Edit tour

Windows Analysis Report
Cancellation_418406_Dec23.pdf

Overview

General Information

Sample Name:	Cancellation_418406_Dec23.pdf
Analysis ID:	778232
MD5:	c085bbddc02251986f1fd8b84c5a404e
SHA1:	98d3377ff32441e24baa96f1d0fd83190e274c22
SHA256:	ca2d98108f12fb407cb0e1778febc9ff453ebbd8888e3b184cb8b9993775b5d8
Infos:

Detection

Qbot Downloader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found potential malicious PDF (bad image similarity)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Yara detected Qbot Downloader

Clickable URLs found in PDF pointing to potentially malicious files

Creates a DirectInput object (often for capturing keystrokes)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Internet Provider seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

AcroRd32.exe (PID: 2156 cmdline: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\Cancellation_418406_Dec23.pdf MD5: B969CF0C7B2C443A99034881E8C8740A)

RdrCEF.exe (PID: 5448 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)

chrome.exe (PID: 7152 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

chrome.exe (PID: 2364 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1812,i,544507481073856773,15156316211615148029,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)

unarchiver.exe (PID: 6076 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 5296 cmdline: C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fgt4alc0.uhe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Qbot Downloader

{"Download Url": "http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Cancellation_418406_Dec23.pdf	JoeSecurity_QbotDownloader	Yara detected Qbot Downloader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip

Virustotal: Detection: 15%

Perma Link

Source: Cancellation_418406_Dec23.pdf

Malware Configuration Extractor: Qbot Downloader {"Download Url": "http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip"}

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Spreading

Yara detected Qbot Downloader

Source: Yara match

File source: Cancellation_418406_Dec23.pdf, type: SAMPLE

Source: Joe Sandbox View

ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 05 Jan 2023 08:03:45 GMTServer: ApacheX-Powered-By: PHP/8.1.13Connection: keep-alive, Keep-AliveAccept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="Cancellation_367461_Dec23.zip"Upgrade: h2,h2cConnection: UpgradeContent-Length: 801520Vary: Accept-EncodingKeep-Alive: timeout=5Content-Type: application/zipData Raw: 50 4b 03 04 14 00 01 00 08 00 02 9c 97 55 e0 d4 f8 ae 42 3a 0c 00 00 d0 6a 06 14 00 00 00 43 61 6e 63 65 6c 6c 61 74 69 6f 6e 23 4a 35 38 2e 69 73 6f 79 61 b4 0c 99 42 96 64 6f 83 91 a6 87 9a e5 3b a7 9b fa 5c ce db 83 0b 04 d9 b6 6c 6b c0 29 f7 77 06 99 5d 89 d8 25 f7 83 d0 e7 99 b5 61 ec 80 11 0d 3f ab ff b3 1e 8a da 89 07 00 17 6a ec e6 29 66 86 ed bf 05 74 c7 c4 7c 06 90 e2 b0 2d 93 97 cf c9 70 ab d3 95 5b b2 ed 34 37 cb cb 9b c8 3a fb be 6c 97 18 a2 80 38 1b 2f 9a 5a 49 9d 4c 08 51 38 eb d6 d9 76 b8 dd 45 e0 a7 da c5 f3 68 1d 93 e1 36 73 17 47 c3 84 d1 50 b0 20 e0 0f 2f 1c ba ad 94 8c d5 01 a0 44 c8 57 38 0e b7 40 e6 67 9d e3 e4 b7 ef 2d a6 da d8 4d ff be 7d a9 a8 68 55 a3 aa 40 fb 32 c8 a1 2b 79 c1 e4 f5 44 28 a9 e8 6d 90 d7 2c f8 a6 a7 d3 f7 4d cd 5c 12 87 6b 1c a6 df da 6c f4 db 85 6c 02 12 db 8a f5 b8 f3 5a 1e 09 34 9b f1 09 d4 31 61 ec dd 98 ce d0 fe 90 73 1d 8f ff 0f 0a 49 41 25 be 0a 11 13 3c 09 76 9f c6 c9 0c b8 42 55 a2 ef 6e 61 a6 e8 c0 f4 02 5a 7e fd c2 2f 48 3e 80 50 95 ce 2e f5 5a 93 67 db cd b2 29 e5 bb 9d 0e 62 e2 2c 31 ec 3a 10 92 44 3f 90 c3 4d 8d 78 1d 46 c1 7e f6 97 5a 08 bd 77 25 72 27 e9 80 65 ae d6 7a 71 36 ea b4 32 04 2e c4 39 00 76 fb 72 d4 40 ac 61 a6 37 85 ca f3 1f 0b a9 1c 0b 68 b6 46 50 87 c1 02 a6 5b 2c 19 53 aa 37 4e c9 91 6a 4f fa 5a 49 aa 28 55 28 fd 13 fb 29 bf 51 74 1d 23 18 cd 17 74 20 81 cf a2 6e 45 2e e2 71 c9 01 18 59 6f e6 8c 3c 09 1d 71 f9 92 87 c1 71 d9 40 fd e3 16 28 8a 86 ff 37 d4 e6 37 21 18 c0 7a 7f 44 37 e6 8d 17 12 6b 93 fb a5 8d 64 de 6d a5 1b fd 57 d9 4e 7d e0 56 b6 c1 76 c0 30 44 73 e9 a2 7f 4c 05 21 0a 60 55 17 f4 b7 da 7d ef 80 22 eb f8 df f2 e7 c0 f3 e9 96 5c 9a 67 ea 0a 27 b1 9a 56 9e 23 db 96 6d 10 a6 9b 6b e5 a2 e2 59 36 2b 26 9e 1b 69 9c d3 38 14 c6 36 f0 da 48 f3 79 40 c9 e2 7f dd 9d bf 3a 3a 05 47 80 07 34 e3 74 1e e4 0f 97 7b ae 19 c5 d9 68 9b df 3b 64 53 bf 69 af 0c bf 9c 9c 6a 36 18 67 ab 81 08 7b 42 6c 0d cd e1 62 60 11 a4 a7 21 23 a0 4f 6c 40 f5 7b 11 1d f0 76 5f 7a 8a 5b 2e 65 7f 21 1e 86 b6 19 54 57 b5 41 94 5b 90 8f 16 50 60 ae 7f a4 92 dc 2b a4 67 ad 6b 9b f2 05 9a 3a 94 ae 2a 89 78 68 9f 8f 8b 31 27 07 e4 b4 13 7c 80 cb e7 c5 e5 bc 7e 3a d7 60 11 c2 bb 12 ee 5f ae 4e 7c c3 36 be 22 ef 58 5e 4e 59 bc 23 d8 61 55 c7 14 7b 70 a5 9a 09 2f 7a 5a 22 0a 39 e9 6f 02 5c 47 49 f9 11 04 ee 58 0a 0c 64 04 62 b0 2a 4b fe 40 3b e6 05 50 d4 d2 46 2f 6a 7b c3 7d 4e 3f c6 78 fd 9d e9 5c 21 0e bb 7c 04 d4 81 ae 3e 1b 54 21 f5 63 74 70 ea 32 40 2d cb f0 cc 61 55 09 d1 aa 35 53 1a a1 6e 94 69 e8 c9 0f e8 15 17 07 f8 16 aa 7d 01 ad bb 78 51 d2 f8 0d 0d 25 d2

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: Cancellation_418406_Dec23.pdf

String found in binary or memory: http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip)

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+904; AEC=AakniGO7HqlHWlnoY-P22_SwwnNSfVGxlF1NgK5nuj5WLe313NyJi16g7z4; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o

Source: unknown

DNS traffic detected: queries for: agapeministriesinternational.church

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /blog/Cancellation_367461_Dec23.zip HTTP/1.1Host: agapeministriesinternational.churchConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unarchiver.exe, 0000000F.00000002.606287284.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Found potential malicious PDF (bad image similarity)

Source: Cancellation_418406_Dec23.pdf

Static PDF information: Image stream: 6

Clickable URLs found in PDF pointing to potentially malicious files

Source: Cancellation_418406_Dec23.pdf	Initial sample: http://agapeministriesinternational.church/blog/cancellation_367461_dec23.zip
Source: Cancellation_418406_Dec23.pdf	Initial sample: http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\Fonts\ariblk.ttf

Jump to behavior

Source: Cancellation_418406_Dec23.pdf	Initial sample: http://agapeministriesinternational.church/blog/cancellation_367461_dec23.zip
Source: Cancellation_418406_Dec23.pdf	Initial sample: http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\Cancellation_418406_Dec23.pdf
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1812,i,544507481073856773,15156316211615148029,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fgt4alc0.uhe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1812,i,544507481073856773,15156316211615148029,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fgt4alc0.uhe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5312:120:WilError_01

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx

Jump to behavior

Source: classification engine

Classification label: mal76.spre.winPDF@38/57@5/7

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\GoogleUpdater

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: Cancellation_418406_Dec23.pdf	Initial sample: PDF keyword /JS count = 0
Source: Cancellation_418406_Dec23.pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: Cancellation_418406_Dec23.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6500	Thread sleep count: 119 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6500	Thread sleep time: -59500s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\unarchiver.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 15_2_00F0B1D6 GetSystemInfo,

15_2_00F0B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fgt4alc0.uhe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Spearphishing Link	Windows Management Instrumentation	Path Interception	11 Process Injection	3 Masquerading	1 Input Capture	1 Virtualization/Sandbox Evasion	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	3 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	4 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	5 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
agapeministriesinternational.church	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip	100%	Avira URL Cloud	malware
http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip)	0%	Avira URL Cloud	safe
http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip	16%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
agapeministriesinternational.church	50.62.149.105	true	true	3%, Virustotal, Browse	unknown
accounts.google.com	142.251.209.13	true	false		high
www.google.com	142.250.184.36	true	false		high
clients.l.google.com	142.250.184.78	true	false		high
clients2.google.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip)	Cancellation_418406_Dec23.pdf	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
50.62.149.105	agapeministriesinternational.church	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
142.250.184.78	clients.l.google.com	United States	15169	GOOGLEUS	false
142.251.209.13	accounts.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.184.36	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	778232
Start date and time:	2023-01-05 09:01:23 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Cancellation_418406_Dec23.pdf
Cookbook file name:	defaultwindowspdfcookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.spre.winPDF@38/57@5/7
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .pdf Found PDF document Find and activate links Security Warning found Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.21.22.155, 2.21.22.179, 23.211.4.250, 142.250.184.35, 34.104.35.123, 142.250.184.67
Excluded domains from analysis (whitelisted): ssl.adobe.com.edgekey.net, fs.microsoft.com, armmf.adobe.com, edgedl.me.gvt1.com, acroipm2.adobe.com.edgesuite.net, e4578.dscb.akamaiedge.net, a122.dscd.akamai.net, update.googleapis.com, clientservices.googleapis.com, acroipm2.adobe.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:02:21	API Interceptor	1x Sleep call for process: RdrCEF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
50.62.149.105	swift copy$48,400.exe	Get hash	malicious	Browse	www.myeramd.com/hq0b/?FvW8X=PPbHunsP3xKlC8&A2=FEn4sz1CWpi2cWl1wcENQWyyn446hRlJFbqqf0jkHBurpevR/ONYOzyuSCpQG4EC96N+
239.255.255.250	http://sg.lightrdr.best/	Get hash	malicious	Browse
	http://au-redelivery-fees.com	Get hash	malicious	Browse
	https://taxes.rpacx.com	Get hash	malicious	Browse
	http://www.farmandcity.co.zw	Get hash	malicious	Browse
	https://app.uizard.io/p/78d796e3	Get hash	malicious	Browse
	https://taxes.rpacx.com/eutirtovoqnurkallc6gpwakepm88ohmjmo+ckkwgqbz5ooqf7zou0z7pjke7dw1	Get hash	malicious	Browse
	http://clickserve.dartsearch.net/link/click?&ds_a_cid=680760384&ds_a_caid=12694754542&ds_a_agid=123477218634&ds_a_fiid=&ds_a_lid=&&ds_e_adid=512650395034&ds_e_matchtype=&ds_e_device=c&ds_e_network=&&ds_url_v=2&ds_dest_url=https://mf606g.codesandbox.io/?dg=YWNjb3VudHNwYXlhYmxlQHBsYXRlYXV0ZWwuY29t	Get hash	malicious	Browse
	wescom Sharedscanned documents .HTMl.HTm	Get hash	malicious	Browse
	https://www.bing.com/ck/a?!&&p=c9c2566e4ab710b4JmltdHM9MTY3Mjc5MDQwMCZpZ3VpZD0xZGI0MmQwZi0yMjEwLTZhMjQtMzZhNC0zZjgwMjNlZDZiOGMmaW5zaWQ9NTE2NA&ptn=3&hsh=3&fclid=1db42d0f-2210-6a24-36a4-3f8023ed6b8c&u=a1aHR0cHM6Ly9jcmVhdGl2ZW1lZGlhc29sdXRpb25zLm9yZy8&ntb=1?qw=m.temnyk@gms-worldwide.com	Get hash	malicious	Browse
	http://object.fm	Get hash	malicious	Browse
	http://watch-online.49n7wqynho5u.top	Get hash	malicious	Browse
	malicious-attachement.html	Get hash	malicious	Browse
	Remittance01042023000128912838383.html	Get hash	malicious	Browse
	fsbwa Sharedscanned documents .HTMl.HTm.htm	Get hash	malicious	Browse
	http://r.kansasupdatesinc.com/tr/cl/-QiVUVSiXNevuU5j0YBr07D8r0GJPslw7tR4LhBAYAzhuo4GwluGG2j0Yr-xQaeuBF4g7wletcwoHb7PAt5U-4GfBeiNbMTHtyU7xesSaDGRU2-dvQszXGmuQT-cReuJp5mlkr9_yUyIcXqr2zS4UML88OY46likHFJs6b-CAlJztHWdfk6dXkhWyc7YA-3Jl8FIcS5MU6WD8zAtQc2rgdXtciRvXNpLlrWaaBrPiwfvk06RLfE	Get hash	malicious	Browse
	transmountain cyril_jenkins alex.correa.html	Get hash	malicious	Browse
	https://kampuskonnekt49.com/cdn/notify/regotransport	Get hash	malicious	Browse
	transmountain cyril_jenkins alex.correa.html	Get hash	malicious	Browse
	Scanned3345609.hTml	Get hash	malicious	Browse
	http://pogothere.xyz	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-26496-GO-DADDY-COM-LLCUS	Copy_Company-profile.vbe	Get hash	malicious	Browse	173.201.193.229
	http://object.fm	Get hash	malicious	Browse	184.168.104.171
	university of kentucky indirect cost rate agreement 5564.js	Get hash	malicious	Browse	23.229.209.229
	payload.dll.exe	Get hash	malicious	Browse	166.62.88.163
	ANSFXTL55060.vbs	Get hash	malicious	Browse	72.167.39.20
	jAqT1F0Fpy.exe	Get hash	malicious	Browse	107.180.4.94
	sSB5yHCWJg.elf	Get hash	malicious	Browse	192.186.201.160
	40090300098393.exe	Get hash	malicious	Browse	184.168.101.66
	40090300098393.exe	Get hash	malicious	Browse	184.168.101.66
	MYorfmVq9Z.exe	Get hash	malicious	Browse	192.169.149.78
	qqt.exe	Get hash	malicious	Browse	184.168.111.40
	qqt.exe	Get hash	malicious	Browse	184.168.111.40
	SETjGyH4X8.elf	Get hash	malicious	Browse	97.74.248.66
	file.exe	Get hash	malicious	Browse	107.180.98.101
	file.exe	Get hash	malicious	Browse	107.180.98.101
	file.exe	Get hash	malicious	Browse	107.180.98.101
	lCVLEXbxih.exe	Get hash	malicious	Browse	107.180.98.101
	remotesecurity1.apk	Get hash	malicious	Browse	43.255.154.97
	tochi8890.exe	Get hash	malicious	Browse	68.178.145.252
	DHL Original BL, PL, CI Copies.htm.exe	Get hash	malicious	Browse	72.167.125.133

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	205
Entropy (8bit):	5.621995976318026
Encrypted:	false
SSDEEP:	3:m+lvns8RzYOCGLvHkWBGKuKjXKLNjKLuVlfl/1lQRktyrVNBiTFJrqzOJkvP5m1:men9YOFLvEWdM9QKftvPtYvi7Z+P41
MD5:	05A8ED13DB8ACF9593227A84C5C6FF47
SHA1:	6414B2E11A5C6EDA3AEDDF90585DC7AB6AA8817E
SHA-256:	6AD07D48B525B5EBE2DE9B7C4A074C01C366CCDD01080F8F65C378B8089C4227
SHA-512:	A392B1984BB041DB20B9AC85C423966E8D67F40D5774D82B9313626CB5F428454BD88C77D5CC82CC6DE18DC7EDB1BE95C6DAF387C92F19AB2AA799C613B4AEE4
Malicious:	false
Reputation:	low
Preview:	0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js ..mQ..P/....."#.D5.3....A.A..Eo......KX..............d.{v.^.G...d.W.:...P..k%..A..Eo..................

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2068
Entropy (8bit):	5.0863149791147855
Encrypted:	false
SSDEEP:	48:zFJbGYGbYGYGpiGbfGYGp3FkGbeG0FkGQGNGYGYGmHGYGNGYGmbP1+EEEEEEEEEY:x8MjKU9Q
MD5:	8A8E8565CCAA246BA9B71598B7038E38
SHA1:	27578ACD6D50E313A3BA1F5DB05EF479F0F9CF8B
SHA-256:	C783A44B81D1DEE63B86D0B1C036889E1DF5686A911785BBB9AC5F35AA32AFEC
SHA-512:	E7DBC97A56628ED6CA7F5B456AC31C1BC6C79DBF8ECF1B1D3E375F3C197FE2B4F8CC6476B2453A4D9551186EAAF83395A4E628FFA171130E724A0E4A79AF20CC
Malicious:	false
Preview:	01/05/2023 9:03 AM: Unpack: C:\Users\user\Downloads\Cancellation_367461_Dec23.zip..01/05/2023 9:03 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\fgt4alc0.uhe..01/05/2023 9:03 AM: Received from standard out: ..01/05/2023 9:03 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..01/05/2023 9:03 AM: Received from standard out: ..01/05/2023 9:03 AM: Received from standard out: Scanning the drive for archives:..01/05/2023 9:03 AM: Received from standard out: 1 file, 801520 bytes (783 KiB)..01/05/2023 9:03 AM: Received from standard out: ..01/05/2023 9:03 AM: Received from standard out: Extracting archive: C:\Users\user\Downloads\Cancellation_367461_Dec23.zip..01/05/2023 9:03 AM: Received from standard out: --..01/05/2023 9:03 AM: Received from standard out: Path = C:\Users\user\Downloads\Cancellation_367461_Dec23.zip..01/05/2023 9:03 AM: Received from standard out: Type = zip..01/05/2023 9:03 AM: Received from standard out: Physical Size

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	801520
Entropy (8bit):	7.999770193882168
Encrypted:	true
SSDEEP:	24576:wlDW7aQ9CEKLN0rvLPFMDcebEvbm37vcYep11QJ/6dP/z:MDWtKZ0+DczS3TcYefQJ/uP/z
MD5:	26097A602D65D1CC7E47D2A5E5D32895
SHA1:	78868EA9BD5CA1E5B591303C964C74CAC18F76EC
SHA-256:	9D4DD3EFB6149DA52E080EC9E91F1E64C5D0656F488FA78DCD6CE638EE75BA0B
SHA-512:	6BFD8ECCB1C7CE62B06F54728781ECC100389E129A98D831F3FE20DD79BD65CDDE2D91764993624161F906936672A0839790FEBAF86019B8A10BDC26D83D2DF1
Malicious:	false
Preview:	PK...........U....B:....j.....Cancellation#J58.isoya...B.do......;...\.....lk.).w..]..%....a...?.........j..)f...t..\|...-....p..[..47...:..l....8./.ZI.L.Q8...v..E....h...6s.G..P. ../........D.W8..@.g....-...M..}..hU..@.2.+y...D(..m..,.....M.\..k....l..l......Z..4....1a......s.....IA%....<.v.....BU..na.....Z~../H>.P....Z.g..)..b.,1.:..D?..M.x.F.~..Z..w%r'.e..zq6.2...9.v.r.@.a.7........h.FP....[,.S.7N.jO.ZI.(U(...).Qt.#...t ..nE..q...Yo.<..q....q.@...(...7..7!..z.D7...k....d.m...W.N}.V..v.0Ds..L.!.`U....}."........\.g..'..V.#.m...k..Y6+&..i..8..6..H.y@.....::.G..4.t....{....h..;dS.i.....j6.g...{Bl...b`...!#.Ol@.{...v_z.[.e.!....TW.A.[...P`.....+.g.k....:...xh...1'...\|.....~:.`...._.N\|.6.".X^NY.#.aU..{p.../zZ".9.o.\GI....X..d.b.K.@;..P..F/j{.}N?.x...\!..\|...>.T!.ctp.2@-...aU..5S..n.i..........}...xQ....%.x....i...1...~...!....>.GU.p....X.....w..%..../*......Z.;.wI...Ii.3...?Tddl'.D..uf.Io..@....7x...R.....).....U!...n..1.x#I7.M....]......N.&..

File type:	PDF document, version 1.3, 1 pages
Entropy (8bit):	7.795798037764297
TrID:	Adobe Portable Document Format (5005/1) 100.00%
File name:	Cancellation_418406_Dec23.pdf
File size:	186639
MD5:	c085bbddc02251986f1fd8b84c5a404e
SHA1:	98d3377ff32441e24baa96f1d0fd83190e274c22
SHA256:	ca2d98108f12fb407cb0e1778febc9ff453ebbd8888e3b184cb8b9993775b5d8
SHA512:	02fef8a38f843cec18a6ca0e80cbb1ee23659534bab963d7ef0e8b522c2de1787666bfa4970c4d34d701ec4f652ba8bc583adca517fe5679e9d985bd2a3da59c
SSDEEP:	3072:fQcfk8aPgtSyiVLFkckuQMPhB20K8HR9hYDdfddlRCFwfkFPWN50kNSFHFUmV8N1:W8nwhFkZuvPDiYqdfddlVjbr03UmVruv
TLSH:	3504E0CCB13B76BFE8B77BB3A562835D374F6525732E6687088992A4C301F42D4510AE
File Content Preview:	%PDF-1.3.3 0 obj.<</Type /Page./Parent 1 0 R./Resources 2 0 R./Annots [5 0 R ]./Contents 4 0 R>>.endobj.4 0 obj.<</Filter /FlateDecode /Length 59>>.stream.x.3R..2.35W(.*T.01.32U0.BSKS=S C..@A.@..H!9WA..P.%_!... 4...endstream.endobj.5 0 obj.<</Type /Annot

General
Header:	%PDF-1.3
Total Entropy:	7.795798
Total Bytes:	186639
Stream Entropy:	7.794817
Stream Bytes:	185459
Entropy outside Streams:	5.173523
Bytes outside Streams:	1180
Number of EOF found:	1
Bytes after EOF:

Name	Count
obj	8
endobj	8
stream	2
endstream	2
xref	1
trailer	1
startxref	1
/Page	1
/Encrypt	0
/ObjStm	0
/URI	2
/JS	0
/JavaScript	0
/AA	0
/OpenAction	0
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2023 09:03:31.990242004 CET	57840	53	192.168.2.3	8.8.8.8
Jan 5, 2023 09:03:32.011425972 CET	53	57840	8.8.8.8	192.168.2.3
Jan 5, 2023 09:03:45.622262001 CET	60625	53	192.168.2.3	8.8.8.8
Jan 5, 2023 09:03:45.626640081 CET	49302	53	192.168.2.3	8.8.8.8
Jan 5, 2023 09:03:45.626899958 CET	53975	53	192.168.2.3	8.8.8.8
Jan 5, 2023 09:03:45.643832922 CET	53	60625	8.8.8.8	192.168.2.3
Jan 5, 2023 09:03:45.645402908 CET	53	53975	8.8.8.8	192.168.2.3
Jan 5, 2023 09:03:45.652929068 CET	53	49302	8.8.8.8	192.168.2.3
Jan 5, 2023 09:03:48.831399918 CET	60582	53	192.168.2.3	8.8.8.8
Jan 5, 2023 09:03:48.851125956 CET	53	60582	8.8.8.8	192.168.2.3

