Windows Analysis Report
Cancellation_418406_Dec23.pdf

Overview

General Information

Sample Name: Cancellation_418406_Dec23.pdf
Analysis ID: 778232
MD5: c085bbddc02251986f1fd8b84c5a404e
SHA1: 98d3377ff32441e24baa96f1d0fd83190e274c22
SHA256: ca2d98108f12fb407cb0e1778febc9ff453ebbd8888e3b184cb8b9993775b5d8

Detection

Qbot Downloader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found potential malicious PDF (bad image similarity)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected Qbot Downloader
Clickable URLs found in PDF pointing to potentially malicious files
Creates a DirectInput object (often for capturing keystrokes)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware

Classification

AV Detection

Source: http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip Avira URL Cloud: Label: malware
Source: http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip Virustotal: Detection: 15%
Source: Cancellation_418406_Dec23.pdf Malware Configuration Extractor: Qbot Downloader {"Download Url": "http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip"}
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Spreading

Source: Yara match File source: Cancellation_418406_Dec23.pdf, type: SAMPLE
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 05 Jan 2023 08:03:45 GMTServer: ApacheX-Powered-By: PHP/8.1.13Connection: keep-alive, Keep-AliveAccept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="Cancellation_367461_Dec23.zip"Upgrade: h2,h2cConnection: UpgradeContent-Length: 801520Vary: Accept-EncodingKeep-Alive: timeout=5Content-Type: application/zip
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: Cancellation_418406_Dec23.pdf String found in binary or memory: http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip)
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+904; AEC=AakniGO7HqlHWlnoY-P22_SwwnNSfVGxlF1NgK5nuj5WLe313NyJi16g7z4; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
Source: unknown DNS traffic detected: queries for: agapeministriesinternational.church
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /blog/Cancellation_367461_Dec23.zip HTTP/1.1Host: agapeministriesinternational.churchConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: unarchiver.exe, 0000000F.00000002.606287284.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: Cancellation_418406_Dec23.pdf Static PDF information: Image stream: 6
Source: Cancellation_418406_Dec23.pdf Initial sample: http://agapeministriesinternational.church/blog/cancellation_367461_dec23.zip
Source: Cancellation_418406_Dec23.pdf Initial sample: http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File deleted: C:\Windows\Fonts\ariblk.ttf
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: unknown Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\Cancellation_418406_Dec23.pdf
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1812,i,544507481073856773,15156316211615148029,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fgt4alc0.uhe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5312:120:WilError_01
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\GoogleUpdater
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx
Source: classification engine Classification label: mal76.spre.winPDF@38/57@5/7
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Cancellation_418406_Dec23.pdf Initial sample: PDF keyword /JS count = 0
Source: Cancellation_418406_Dec23.pdf Initial sample: PDF keyword /JavaScript count = 0
Source: Cancellation_418406_Dec23.pdf Initial sample: PDF keyword /EmbeddedFile count = 0
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6500 Thread sleep count: 119 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6500 Thread sleep time: -59500s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 15_2_00F0B1D6 GetSystemInfo, 15_2_00F0B1D6
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid