000020D35DAB000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654653186.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654187218.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.38.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: elevation_service.exe, 00000026.00000003.653645575.0000020D35DB3000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.655915187.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.653690573.0000020D35DAB000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654653186.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654187218.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.38.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: AcroRd32.exe, 00000001.00000000.419453160.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.435987288.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe, 00000001.00000000.419453160.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.435987288.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cipa.jp/exif/1.0/)
Source: AcroRd32.exe, 00000001.00000000.419453160.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.435987288.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cipa.jp/exif/1.0/1.0/
Source: elevation_service.exe, 00000026.00000003.653645575.0000020D35DB3000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.655915187.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.653690573.0000020D35DAB000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654653186.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654187218.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.38.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: elevation_service.exe, 00000026.00000003.653645575.0000020D35DB3000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.655915187.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.653690573.0000020D35DAB000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654653186.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654187218.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.38.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ChromeRecovery.exe.38.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: elevation_service.exe, 00000026.00000003.653645575.0000020D35DB3000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.655915187.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.653690573.0000020D35DAB000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654653186.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654187218.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.38.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AcroRd32.exe, 00000001.00000000.435712945.000000000AD3B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe, 00000001.00000000.435712945.000000000AD3B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: pnacl_public_x86_64_pnacl_llc_nexe.34.dr, pnacl_public_x86_64_pnacl_sz_nexe.34.dr String found in binary or memory: http://llvm.org/):
Source: AcroRd32.exe, 00000001.00000000.435712945.000000000AD3B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: elevation_service.exe, 00000026.00000003.653645575.0000020D35DB3000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.655915187.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.653690573.0000020D35DAB000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654653186.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654187218.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.38.dr String found in binary or memory: http://ocsp.digicert.com0
Source: elevation_service.exe, 00000026.00000003.653645575.0000020D35DB3000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.655915187.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.653690573.0000020D35DAB000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654653186.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654187218.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.38.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: elevation_service.exe, 00000026.00000003.653645575.0000020D35DB3000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.655915187.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.653690573.0000020D35DAB000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654653186.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654187218.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.38.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: History Provider Cache.34.dr String found in binary or memory: http://v2.bpkbsaya.com/wp-includes/css/cPanel.SharePoint_documentOnline/redirecting.php2
Source: AcroRd32.exe, 00000001.00000000.435712945.000000000AD3B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe, 00000001.00000000.435712945.000000000AD3B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe, 00000001.00000000.419453160.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.435987288.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe, 00000001.00000000.435712945.000000000AD3B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe, 00000001.00000000.435712945.000000000AD3B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/property#8
Source: AcroRd32.exe, 00000001.00000000.435712945.000000000AD3B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/property#x(
Source: AcroRd32.exe, 00000001.00000000.435712945.000000000AD3B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe, 00000001.00000000.435712945.000000000AD3B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe, 00000001.00000000.419453160.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.435987288.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: AcroRd32.exe, 00000001.00000000.419453160.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.435987288.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfe/ns/id/i
Source: AcroRd32.exe, 00000001.00000000.419453160.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.435987288.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfe/ns/id/l
Source: elevation_service.exe, 00000026.00000003.653645575.0000020D35DB3000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.655915187.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.653690573.0000020D35DAB000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654653186.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, elevation_service.exe, 00000026.00000003.654187218.0000020D35DAE000.00000004.00000020.00020000.00000000.sdmp, ChromeRecovery.exe.38.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: AcroRd32.exe, 00000001.00000000.419453160.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.435987288.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: AcroRd32.exe, 00000001.00000000.419453160.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.435987288.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.npes.org/pdfx/ns/id/6
Source: AcroRd32.exe, 00000001.00000000.414727824.000000000A2A2000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.419453160.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.435987288.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.pdf-tools.com)
Source: AcroRd32.exe, 00000001.00000000.398203996.0000000008F6F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.quicktime.com.Acrobat
Source: AcroRd32.exe, 00000001.00000000.435764186.000000000ADAB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/
Source: AcroRd32.exe, 00000001.00000000.435863491.000000000AE08000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/
Source: AcroRd32.exe, 00000001.00000000.435863491.000000000AE08000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/U
Source: AcroRd32.exe, 00000001.00000000.435863491.000000000AE08000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/w
Source: AcroRd32.exe, 00000001.00000000.435764186.000000000ADAB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/iew
Source: AcroRd32.exe, 00000001.00000000.435764186.000000000ADAB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/rsi
Source: AcroRd32.exe, 00000001.00000000.435764186.000000000ADAB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/ut
Source: dbc05ae3-04c6-437c-9d41-b2249c7cf2c0.tmp.35.dr, 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr, 9201d6f7-b73e-4a17-9370-924f601aeb69.tmp.35.dr String found in binary or memory: https://accounts.google.com
Source: craw_window.js.34.dr String found in binary or memory: https://accounts.google.com/MergeSession
Source: AcroRd32.exe, 00000001.00000000.419453160.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.435987288.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.echosign.com
Source: AcroRd32.exe, 00000001.00000000.419453160.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.435987288.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.echosign.comA
Source: dbc05ae3-04c6-437c-9d41-b2249c7cf2c0.tmp.35.dr, 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr, 9201d6f7-b73e-4a17-9370-924f601aeb69.tmp.35.dr String found in binary or memory: https://apis.google.com
Source: History Provider Cache.34.dr String found in binary or memory: https://arthurperush.com/css/cPanel.SharePoint_documentOnline/login.html2
Source: pnacl_public_x86_64_crtbegin_for_eh_o.34.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_crtbegin_for_eh_o.34.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: dbc05ae3-04c6-437c-9d41-b2249c7cf2c0.tmp.35.dr, 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr, 9201d6f7-b73e-4a17-9370-924f601aeb69.tmp.35.dr String found in binary or memory: https://clients2.google.com
Source: manifest.json1.34.dr, manifest.json0.34.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: dbc05ae3-04c6-437c-9d41-b2249c7cf2c0.tmp.35.dr, 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr, 9201d6f7-b73e-4a17-9370-924f601aeb69.tmp.35.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: pnacl_public_x86_64_ld_nexe.34.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.34.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr String found in binary or memory: https://content-autofill.googleapis.com
Source: dbc05ae3-04c6-437c-9d41-b2249c7cf2c0.tmp.35.dr, 7e1e79ea-bcff-45de-845a-43cf18598136.tmp.35.dr, 7016b328-c69b-4427-bf66-a5317616c2ba.tmp.35.dr, 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr, 9201d6f7-b73e-4a17-9370-924f601aeb69.tmp.35.dr, 19fa8736-0cad-4232-b7d2-b453200b1e8b.tmp.35.dr String found in binary or memory: https://dns.google
Source: dbc05ae3-04c6-437c-9d41-b2249c7cf2c0.tmp.35.dr, 9201d6f7-b73e-4a17-9370-924f601aeb69.tmp.35.dr String found in binary or memory: https://fonts.googleapis.com
Source: dbc05ae3-04c6-437c-9d41-b2249c7cf2c0.tmp.35.dr, 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr, 9201d6f7-b73e-4a17-9370-924f601aeb69.tmp.35.dr String found in binary or memory: https://fonts.gstatic.com
Source: craw_window.js.34.dr, craw_background.js.34.dr String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: AcroRd32.exe, 00000001.00000000.398289180.000000000A290000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ims-na1.adobelogin.com
Source: dbc05ae3-04c6-437c-9d41-b2249c7cf2c0.tmp.35.dr, 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr, 9201d6f7-b73e-4a17-9370-924f601aeb69.tmp.35.dr String found in binary or memory: https://ogs.google.com
Source: manifest.json1.34.dr, craw_window.js.34.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: dbc05ae3-04c6-437c-9d41-b2249c7cf2c0.tmp.35.dr, 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr, 9201d6f7-b73e-4a17-9370-924f601aeb69.tmp.35.dr String found in binary or memory: https://play.google.com
Source: 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr String found in binary or memory: https://r3---sn-1gi7znek.gvt1.com
Source: 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr String found in binary or memory: https://redirector.gvt1.com
Source: manifest.json1.34.dr, craw_window.js.34.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: dbc05ae3-04c6-437c-9d41-b2249c7cf2c0.tmp.35.dr, 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr, 9201d6f7-b73e-4a17-9370-924f601aeb69.tmp.35.dr String found in binary or memory: https://ssl.gstatic.com
Source: craw_window.js.34.dr, craw_background.js.34.dr String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: dbc05ae3-04c6-437c-9d41-b2249c7cf2c0.tmp.35.dr, 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr, 9201d6f7-b73e-4a17-9370-924f601aeb69.tmp.35.dr String found in binary or memory: https://www.google.com
Source: manifest.json1.34.dr String found in binary or memory: https://www.google.com/
Source: craw_window.js.34.dr String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.34.dr String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.34.dr String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.34.dr String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.34.dr String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: dbc05ae3-04c6-437c-9d41-b2249c7cf2c0.tmp.35.dr, craw_window.js.34.dr, 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr, 9201d6f7-b73e-4a17-9370-924f601aeb69.tmp.35.dr, craw_background.js.34.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json1.34.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json1.34.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json1.34.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json1.34.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json1.34.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: dbc05ae3-04c6-437c-9d41-b2249c7cf2c0.tmp.35.dr, 489464f3-d7d6-4730-89cc-46a1e014e96b.tmp.35.dr, 9201d6f7-b73e-4a17-9370-924f601aeb69.tmp.35.dr String found in binary or memory: https://www.gstatic.com
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: unknown DNS traffic detected: queries for: bpkbsaya.com
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /css/cPanel.SharePoint_documentOnline/login.html HTTP/1.1Host: arthurperush.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: http://v2.bpkbsaya.com/wp-includes/css/cPanel.SharePoint_documentOnline/redirecting.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1386192030/unprotected/cpanel/fonts/open_sans/open_sans.min.css HTTP/1.1Host: webmail.unitedyacht.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://arthurperush.com/css/cPanel.SharePoint_documentOnline/login.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1508464910/unprotected/cpanel/style_v2_optimized.css HTTP/1.1Host: webmail.unitedyacht.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://arthurperush.com/css/cPanel.SharePoint_documentOnline/login.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1458739301/unprotected/cpanel/images/webmail-logo.svg HTTP/1.1Host: webmail.unitedyacht.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://arthurperush.com/css/cPanel.SharePoint_documentOnline/login.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1547665285/unprotected/cpanel/images/icon-username.png HTTP/1.1Host: webmail.unitedyacht.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://webmail.unitedyacht.com/cPanel_magic_revision_1508464910/unprotected/cpanel/style_v2_optimized.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1547665285/unprotected/cpanel/images/icon-password.png HTTP/1.1Host: webmail.unitedyacht.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://webmail.unitedyacht.com/cPanel_magic_revision_1508464910/unprotected/cpanel/style_v2_optimized.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1616517441/unprotected/cpanel/fonts/open_sans/OpenSans-Regular-webfont.woff HTTP/1.1Host: webmail.unitedyacht.comConnection: keep-aliveOrigin: https://arthurperush.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://webmail.unitedyacht.com/cPanel_magic_revision_1386192030/unprotected/cpanel/fonts/open_sans/open_sans.min.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /data:image/svg+xml;base64,... HTTP/1.1Host: webmail.unitedyacht.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://arthurperush.com/css/cPanel.SharePoint_documentOnline/login.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1616517441/unprotected/cpanel/fonts/open_sans/OpenSans-Semibold-webfont.woff HTTP/1.1Host: webmail.unitedyacht.comConnection: keep-aliveOrigin: https://arthurperush.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://webmail.unitedyacht.com/cPanel_magic_revision_1386192030/unprotected/cpanel/fonts/open_sans/open_sans.min.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1616517441/unprotected/cpanel/fonts/open_sans/OpenSans-Bold-webfont.woff HTTP/1.1Host: webmail.unitedyacht.comConnection: keep-aliveOrigin: https://arthurperush.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://webmail.unitedyacht.com/cPanel_magic_revision_1386192030/unprotected/cpanel/fonts/open_sans/open_sans.min.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1616517441/unprotected/cpanel/fonts/open_sans/OpenSans-Regular-webfont.ttf HTTP/1.1Host: webmail.unitedyacht.comConnection: keep-aliveOrigin: https://arthurperush.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://webmail.unitedyacht.com/cPanel_magic_revision_1386192030/unprotected/cpanel/fonts/open_sans/open_sans.min.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1616517441/unprotected/cpanel/fonts/open_sans/OpenSans-Semibold-webfont.ttf HTTP/1.1Host: webmail.unitedyacht.comConnection: keep-aliveOrigin: https://arthurperush.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://webmail.unitedyacht.com/cPanel_magic_revision_1386192030/unprotected/cpanel/fonts/open_sans/open_sans.min.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1616517441/unprotected/cpanel/fonts/open_sans/OpenSans-Bold-webfont.ttf HTTP/1.1Host: webmail.unitedyacht.comConnection: keep-aliveOrigin: https://arthurperush.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://webmail.unitedyacht.com/cPanel_magic_revision_1386192030/unprotected/cpanel/fonts/open_sans/open_sans.min.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /VCmmJUv.png HTTP/1.1Host: i.imgur.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://arthurperush.com/css/cPanel.SharePoint_documentOnline/login.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /VCmmJUv.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: i.imgur.com
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1547665285/unprotected/cpanel/images/icon-username.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: webmail.unitedyacht.com
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1458739301/unprotected/cpanel/images/webmail-logo.svg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: webmail.unitedyacht.com
Source: global traffic HTTP traffic detected: GET /data:image/svg+xml;base64,... HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: webmail.unitedyacht.com
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1547665285/unprotected/cpanel/images/icon-password.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: webmail.unitedyacht.com
Source: global traffic HTTP traffic detected: GET /data%3aimage/svg%2bxml%3bbase64%2c... HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: webmail.unitedyacht.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /?locale=en HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1616517441/unprotected/cpanel/fonts/open_sans/open_sans.min.css HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://webmail.serendahsteel.com/?locale=enAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: webmailsession=%3arZynwdYmgajDMd6a%2c10841453a97a6117ead87650119bd7a3; session_locale=en; roundcube_cookies=enabled
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1630269605/unprotected/cpanel/style_v2_optimized.css HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://webmail.serendahsteel.com/?locale=enAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: webmailsession=%3arZynwdYmgajDMd6a%2c10841453a97a6117ead87650119bd7a3; session_locale=en; roundcube_cookies=enabled
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1463518546/unprotected/cpanel/images/webmail-logo.svg HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://webmail.serendahsteel.com/?locale=enAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: webmailsession=%3arZynwdYmgajDMd6a%2c10841453a97a6117ead87650119bd7a3; session_locale=en; roundcube_cookies=enabled
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1616517441/unprotected/cpanel/fonts/open_sans/OpenSans-Regular-webfont.woff HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveOrigin: https://webmail.serendahsteel.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://webmail.serendahsteel.com/cPanel_magic_revision_1616517441/unprotected/cpanel/fonts/open_sans/open_sans.min.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: webmailsession=%3arZynwdYmgajDMd6a%2c10841453a97a6117ead87650119bd7a3; session_locale=en; roundcube_cookies=enabled; timezone=America/Los_Angeles
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1616517441/unprotected/cpanel/fonts/open_sans/OpenSans-Semibold-webfont.woff HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveOrigin: https://webmail.serendahsteel.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://webmail.serendahsteel.com/cPanel_magic_revision_1616517441/unprotected/cpanel/fonts/open_sans/open_sans.min.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: webmailsession=%3arZynwdYmgajDMd6a%2c10841453a97a6117ead87650119bd7a3; session_locale=en; roundcube_cookies=enabled; timezone=America/Los_Angeles
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1616517441/unprotected/cpanel/fonts/open_sans/OpenSans-Bold-webfont.woff HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveOrigin: https://webmail.serendahsteel.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://webmail.serendahsteel.com/cPanel_magic_revision_1616517441/unprotected/cpanel/fonts/open_sans/open_sans.min.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: webmailsession=%3arZynwdYmgajDMd6a%2c10841453a97a6117ead87650119bd7a3; session_locale=en; roundcube_cookies=enabled; timezone=America/Los_Angeles
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1463518546/unprotected/cpanel/images/notice-info.png HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://webmail.serendahsteel.com/cPanel_magic_revision_1630269605/unprotected/cpanel/style_v2_optimized.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: webmailsession=%3arZynwdYmgajDMd6a%2c10841453a97a6117ead87650119bd7a3; session_locale=en; roundcube_cookies=enabled
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1463518546/unprotected/cpanel/images/notice-error.png HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://webmail.serendahsteel.com/cPanel_magic_revision_1630269605/unprotected/cpanel/style_v2_optimized.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: webmailsession=%3arZynwdYmgajDMd6a%2c10841453a97a6117ead87650119bd7a3; session_locale=en; roundcube_cookies=enabled
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1463518546/unprotected/cpanel/images/icon-username.png HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://webmail.serendahsteel.com/cPanel_magic_revision_1630269605/unprotected/cpanel/style_v2_optimized.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: webmailsession=%3arZynwdYmgajDMd6a%2c10841453a97a6117ead87650119bd7a3; session_locale=en; roundcube_cookies=enabled
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1463518546/unprotected/cpanel/images/icon-password.png HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://webmail.serendahsteel.com/cPanel_magic_revision_1630269605/unprotected/cpanel/style_v2_optimized.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: webmailsession=%3arZynwdYmgajDMd6a%2c10841453a97a6117ead87650119bd7a3; session_locale=en; roundcube_cookies=enabled
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1463518546/unprotected/cpanel/images/notice-success.png HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://webmail.serendahsteel.com/cPanel_magic_revision_1630269605/unprotected/cpanel/style_v2_optimized.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: webmailsession=%3arZynwdYmgajDMd6a%2c10841453a97a6117ead87650119bd7a3; session_locale=en; roundcube_cookies=enabled
Source: global traffic HTTP traffic detected: GET /cPanel_magic_revision_1463518546/unprotected/cpanel/images/warning.png HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://webmail.serendahsteel.com/cPanel_magic_revision_1630269605/unprotected/cpanel/style_v2_optimized.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: webmailsession=%3arZynwdYmgajDMd6a%2c10841453a97a6117ead87650119bd7a3; session_locale=en; roundcube_cookies=enabled
Source: global traffic HTTP traffic detected: GET /?locale=ar HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: webmailsession=%3arZynwdYmgajDMd6a%2c10841453a97a6117ead87650119bd7a3; session_locale=en; roundcube_cookies=enabled; timezone=America/Los_Angeles
Source: global traffic HTTP traffic detected: GET /?locale=bg HTTP/1.1Host: webmail.serendahsteel.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: roundcube_cookies=enabled; timezone=America/Los_Angeles; webmailsession=%3aL_5UxxdUFcs79CER%2cca816adc682c985b33878010947b95b9; session_locale=ar
Source: global traffic HTTP traffic detected:
GET /?locale=cs HTTP/1.1
Host: webmail.serendahsteel.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: roundcube_cookies=enabled; timezone=America/Los_Angeles; webmailsession=%3aXM1wd6prSVQkUfND%2ca2ab7509298ff536dc5d34c974c32524; session_locale=bg
Source: global traffic HTTP traffic detected:
GET /?locale=da HTTP/1.1
Host: webmail.serendahsteel.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: roundcube_cookies=enabled; timezone=America/Los_Angeles; webmailsession=%3a3Be1T1zsuDYpXraK%2c161f27175e3ad11afbd2948b84e08c4f; session_locale=cs
Source: global traffic HTTP traffic detected:
GET /?locale=de HTTP/1.1
Host: webmail.serendahsteel.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: roundcube_cookies=enabled; timezone=America/Los_Angeles; webmailsession=%3arF9R3lM4ZLnbf_qE%2ce1f11a22c225092696e3c1e5bd9a25e4; session_locale=da
Source: global traffic HTTP traffic detected:
GET /?locale=el HTTP/1.1
Host: webmail.serendahsteel.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: roundcube_cookies=enabled; timezone=America/Los_Angeles; webmailsession=%3aZEm_sI1rJvNEi7by%2c4ab193791d9e20fba6816ee2acc3df28; session_locale=de
Source: global traffic HTTP traffic detected:
GET /?locale=es HTTP/1.1
Host: webmail.serendahsteel.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: roundcube_cookies=enabled; timezone=America/Los_Angeles; webmailsession=%3atv2V2gFhVsVxQnAL%2ca29dc2d32ccadd90323922aa2d946414; session_locale=el
Source: global traffic HTTP traffic detected:
GET /?locale=ar HTTP/1.1
Host: webmail.serendahsteel.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: roundcube_cookies=enabled; timezone=America/Los_Angeles; webmailsession=%3arwNXY9Q5iIf01mfQ%2cb3126fa745e92fde4aa60bc70961e113; session_locale=es
Source: global traffic HTTP traffic detected:
GET /?locale=bg HTTP/1.1
Host: webmail.serendahsteel.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: roundcube_cookies=enabled; timezone=America/Los_Angeles; webmailsession=%3a6uJKuDYKo5yL312X%2c723f4495b1a66df427ab5eca1e9f6fce; session_locale=ar
Source: global traffic HTTP traffic detected:
GET /?locale=cs HTTP/1.1
Host: webmail.serendahsteel.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: roundcube_cookies=enabled; timezone=America/Los_Angeles; webmailsession=%3aV8tkTA7rl56zmE8l%2c7b0d62de45651f81f78e4d680c484c2d; session_locale=bg
Source: global traffic HTTP traffic detected:
GET /?locale=da HTTP/1.1
Host: webmail.serendahsteel.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: roundcube_cookies=enabled; timezone=America/Los_Angeles; webmailsession=%3alcZ7fzgMFJwE7Gs3%2ce9b32721a3479df213bc57116d918206; session_locale=cs
Source: global traffic HTTP traffic detected:
GET /?locale=de HTTP/1.1
Host: webmail.serendahsteel.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: roundcube_cookies=enabled; timezone=America/Los_Angeles; webmailsession=%3aNtsC7AoBd2Q4g_iG%2cbb3e3b737d48efa9ace5acfe9a7f69ad; session_locale=da
Source: global traffic HTTP traffic detected:
GET /?locale=el HTTP/1.1
Host: webmail.serendahsteel.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: roundcube_cookies=enabled; timezone=America/Los_Angeles; webmailsession=%3aWKtuDfveqf4YKODN%2cb89ee7d54aceca40857f12bddc01d1b9; session_locale=de
Source: global traffic HTTP traffic detected:
GET /?locale=es HTTP/1.1
Host: webmail.serendahsteel.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: roundcube_cookies=enabled; timezone=America/Los_Angeles; webmailsession=%3a2Lgd0TyXpGSQwkdE%2cd0b41c879a61f7cb82dc98fec426dd4b; session_locale=el
Source: global traffic HTTP traffic detected:
GET /?locale=es_419 HTTP/1.1
Host: webmail.serendahsteel.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: roundcube_cookies=enabled; timezone=America/Los_Angeles; webmailsession=%3aKk4R4ZDdfAW0yFSx%2c920b5fb218bef83b478ad693450ddb27; session_locale=es
Source: global traffic HTTP traffic detected:
GET /wp-includes/css/cPanel.SharePoint_documentOnline/redirecting.php HTTP/1.1
Host: v2.bpkbsaya.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Source: unknown HTTPS traffic detected: 151.101.112.193:443 -> 192.168.2.3:49846 version: TLS 1.2
Source: unknown HTTPS traffic detected: 72.9.144.117:443 -> 192.168.2.3:49849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 72.9.144.117:443 -> 192.168.2.3:49848 version: TLS 1.2
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_00049029 lstrlenW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard, 39_2_00049029
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0005C8DF 39_2_0005C8DF
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_000651B0 39_2_000651B0
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0006423B 39_2_0006423B
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_00064A67 39_2_00064A67
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0006328B 39_2_0006328B
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_000502A1 39_2_000502A1
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_00057AF1 39_2_00057AF1
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0005F428 39_2_0005F428
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_000644E5 39_2_000644E5
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_00057E39 39_2_00057E39
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_000656B9 39_2_000656B9
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_00063EC9 39_2_00063EC9
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0005EFA0 39_2_0005EFA0
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_000647AC 39_2_000647AC
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: String function: 0004FE60 appears 43 times
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_00049D31: CreateFileW,DeviceIoControl,CloseHandle, 39_2_00049D31
Source: ChromeRecovery.exe.38.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\View Shared File.pdf
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /prefetch:1 "C:\Users\user\Desktop\View Shared File.pdf
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1692,9505094711010095436,2813685380730867450,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=4522651327695846108 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4522651327695846108 --renderer-client-id=2 --mojo-platform-channel-handle=1704 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1692,9505094711010095436,2813685380730867450,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=10689791772710628581 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1692,9505094711010095436,2813685380730867450,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1168505979000462944 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1168505979000462944 --renderer-client-id=4 --mojo-platform-channel-handle=1812 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1692,9505094711010095436,2813685380730867450,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=12017203034287935800 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12017203034287935800 --renderer-client-id=5 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1692,9505094711010095436,2813685380730867450,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1325300201368898226 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1325300201368898226 --renderer-client-id=6 --mojo-platform-channel-handle=2804 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation -- "http://v2.bpkbsaya.com/wp-includes/css/cPanel.SharePoint_documentOnline/redirecting.php
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,1458980921024501746,2057635213361371639,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1908 /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Process created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=85.0.4183.121 --sessionid={3300d716-561c-4453-9d4f-82432db65734} --system
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9Rkvyosn_kwacik_41g.tmp
Source: classification engine Classification label: mal56.phis.winPDF@65/179@11/10
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File read: C:\Users\desktop.ini
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Mutant created: \BaseNamedObjects\Global\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5200:120:WilError_01
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_00041209 LoadResource,LockResource,SizeofResource, 39_2_00041209
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File opened: C:\Windows\SysWOW64\Msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecoveryCRX.crx
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\manifest.json
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\_metadata\
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe Directory created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\_metadata\verified_contents.json
Source: Binary string: GoogleUpdateB231574670_unsigned.pdb` source: ChromeRecovery.exe, 00000027.00000002.656555799.0000000000067000.00000002.00000001.01000000.00000009.sdmp, ChromeRecovery.exe, 00000027.00000000.655835057.0000000000067000.00000002.00000001.01000000.00000009.sdmp, ChromeRecovery.exe.38.dr
Source: Binary string: GoogleUpdateB231574670_unsigned.pdb source: ChromeRecovery.exe, 00000027.00000002.656555799.0000000000067000.00000002.00000001.01000000.00000009.sdmp, ChromeRecovery.exe, 00000027.00000000.655835057.0000000000067000.00000002.00000001.01000000.00000009.sdmp, ChromeRecovery.exe.38.dr
Source: View Shared File.pdf Initial sample: PDF keyword /JS count = 0
Source: View Shared File.pdf Initial sample: PDF keyword /JavaScript count = 0
Source: View Shared File.pdf Initial sample: PDF keyword /EmbeddedFile count = 0
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_000639A3 push ecx; ret 39_2_000639B6
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0004FEA6 push ecx; ret 39_2_0004FEB9
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0004E00C CloseHandle,InitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection, 39_2_0004E00C
Source: C:\Program Files\Google\Chrome\Application\85.0.4183.121\elevation_service.exe File created: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_00043298 GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW, 39_2_00043298
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_000502A1 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 39_2_000502A1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0006525D VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 39_2_0006525D
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_000598C3 FindFirstFileExW, 39_2_000598C3
Source: AcroRd32.exe, 00000001.00000000.419453160.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.435987288.000000000AEA0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0005323D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_0005323D
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0006525D VirtualProtect ?,-00000001,00000104,?,?,?,0000001C 39_2_0006525D
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_000441A3 CreateFileW,GetFileAttributesExW,OutputDebugStringW,CloseHandle,GetLastError,WriteFile, 39_2_000441A3
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0004E00C CloseHandle,InitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection, 39_2_0004E00C
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_000413D8 GetProcessHeap, 39_2_000413D8
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_00059665 mov eax, dword ptr fs:[00000030h] 39_2_00059665
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_00053E6C mov ecx, dword ptr fs:[00000030h] 39_2_00053E6C
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0004E00C CloseHandle,InitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection, 39_2_0004E00C
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0004E2C3 FreeLibrary,FreeLibrary,FreeLibrary,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection,DeleteCriticalSection,ReleaseSemaphore,WaitForSingleObject,CloseHandle,FindCloseChangeNotification,DeleteCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection, 39_2_0004E2C3
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0004FE00 SetUnhandledExceptionFilter, 39_2_0004FE00
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0004F886 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 39_2_0004F886
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0005323D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_0005323D
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0004FC6A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_0004FC6A
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0004E4E6 EnterCriticalSection,SetUnhandledExceptionFilter, 39_2_0004E4E6
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0004E553 SetUnhandledExceptionFilter,LeaveCriticalSection, 39_2_0004E553
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_000459D6 GetSecurityDescriptorDacl,SetSecurityDescriptorDacl, 39_2_000459D6
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_00048FB3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 39_2_00048FB3
Source: AcroRd32.exe, 00000001.00000000.397549375.0000000005440000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.429307878.0000000005440000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.412730247.0000000005440000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: AcroRd32.exe, 00000001.00000000.397549375.0000000005440000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.429307878.0000000005440000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.412730247.0000000005440000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: AcroRd32.exe, 00000001.00000000.397549375.0000000005440000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.429307878.0000000005440000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.412730247.0000000005440000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: AcroRd32.exe, 00000001.00000000.397549375.0000000005440000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.429307878.0000000005440000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.412730247.0000000005440000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_0004FAC3 cpuid 39_2_0004FAC3
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_00043047 GetLocalTime,GetCurrentThreadId,GetCurrentProcessId, 39_2_00043047
Source: C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3876_980132676\ChromeRecovery.exe Code function: 39_2_00048E0B GetVersionExW,GetProcAddress,FreeLibrary, 39_2_00048E0B
[Map legend, IP distribution by country: No. of IPs < 25%; 25% to 50%; 50% to 75%; > 75%]