Timestamp	kBytes transferred	Direction	Data
Jan 5, 2023 09:03:45.823719978 CET	114	OUT	GET /blog/Cancellation_367461_Dec23.zip HTTP/1.1 Host: agapeministriesinternational.church Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Jan 5, 2023 09:03:48.063569069 CET	453	IN	HTTP/1.1 200 OK Date: Thu, 05 Jan 2023 08:03:45 GMT Server: Apache X-Powered-By: PHP/8.1.13 Connection: keep-alive, Keep-Alive Accept-Ranges: bytes Expires: 0 Cache-Control: no-cache, no-store, must-revalidate Content-Disposition: attachment; filename="Cancellation_367461_Dec23.zip" Upgrade: h2,h2c Connection: Upgrade Content-Length: 801520 Vary: Accept-Encoding Keep-Alive: timeout=5 Content-Type: application/zip Data Raw: 50 4b 03 04 14 00 01 00 08 00 02 9c 97 55 e0 d4 f8 ae 42 3a 0c 00 00 d0 6a 06 14 00 00 00 43 61 6e 63 65 6c 6c 61 74 69 6f 6e 23 4a 35 38 2e 69 73 6f 79 61 b4 0c 99 42 96 64 6f 83 91 a6 87 9a e5 3b a7 9b fa 5c ce db 83 0b 04 d9 b6 6c 6b c0 29 f7 77 06 99 5d 89 d8 25 f7 83 d0 e7 99 b5 61 ec 80 11 0d 3f ab ff b3 1e 8a da 89 07 00 17 6a ec e6 29 66 86 ed bf 05 74 c7 c4 7c 06 90 e2 b0 2d 93 97 cf c9 70 ab d3 95 5b b2 ed 34 37 cb cb 9b c8 3a fb be 6c 97 18 a2 80 38 1b 2f 9a 5a 49 9d 4c 08 51 38 eb d6 d9 76 b8 dd 45 e0 a7 da c5 f3 68 1d 93 e1 36 73 17 47 c3 84 d1 50 b0 20 e0 0f 2f 1c ba ad 94 8c d5 01 a0 44 c8 57 38 0e b7 40 e6 67 9d e3 e4 b7 ef 2d a6 da d8 4d ff be 7d a9 a8 68 55 a3 aa 40 fb 32 c8 a1 2b 79 c1 e4 f5 44 28 a9 e8 6d 90 d7 2c f8 a6 a7 d3 f7 4d cd 5c 12 87 6b 1c a6 df da 6c f4 db 85 6c 02 12 db 8a f5 b8 f3 5a 1e 09 34 9b f1 09 d4 31 61 ec dd 98 ce d0 fe 90 73 1d 8f ff 0f 0a 49 41 25 be 0a 11 13 3c 09 76 9f c6 c9 0c b8 42 55 a2 ef 6e 61 a6 e8 c0 f4 02 5a 7e fd c2 2f 48 3e 80 50 95 ce 2e f5 5a 93 67 db cd b2 29 e5 bb 9d 0e 62 e2 2c 31 ec 3a 10 92 44 3f 90 c3 4d 8d 78 1d 46 c1 7e f6 97 5a 08 bd 77 25 72 27 e9 80 65 ae d6 7a 71 36 ea b4 32 04 2e c4 39 00 76 fb 72 d4 40 ac 61 a6 37 85 ca f3 1f 0b a9 1c 0b 68 b6 46 50 87 c1 02 a6 5b 2c 19 53 aa 37 4e c9 91 6a 4f fa 5a 49 aa 28 55 28 fd 13 fb 29 bf 51 74 1d 23 18 cd 17 74 20 81 cf a2 6e 45 2e e2 71 c9 01 18 59 6f e6 8c 3c 09 1d 71 f9 92 87 c1 71 d9 40 fd e3 16 28 8a 86 ff 37 d4 e6 37 21 18 c0 7a 7f 44 37 e6 8d 17 12 6b 93 fb a5 8d 64 de 6d a5 1b fd 57 d9 4e 7d e0 56 b6 c1 76 c0 30 44 73 e9 a2 7f 4c 05 21 0a 60 55 17 f4 b7 da 7d ef 80 22 eb f8 df f2 e7 c0 f3 e9 96 5c 9a 67 ea 0a 27 b1 9a 56 9e 23 db 96 6d 10 a6 9b 6b e5 a2 e2 59 36 2b 26 9e 1b 69 9c d3 38 14 c6 36 f0 da 48 f3 79 40 c9 e2 7f dd 9d bf 3a 3a 05 47 80 07 34 e3 74 1e e4 0f 97 7b ae 19 c5 d9 68 9b df 3b 64 53 bf 69 af 0c bf 9c 9c 6a 36 18 67 ab 81 08 7b 42 6c 0d cd e1 62 60 11 a4 a7 21 23 a0 4f 6c 40 f5 7b 11 1d f0 76 5f 7a 8a 5b 2e 65 7f 21 1e 86 b6 19 54 57 b5 41 94 5b 90 8f 16 50 60 ae 7f a4 92 dc 2b a4 67 ad 6b 9b f2 05 9a 3a 94 ae 2a 89 78 68 9f 8f 8b 31 27 07 e4 b4 13 7c 80 cb e7 c5 e5 bc 7e 3a d7 60 11 c2 bb 12 ee 5f ae 4e 7c c3 36 be 22 ef 58 5e 4e 59 bc 23 d8 61 55 c7 14 7b 70 a5 9a 09 2f 7a 5a 22 0a 39 e9 6f 02 5c 47 49 f9 11 04 ee 58 0a 0c 64 04 62 b0 2a 4b fe 40 3b e6 05 50 d4 d2 46 2f 6a 7b c3 7d 4e 3f c6 78 fd 9d e9 5c 21 0e bb 7c 04 d4 81 ae 3e 1b 54 21 f5 63 74 70 ea 32 40 2d cb f0 cc 61 55 09 d1 aa 35 53 1a a1 6e 94 69 e8 c9 0f e8 15 17 07 f8 16 aa 7d 01 ad bb 78 51 d2 f8 0d 0d 25 d2 Data Ascii: PKUB:jCancellation#J58.isoyaBdo;\lk)w]%a?j)ft\|-p[47:l8/ZILQ8vEh6sGP /DW8@g-M}hU@2+yD(m,M\kllZ41asIA%<vBUnaZ~/H>P.Zg)b,1:D?MxF~Zw%r'ezq62.9vr@a7hFP[,S7NjOZI(U()Qt#t nE.qYo<qq@(77!zD7kdmWN}Vv0DsL!`U}"\g'V#mkY6+&i86Hy@::G4t{h;dSij6g{Blb`!#Ol@{v_z[.e!TWA[P`+gk:xh1'\|~:`_N\|6"X^NY#aU{p/zZ"9o\GIXdbK@;PF/j{}N?x\!\|>T!ctp2@-aU5Sni}xQ%
Jan 5, 2023 09:03:48.063642025 CET	454	IN	Data Raw: 81 78 f7 ff 0b 0e 69 e2 8e f0 2e 31 09 15 eb 7e b9 86 d4 21 e2 18 b1 95 3e cd 47 55 90 70 c3 fb d4 03 58 bd ae 0f b9 0d 77 00 88 25 da 03 9c e2 2f 2a 94 f5 17 84 b0 e4 5a 80 3b d1 77 49 f7 8e 99 49 69 ac 33 c5 e5 c0 3f 54 64 64 6c 27 e8 44 e3 98 Data Ascii: xi.1~!>GUpXw%/*Z;wIIi3?Tddl'DufIo@7xR.)U!n1x#I7M]N&e}cu2f^)@60\!&Rw~U\D@<rN`9uR}lPy
Jan 5, 2023 09:03:48.063687086 CET	456	IN	Data Raw: 78 63 5d 55 e4 ed e8 ea 7d e4 d1 2b 1a 95 52 2d 15 fd 62 0b 4a 5b be 3b 85 94 a6 e9 76 16 58 da ed 23 f1 70 dc 96 5a fc f2 01 7f 86 26 ae 18 41 cb 6f 61 1e 8b b8 22 d3 f0 ef 5c 89 05 79 c5 e9 20 d9 ad 17 17 8c 72 e8 92 c4 b9 f9 c1 c2 c3 21 1a 4a Data Ascii: xc]U}+R-bJ[;vX#pZ&Aoa"\y r!J.W\|'RXR9\U6;Bh\(k!,VP_54;q"]d+nJ""Ou>\|U/~k47^#Vn?,TeWb>54> lu*;^.n(U
Jan 5, 2023 09:03:48.063714027 CET	457	IN	Data Raw: 2c 85 c7 67 55 89 71 d7 11 f6 c4 d7 04 ea 28 d6 1f d0 1c 1d 47 26 2c 9c 44 b3 b9 16 af be e5 8a da 17 1a 89 cc 18 e4 e4 76 e4 39 e7 7d 86 b0 89 dc e6 15 e1 a6 ab 0e 32 96 37 50 b1 29 6e ed 74 c6 49 8a 73 7e 56 67 98 2d 42 4f a4 b0 1d e9 78 80 16 Data Ascii: ,gUq(G&,Dv9}27P)ntIs~Vg-BOxk6s!)=\|jhMsFs\O[;_C%!\c\A\|oKJ{q?haLEm@#UX&~{aXYzPyK2Xm:\|
Jan 5, 2023 09:03:48.063755989 CET	458	IN	Data Raw: a8 3a 85 fd 50 e7 80 dc 2c 40 83 3f c8 0d 76 b5 68 90 4b e4 53 13 83 9d 7a 28 03 ad 11 de c8 53 6d e0 11 46 52 df a6 4d 87 ee d7 12 3e ee 0b 9f f9 44 c9 a7 5b 77 7d 5a f9 1e 87 c5 f7 2d b2 3a f2 f3 cb b2 a6 76 a3 15 24 cb 9f 3a 6b 98 76 e1 a8 d8 Data Ascii: :P,@?vhKSz(SmFRM>D[w}Z-:v$:kvv%0xc$+T8J!v#Fa>V(;Gi/jZ91IX73zAk\;BJS>DQn Va\huPi@ -?_0)ns/kcZu
Jan 5, 2023 09:03:48.063781023 CET	460	IN	Data Raw: 0d c1 68 79 20 ca 55 af 7e e6 84 9f 93 e3 cd e7 ef 3b dc 37 5e fb 3f f8 b8 5b b8 e9 2f 85 29 88 ae 99 21 3b 5d 6f a9 9a 2a bc e2 60 f9 45 5b 39 ce 06 86 b2 52 aa 52 d5 b5 26 c5 02 3b 28 aa e4 36 ca 0b 01 8b 85 eb 45 4e 33 c1 d7 1e 0a 51 25 6c c3 Data Ascii: hy U~;7^?[/)!;]o`E[9RR&;(6EN3Q%lV?y.'AX6Y#kbErE[+NcL}~OTZ#3Ms6vD%/C6@+bco8!3 < iZV1!G: \|j',5l0WDZ
Jan 5, 2023 09:03:48.063807964 CET	461	IN	Data Raw: c2 10 0d 01 c6 d8 b7 f6 f8 50 67 a0 5f 11 0f ce 02 34 24 72 b7 45 28 cf 78 60 12 9b 10 10 2f 1e ac fc e5 ab cd c0 aa 46 d0 e3 8b ee 64 86 ff 6e c7 41 11 53 f5 56 54 4e 0d 33 69 26 97 c3 5e 07 2b b3 cb bd bf a7 80 43 15 a6 63 79 95 ac dc 94 d7 9e Data Ascii: Pg_4$rE(x`/FdnASVTN3i&^+Ccy:tJ'gu6O56VpZz@mITuNZ<\|pX@MeGyA]Tj^,W\|my-b[$d0%Sl);VIC:g
Jan 5, 2023 09:03:48.063849926 CET	462	IN	Data Raw: b8 1e 30 da 3b 68 ee 22 70 cb e4 67 2d f7 1a ba d3 f4 a5 ce 16 24 69 53 7f 1a a5 24 9d d4 0e d9 26 4d c3 e9 64 d1 c4 ba b2 ff 3d 77 50 be 08 47 82 39 7d 31 41 23 17 92 ae 61 ac 8d 87 dd a1 5b 04 52 b0 da 34 0a f9 67 a6 59 e8 11 55 cd 0c 4d f0 41 Data Ascii: 0;h"pg-$iS$&Md=wPG9}1A#a[R4gYUMA}pWRNCAS`e8C\|q:p>bc'p!LhM~WF>fKl'Nu E\| v\|G!Am./-x4*2R%=\|EGhf^m
Jan 5, 2023 09:03:48.063875914 CET	464	IN	Data Raw: db 28 89 b2 e8 a8 ed b2 ce 36 ba 62 b4 ba ba d4 0f a6 fb 7a b1 51 01 b6 da 10 25 52 65 63 7d 95 10 5c 5c a9 d1 9f 84 03 09 a6 b1 37 0f be c9 9e 2a 74 76 ea 4a 21 b9 9d d9 1e ba 01 fd 34 e5 4c 61 d5 73 40 9a 18 16 2e 53 53 23 4b e4 f4 cc b3 f2 5a Data Ascii: (6bzQ%Rec}\\7*tvJ!4Las@.SS#KZ]H=P!)#APd,N:S"f?d-N4UKYqKW}@iXpufd?aoPpV6l{Zq'SR.[y"F{N4,DJjxz
Jan 5, 2023 09:03:48.063901901 CET	465	IN	Data Raw: 0f ac 9d 71 ff 80 ab ee 1d 40 4b 56 f2 33 ab 0e 35 2c d8 7e 3f 7f f4 e4 0c 23 4f b7 82 7b 94 fe 77 88 1f af d7 3b 6d 84 16 56 5a 1c 94 2c 00 d9 be 1d c5 04 91 5a e6 db ad 16 7c b5 61 84 17 4f a1 7b dc c4 65 92 d1 f0 f0 3b b7 5a 22 09 2a b3 1e 4e Data Ascii: q@KV35,~?#O{w;mVZ,Z\|aO{e;Z"*N}/;-y/1\|z4/8!xN>]Sj9e%5{Shl!iyGsJqA>UprZ1Ur>9COU-&2dkX`,e9sD@
Jan 5, 2023 09:03:48.221364021 CET	466	IN	Data Raw: 4f 5f 02 1d b7 e5 f9 6a be ab c5 4a 36 c7 c0 e8 36 96 37 b1 07 9c c1 3f 9b 2f 63 eb 46 f6 85 58 f9 f1 ae bc ca c3 3e e6 e3 46 05 72 e4 09 37 54 8a 60 42 dc 69 c0 94 c5 aa 6c 38 8f a4 eb cc d1 44 5b 9a 9f c5 94 9f 09 1e dc 69 d7 96 ba 20 8c ff 61 Data Ascii: O_jJ667?/cFX>Fr7T`Bil8D[i a}zUuVVM5l.i1QZpd+4?ouk9<E g^Ht1-?m#O]Yvs;<N+".KB'6^7w!XH2N d

Timestamp	kBytes transferred	Direction	Data
2023-01-05 08:03:46 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: CONSENT=PENDING+904; AEC=AakniGO7HqlHWlnoY-P22_SwwnNSfVGxlF1NgK5nuj5WLe313NyJi16g7z4; SOCS=CAISHAgCEhJnd3NfMjAyMjA4MDgtMF9SQzEaAmVuIAEaBgiAvOuXBg; NID=511=nUT82hOv6CVwMNqDg-sTtCMJJ6SQ1v_cCpfCpf5nt8EolEbal01GWFyjG01tqWQgh9ciRU880J6nLd2gdbhAJs44PsHAZaVQAFIbrqe2FmFgjrAAK7W9Z8u5LDvwsuZRng98jP6E23SJ4fsPIs326YmnuCwa92dRRCcB6MNeI_o
2023-01-05 08:03:46 UTC	0	OUT	Data Raw: 20 Data Ascii:
2023-01-05 08:03:46 UTC	3	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 05 Jan 2023 08:03:46 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: script-src 'report-sample' 'nonce-mU63rdbSr_6YpDL-1XBu0A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Report-To: {"group":"IdentityListAccountsHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external"}]} Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-platform=, ch-ua-platform-version= Cross-Origin-Opener-Policy: same-origin; report-to="IdentityListAccountsHttp" Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-01-05 08:03:46 UTC	4	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2023-01-05 08:03:46 UTC	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-01-05 08:03:46 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-104.0.5112.81 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2023-01-05 08:03:46 UTC	1	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-Ne3Asu8cBNMm0vyF5cWgzA' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 05 Jan 2023 08:03:46 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 5848 X-Daystart: 226 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2023-01-05 08:03:46 UTC	2	IN	Data Raw: 32 63 37 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 38 34 38 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 32 32 36 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 20 73 Data Ascii: 2c7<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5848" elapsed_seconds="226"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname="" s
2023-01-05 08:03:46 UTC	2	IN	Data Raw: 6e 4d 76 4e 7a 49 30 51 55 46 58 4e 56 39 7a 54 32 52 76 64 55 77 79 4d 45 52 45 53 45 5a 47 56 6d 4a 6e 51 51 2f 31 2e 30 2e 30 2e 36 5f 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 2e 63 72 78 22 20 66 70 3d 22 31 2e 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 Data Ascii: nMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx" fp="1.81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="
2023-01-05 08:03:46 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:02:15
Start date:	05/01/2023
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\Cancellation_418406_Dec23.pdf
Imagebase:	0xc40000
File size:	2571312 bytes
MD5 hash:	B969CF0C7B2C443A99034881E8C8740A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	11
Start time:	09:03:42
Start date:	05/01/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://agapeministriesinternational.church/blog/Cancellation_367461_Dec23.zip
Imagebase:	0x7ff614650000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	14
Start time:	09:03:43
Start date:	05/01/2023
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1812,i,544507481073856773,15156316211615148029,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff614650000
File size:	2851656 bytes
MD5 hash:	0FEC2748F363150DC54C1CAFFB1A9408
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	15
Start time:	09:03:50
Start date:	05/01/2023
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip
Imagebase:	0x640000
File size:	12800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Target ID:	16
Start time:	09:03:51
Start date:	05/01/2023
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fgt4alc0.uhe" "C:\Users\user\Downloads\Cancellation_367461_Dec23.zip
Imagebase:	0x1220000
File size:	289792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Execution Coverage:	22.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.5%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Tactics:	Initial Access
Data Sources:	DNS records, Detonation chamber, Email gateway, Mail server, Packet capture, SSL/TLS inspection, Web proxy
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Cancellation_418406_Dec23.pdf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Qbot Downloader

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0ace9ee3d914a5c0_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\39c14c1f4b086971_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\3a4ae3940784292a_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6267ed4d4a13f54b_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6fb6d030c4ebbc21_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\71febec55d5c75cd_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0

Windows Analysis Report
Cancellation_418406_Dec23.pdf

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre