Windows Analysis Report
shelbycountytn.gov.pdf

Overview

General Information

Sample name: shelbycountytn.gov.pdf
Analysis ID: 1529401
MD5: 0779d291915cc0af4f23301d02710919
SHA1: 6f567018caaa0d520ce9963141f5d2ca68b3aab9
SHA256: d290fd552d9ad015aca30c12934dde1475a7ec9f5cb2f17f84f3a2ae5e3a1339

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected landing page (webpage, office document or email)
Phishing site detected (based on shot match)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
HTML page contains hidden javascript code
IP address seen in connection with other malware
PE file contains more sections than normal
PE file contains sections with non-standard names

Classification

Phishing

Source: https://pjd.ctorombet.com/enRUG/ Matcher: Template: captcha matched
Source: https://pjd.ctorombet.com/enRUG/ HTTP Parser: Base64 decoded: {"version":3,"sources":["/cfsetup_build/src/orchestrator/turnstile/templates/turnstile.scss","%3Cinput%20css%20SREF6k%3E"],"names":[],"mappings":"AAmCA,gBACI,GACI,uBClCN,CACF,CDqCA,kBACI,GACI,mBCnCN,CACF,CDsCA,iBACI,MAEI,cCrCN,CDwCE,IACI,mBCtCN,CACF,CDyCA...
Source: https://pjd.ctorombet.com/enRUG/ HTTP Parser: No favicon
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1887124166\LICENSE.txt
Source: Binary string: Google.Widevine.CDM.dll.pdb source: Google.Widevine.CDM.dll.9.dr
Source: Binary string: C:\b\s\w\ir\x\w\rc\cdm\protected\out\Release\widevinecdm.dll.pdb source: widevinecdm.dll.9.dr
Source: Joe Sandbox View IP Address: 104.18.94.41
Source: Joe Sandbox View IP Address: 151.101.194.137
Source: Joe Sandbox View IP Address: 104.17.24.14
Source: Google.Widevine.CDM.dll.9.dr, widevinecdm.dll.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Google.Widevine.CDM.dll.9.dr, widevinecdm.dll.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Google.Widevine.CDM.dll.9.dr, widevinecdm.dll.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Google.Widevine.CDM.dll.9.dr, widevinecdm.dll.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Google.Widevine.CDM.dll.9.dr, widevinecdm.dll.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Google.Widevine.CDM.dll.9.dr, widevinecdm.dll.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Google.Widevine.CDM.dll.9.dr, widevinecdm.dll.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Google.Widevine.CDM.dll.9.dr, widevinecdm.dll.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Google.Widevine.CDM.dll.9.dr, widevinecdm.dll.9.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.1.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Google.Widevine.CDM.dll.9.dr, widevinecdm.dll.9.dr String found in binary or memory: http://ocsp.digicert.com0
Source: Google.Widevine.CDM.dll.9.dr, widevinecdm.dll.9.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: Google.Widevine.CDM.dll.9.dr, widevinecdm.dll.9.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Google.Widevine.CDM.dll.9.dr, widevinecdm.dll.9.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Google.Widevine.CDM.dll.9.dr, widevinecdm.dll.9.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: 2D85F72862B55C4EADD9E66E06947F3D0.1.dr String found in binary or memory: http://x1.i.lencr.org/
Source: sets.json.9.dr String found in binary or memory: https://07c225f3.online
Source: sets.json.9.dr String found in binary or memory: https://24.hu
Source: shelbycountytn.gov.pdf String found in binary or memory: https://PJD.ctorombet.com/enRUG/)
Source: sets.json.9.dr String found in binary or memory: https://aajtak.in
Source: sets.json.9.dr String found in binary or memory: https://abczdrowie.pl
Source: sets.json.9.dr String found in binary or memory: https://alice.tw
Source: sets.json.9.dr String found in binary or memory: https://ambitionbox.com
Source: sets.json.9.dr String found in binary or memory: https://autobild.de
Source: sets.json.9.dr String found in binary or memory: https://baomoi.com
Source: sets.json.9.dr String found in binary or memory: https://bild.de
Source: sets.json.9.dr String found in binary or memory: https://blackrock.com
Source: sets.json.9.dr String found in binary or memory: https://blackrockadvisorelite.it
Source: sets.json.9.dr String found in binary or memory: https://bluradio.com
Source: sets.json.9.dr String found in binary or memory: https://bolasport.com
Source: sets.json.9.dr String found in binary or memory: https://bonvivir.com
Source: sets.json.9.dr String found in binary or memory: https://bumbox.com
Source: sets.json.9.dr String found in binary or memory: https://businessinsider.com.pl
Source: sets.json.9.dr String found in binary or memory: https://businesstoday.in
Source: sets.json.9.dr String found in binary or memory: https://cachematrix.com
Source: sets.json.9.dr String found in binary or memory: https://cafemedia.com
Source: sets.json.9.dr String found in binary or memory: https://caracoltv.com
Source: sets.json.9.dr String found in binary or memory: https://carcostadvisor.be
Source: sets.json.9.dr String found in binary or memory: https://carcostadvisor.com
Source: sets.json.9.dr String found in binary or memory: https://carcostadvisor.fr
Source: sets.json.9.dr String found in binary or memory: https://cardsayings.net
Source: sets.json.9.dr String found in binary or memory: https://chatbot.com
Source: sets.json.9.dr String found in binary or memory: https://chennien.com
Source: sets.json.9.dr String found in binary or memory: https://citybibleforum.org
Source: sets.json.9.dr String found in binary or memory: https://clarosports.com
Source: manifest.json2.9.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: sets.json.9.dr String found in binary or memory: https://clmbtech.com
Source: sets.json.9.dr String found in binary or memory: https://closeronline.co.uk
Source: sets.json.9.dr String found in binary or memory: https://clubelpais.com.uy
Source: sets.json.9.dr String found in binary or memory: https://cmxd.com.mx
Source: sets.json.9.dr String found in binary or memory: https://cognitive-ai.ru
Source: sets.json.9.dr String found in binary or memory: https://cognitiveai.ru
Source: sets.json.9.dr String found in binary or memory: https://commentcamarche.com
Source: sets.json.9.dr String found in binary or memory: https://commentcamarche.net
Source: sets.json.9.dr String found in binary or memory: https://computerbild.de
Source: sets.json.9.dr String found in binary or memory: https://content-loader.com
Source: sets.json.9.dr String found in binary or memory: https://cookreactor.com
Source: LICENSE.txt.9.dr String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.9.dr String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: sets.json.9.dr String found in binary or memory: https://cricbuzz.com
Source: sets.json.9.dr String found in binary or memory: https://css-load.com
Source: sets.json.9.dr String found in binary or memory: https://deccoria.pl
Source: sets.json.9.dr String found in binary or memory: https://deere.com
Source: sets.json.9.dr String found in binary or memory: https://desimartini.com
Source: sets.json.9.dr String found in binary or memory: https://dewarmsteweek.be
Source: sets.json.9.dr String found in binary or memory: https://drimer.io
Source: sets.json.9.dr String found in binary or memory: https://drimer.travel
Source: LICENSE.txt.9.dr String found in binary or memory: https://easylist.to/)
Source: sets.json.9.dr String found in binary or memory: https://economictimes.com
Source: sets.json.9.dr String found in binary or memory: https://een.be
Source: sets.json.9.dr String found in binary or memory: https://efront.com
Source: sets.json.9.dr String found in binary or memory: https://eleconomista.net
Source: sets.json.9.dr String found in binary or memory: https://elfinancierocr.com
Source: sets.json.9.dr String found in binary or memory: https://elgrafico.com
Source: sets.json.9.dr String found in binary or memory: https://ella.sv
Source: sets.json.9.dr String found in binary or memory: https://elpais.com.uy
Source: sets.json.9.dr String found in binary or memory: https://elpais.uy
Source: sets.json.9.dr String found in binary or memory: https://etfacademy.it
Source: sets.json.9.dr String found in binary or memory: https://eworkbookcloud.com
Source: sets.json.9.dr String found in binary or memory: https://eworkbookrequest.com
Source: sets.json.9.dr String found in binary or memory: https://fakt.pl
Source: sets.json.9.dr String found in binary or memory: https://finn.no
Source: sets.json.9.dr String found in binary or memory: https://firstlook.biz
Source: sets.json.9.dr String found in binary or memory: https://gallito.com.uy
Source: sets.json.9.dr String found in binary or memory: https://geforcenow.com
Source: sets.json.9.dr String found in binary or memory: https://gettalkdesk.com
Source: LICENSE.txt.9.dr String found in binary or memory: https://github.com/easylist)
Source: sets.json.9.dr String found in binary or memory: https://gliadomain.com
Source: sets.json.9.dr String found in binary or memory: https://gnttv.com
Source: sets.json.9.dr String found in binary or memory: https://graziadaily.co.uk
Source: sets.json.9.dr String found in binary or memory: https://grid.id
Source: sets.json.9.dr String found in binary or memory: https://gridgames.app
Source: sets.json.9.dr String found in binary or memory: https://growthrx.in
Source: sets.json.9.dr String found in binary or memory: https://grupolpg.sv
Source: sets.json.9.dr String found in binary or memory: https://gujaratijagran.com
Source: sets.json.9.dr String found in binary or memory: https://hapara.com
Source: sets.json.9.dr String found in binary or memory: https://hazipatika.com
Source: sets.json.9.dr String found in binary or memory: https://hc1.com
Source: sets.json.9.dr String found in binary or memory: https://hc1.global
Source: sets.json.9.dr String found in binary or memory: https://hc1cas.com
Source: sets.json.9.dr String found in binary or memory: https://hc1cas.global
Source: sets.json.9.dr String found in binary or memory: https://healthshots.com
Source: sets.json.9.dr String found in binary or memory: https://hearty.app
Source: sets.json.9.dr String found in binary or memory: https://hearty.gift
Source: sets.json.9.dr String found in binary or memory: https://hearty.me
Source: sets.json.9.dr String found in binary or memory: https://heartymail.com
Source: sets.json.9.dr String found in binary or memory: https://heatworld.com
Source: sets.json.9.dr String found in binary or memory: https://helpdesk.com
Source: sets.json.9.dr String found in binary or memory: https://hindustantimes.com
Source: sets.json.9.dr String found in binary or memory: https://hj.rs
Source: sets.json.9.dr String found in binary or memory: https://hjck.com
Source: sets.json.9.dr String found in binary or memory: https://html-load.cc
Source: sets.json.9.dr String found in binary or memory: https://html-load.com
Source: sets.json.9.dr String found in binary or memory: https://human-talk.org
Source: sets.json.9.dr String found in binary or memory: https://idbs-cloud.com
Source: sets.json.9.dr String found in binary or memory: https://idbs-dev.com
Source: sets.json.9.dr String found in binary or memory: https://idbs-eworkbook.com
Source: sets.json.9.dr String found in binary or memory: https://idbs-staging.com
Source: sets.json.9.dr String found in binary or memory: https://img-load.com
Source: sets.json.9.dr String found in binary or memory: https://indiatimes.com
Source: sets.json.9.dr String found in binary or memory: https://indiatoday.in
Source: sets.json.9.dr String found in binary or memory: https://indiatodayne.in
Source: sets.json.9.dr String found in binary or memory: https://infoedgeindia.com
Source: sets.json.9.dr String found in binary or memory: https://interia.pl
Source: sets.json.9.dr String found in binary or memory: https://intoday.in
Source: sets.json.9.dr String found in binary or memory: https://iolam.it
Source: sets.json.9.dr String found in binary or memory: https://ishares.com
Source: sets.json.9.dr String found in binary or memory: https://jagran.com
Source: sets.json.9.dr String found in binary or memory: https://johndeere.com
Source: sets.json.9.dr String found in binary or memory: https://journaldesfemmes.com
Source: sets.json.9.dr String found in binary or memory: https://journaldesfemmes.fr
Source: sets.json.9.dr String found in binary or memory: https://journaldunet.com
Source: sets.json.9.dr String found in binary or memory: https://journaldunet.fr
Source: sets.json.9.dr String found in binary or memory: https://joyreactor.cc
Source: sets.json.9.dr String found in binary or memory: https://joyreactor.com
Source: sets.json.9.dr String found in binary or memory: https://kaksya.in
Source: sets.json.9.dr String found in binary or memory: https://knowledgebase.com
Source: sets.json.9.dr String found in binary or memory: https://kompas.com
Source: sets.json.9.dr String found in binary or memory: https://kompas.tv
Source: sets.json.9.dr String found in binary or memory: https://kompasiana.com
Source: sets.json.9.dr String found in binary or memory: https://lanacion.com.ar
Source: sets.json.9.dr String found in binary or memory: https://landyrev.com
Source: sets.json.9.dr String found in binary or memory: https://landyrev.ru
Source: sets.json.9.dr String found in binary or memory: https://laprensagrafica.com
Source: sets.json.9.dr String found in binary or memory: https://lateja.cr
Source: sets.json.9.dr String found in binary or memory: https://libero.it
Source: sets.json.9.dr String found in binary or memory: https://linternaute.com
Source: sets.json.9.dr String found in binary or memory: https://linternaute.fr
Source: sets.json.9.dr String found in binary or memory: https://livechat.com
Source: sets.json.9.dr String found in binary or memory: https://livechatinc.com
Source: sets.json.9.dr String found in binary or memory: https://livehindustan.com
Source: sets.json.9.dr String found in binary or memory: https://livemint.com
Source: sets.json.9.dr String found in binary or memory: https://max.auto
Source: sets.json.9.dr String found in binary or memory: https://medonet.pl
Source: sets.json.9.dr String found in binary or memory: https://meo.pt
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.cl
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.co.cr
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.ar
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.bo
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.co
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.do
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.ec
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.gt
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.hn
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.mx
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.ni
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.pa
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.pe
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.py
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.sv
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.uy
Source: sets.json.9.dr String found in binary or memory: https://mercadolibre.com.ve
Source: sets.json.9.dr String found in binary or memory: https://mercadolivre.com
Source: sets.json.9.dr String found in binary or memory: https://mercadolivre.com.br
Source: sets.json.9.dr String found in binary or memory: https://mercadopago.cl
Source: sets.json.9.dr String found in binary or memory: https://mercadopago.com
Source: sets.json.9.dr String found in binary or memory: https://mercadopago.com.ar
Source: sets.json.9.dr String found in binary or memory: https://mercadopago.com.br
Source: sets.json.9.dr String found in binary or memory: https://mercadopago.com.co
Source: sets.json.9.dr String found in binary or memory: https://mercadopago.com.ec
Source: sets.json.9.dr String found in binary or memory: https://mercadopago.com.mx
Source: sets.json.9.dr String found in binary or memory: https://mercadopago.com.pe
Source: sets.json.9.dr String found in binary or memory: https://mercadopago.com.uy
Source: sets.json.9.dr String found in binary or memory: https://mercadopago.com.ve
Source: sets.json.9.dr String found in binary or memory: https://mercadoshops.cl
Source: sets.json.9.dr String found in binary or memory: https://mercadoshops.com
Source: sets.json.9.dr String found in binary or memory: https://mercadoshops.com.ar
Source: sets.json.9.dr String found in binary or memory: https://mercadoshops.com.br
Source: sets.json.9.dr String found in binary or memory: https://mercadoshops.com.co
Source: sets.json.9.dr String found in binary or memory: https://mercadoshops.com.mx
Source: sets.json.9.dr String found in binary or memory: https://mighty-app.appspot.com
Source: sets.json.9.dr String found in binary or memory: https://mightytext.net
Source: sets.json.9.dr String found in binary or memory: https://mittanbud.no
Source: sets.json.9.dr String found in binary or memory: https://money.pl
Source: sets.json.9.dr String found in binary or memory: https://motherandbaby.com
Source: sets.json.9.dr String found in binary or memory: https://mystudentdashboard.com
Source: sets.json.9.dr String found in binary or memory: https://nacion.com
Source: sets.json.9.dr String found in binary or memory: https://naukri.com
Source: sets.json.9.dr String found in binary or memory: https://nidhiacademyonline.com
Source: sets.json.9.dr String found in binary or memory: https://nien.co
Source: sets.json.9.dr String found in binary or memory: https://nien.com
Source: sets.json.9.dr String found in binary or memory: https://nien.org
Source: sets.json.9.dr String found in binary or memory: https://nlc.hu
Source: sets.json.9.dr String found in binary or memory: https://nosalty.hu
Source: sets.json.9.dr String found in binary or memory: https://noticiascaracol.com
Source: sets.json.9.dr String found in binary or memory: https://nourishingpursuits.com
Source: sets.json.9.dr String found in binary or memory: https://nvidia.com
Source: sets.json.9.dr String found in binary or memory: https://o2.pl
Source: sets.json.9.dr String found in binary or memory: https://ocdn.eu
Source: sets.json.9.dr String found in binary or memory: https://onet.pl
Source: sets.json.9.dr String found in binary or memory: https://ottplay.com
Source: sets.json.9.dr String found in binary or memory: https://p106.net
Source: sets.json.9.dr String found in binary or memory: https://p24.hu
Source: sets.json.9.dr String found in binary or memory: https://paula.com.uy
Source: sets.json.9.dr String found in binary or memory: https://pdmp-apis.no
Source: sets.json.9.dr String found in binary or memory: https://phonandroid.com
Source: sets.json.9.dr String found in binary or memory: https://player.pl
Source: sets.json.9.dr String found in binary or memory: https://plejada.pl
Source: sets.json.9.dr String found in binary or memory: https://poalim.site
Source: sets.json.9.dr String found in binary or memory: https://poalim.xyz
Source: sets.json.9.dr String found in binary or memory: https://pomponik.pl
Source: sets.json.9.dr String found in binary or memory: https://portalinmobiliario.com
Source: sets.json.9.dr String found in binary or memory: https://prisjakt.no
Source: sets.json.9.dr String found in binary or memory: https://pudelek.pl
Source: sets.json.9.dr String found in binary or memory: https://punjabijagran.com
Source: sets.json.9.dr String found in binary or memory: https://radio1.be
Source: sets.json.9.dr String found in binary or memory: https://radio2.be
Source: sets.json.9.dr String found in binary or memory: https://reactor.cc
Source: sets.json.9.dr String found in binary or memory: https://repid.org
Source: sets.json.9.dr String found in binary or memory: https://reshim.org
Source: sets.json.9.dr String found in binary or memory: https://rws1nvtvt.com
Source: sets.json.9.dr String found in binary or memory: https://rws2nvtvt.com
Source: sets.json.9.dr String found in binary or memory: https://rws3nvtvt.com
Source: sets.json.9.dr String found in binary or memory: https://sackrace.ai
Source: sets.json.9.dr String found in binary or memory: https://salemoveadvisor.com
Source: sets.json.9.dr String found in binary or memory: https://salemovefinancial.com
Source: sets.json.9.dr String found in binary or memory: https://salemovetravel.com
Source: sets.json.9.dr String found in binary or memory: https://samayam.com
Source: sets.json.9.dr String found in binary or memory: https://sapo.io
Source: sets.json.9.dr String found in binary or memory: https://sapo.pt
Source: sets.json.9.dr String found in binary or memory: https://shock.co
Source: sets.json.9.dr String found in binary or memory: https://smaker.pl
Source: sets.json.9.dr String found in binary or memory: https://smoney.vn
Source: sets.json.9.dr String found in binary or memory: https://smpn106jkt.sch.id
Source: sets.json.9.dr String found in binary or memory: https://socket-to-me.vip
Source: sets.json.9.dr String found in binary or memory: https://songshare.com
Source: sets.json.9.dr String found in binary or memory: https://songstats.com
Source: sets.json.9.dr String found in binary or memory: https://sporza.be
Source: sets.json.9.dr String found in binary or memory: https://standardsandpraiserepurpose.com
Source: sets.json.9.dr String found in binary or memory: https://startlap.hu
Source: sets.json.9.dr String found in binary or memory: https://startupislandtaiwan.com
Source: sets.json.9.dr String found in binary or memory: https://startupislandtaiwan.net
Source: sets.json.9.dr String found in binary or memory: https://startupislandtaiwan.org
Source: sets.json.9.dr String found in binary or memory: https://stripe.com
Source: sets.json.9.dr String found in binary or memory: https://stripe.network
Source: sets.json.9.dr String found in binary or memory: https://stripecdn.com
Source: sets.json.9.dr String found in binary or memory: https://supereva.it
Source: sets.json.9.dr String found in binary or memory: https://takeabreak.co.uk
Source: sets.json.9.dr String found in binary or memory: https://talkdeskqaid.com
Source: sets.json.9.dr String found in binary or memory: https://talkdeskstgid.com
Source: sets.json.9.dr String found in binary or memory: https://teacherdashboard.com
Source: sets.json.9.dr String found in binary or memory: https://technology-revealed.com
Source: sets.json.9.dr String found in binary or memory: https://terazgotuje.pl
Source: sets.json.9.dr String found in binary or memory: https://text.com
Source: sets.json.9.dr String found in binary or memory: https://textyserver.appspot.com
Source: sets.json.9.dr String found in binary or memory: https://the42.ie
Source: sets.json.9.dr String found in binary or memory: https://thejournal.ie
Source: sets.json.9.dr String found in binary or memory: https://thirdspace.org.au
Source: sets.json.9.dr String found in binary or memory: https://timesinternet.in
Source: sets.json.9.dr String found in binary or memory: https://timesofindia.com
Source: sets.json.9.dr String found in binary or memory: https://tolteck.app
Source: sets.json.9.dr String found in binary or memory: https://tolteck.com
Source: sets.json.9.dr String found in binary or memory: https://top.pl
Source: sets.json.9.dr String found in binary or memory: https://tribunnews.com
Source: sets.json.9.dr String found in binary or memory: https://trytalkdesk.com
Source: sets.json.9.dr String found in binary or memory: https://tucarro.com
Source: sets.json.9.dr String found in binary or memory: https://tucarro.com.co
Source: sets.json.9.dr String found in binary or memory: https://tucarro.com.ve
Source: sets.json.9.dr String found in binary or memory: https://tvid.in
Source: sets.json.9.dr String found in binary or memory: https://tvn.pl
Source: sets.json.9.dr String found in binary or memory: https://tvn24.pl
Source: sets.json.9.dr String found in binary or memory: https://unotv.com
Source: sets.json.9.dr String found in binary or memory: https://victorymedium.com
Source: sets.json.9.dr String found in binary or memory: https://vrt.be
Source: sets.json.9.dr String found in binary or memory: https://vwo.com
Source: sets.json.9.dr String found in binary or memory: https://welt.de
Source: sets.json.9.dr String found in binary or memory: https://wieistmeineip.de
Source: sets.json.9.dr String found in binary or memory: https://wildix.com
Source: sets.json.9.dr String found in binary or memory: https://wildixin.com
Source: sets.json.9.dr String found in binary or memory: https://wingify.com
Source: sets.json.9.dr String found in binary or memory: https://wordle.at
Source: sets.json.9.dr String found in binary or memory: https://wp.pl
Source: sets.json.9.dr String found in binary or memory: https://wpext.pl
Source: sets.json.9.dr String found in binary or memory: https://www.asadcdn.com
Source: sets.json.9.dr String found in binary or memory: https://ya.ru
Source: sets.json.9.dr String found in binary or memory: https://yours.co.uk
Source: sets.json.9.dr String found in binary or memory: https://zalo.me
Source: sets.json.9.dr String found in binary or memory: https://zdrowietvn.pl
Source: sets.json.9.dr String found in binary or memory: https://zingmp3.vn
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1633150228
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1633150228\sets.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1633150228\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1633150228\LICENSE
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1633150228\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1633150228\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1633150228\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1294590347
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1294590347\Google.Widevine.CDM.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1294590347\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1294590347\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1294590347\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1294590347\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1887124166
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1887124166\LICENSE.txt
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1887124166\Filtering Rules
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1887124166\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1887124166\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1887124166\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1887124166\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1732070053
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1732070053\_platform_specific\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1732070053\_platform_specific\win_x64\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1732070053\_platform_specific\win_x64\widevinecdm.dll.sig
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1732070053\_platform_specific\win_x64\widevinecdm.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1732070053\LICENSE
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1732070053\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1732070053\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1732070053\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1732070053\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_221767600
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_221767600\ssl_error_assistant.pb
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_221767600\manifest.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_221767600\_metadata\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_221767600\_metadata\verified_contents.json
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_221767600\manifest.fingerprint
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_2060455088
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_2060455088\download_file_types.pb Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_2060455088\manifest.json Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_2060455088\_metadata\ Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_2060455088\_metadata\verified_contents.json Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_2060455088\manifest.fingerprint Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File deleted: C:\Windows\SystemTemp\chrome_BITS_4828_938150558 Jump to behavior
Source: Google.Widevine.CDM.dll.9.dr Static PE information: Number of sections : 12 > 10
Source: widevinecdm.dll.9.dr Static PE information: Number of sections : 13 > 10
Source: classification engine Classification label: mal48.phis.winPDF@52/95@0/12
Source: shelbycountytn.gov.pdf Initial sample: https://PJD.ctorombet.com/enRUG/
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-08 18-01-34-027.log
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\shelbycountytn.gov.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1680,i,4515409880386373091,12119218796225078129,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://PJD.ctorombet.com/enRUG/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1996,i,6538390649141663925,14644674923314258461,262144 /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: Google.Widevine.CDM.dll.pdb source: Google.Widevine.CDM.dll.9.dr
Source: Binary string: C:\b\s\w\ir\x\w\rc\cdm\protected\out\Release\widevinecdm.dll.pdb source: widevinecdm.dll.9.dr
Source: shelbycountytn.gov.pdf Initial sample: PDF keyword /JS count = 0
Source: shelbycountytn.gov.pdf Initial sample: PDF keyword /JavaScript count = 0
Source: shelbycountytn.gov.pdf Initial sample: PDF keyword /EmbeddedFile count = 0
Source: Google.Widevine.CDM.dll.9.dr Static PE information: section name: .00cfg
Source: Google.Widevine.CDM.dll.9.dr Static PE information: section name: .gxfg
Source: Google.Widevine.CDM.dll.9.dr Static PE information: section name: .retplne
Source: Google.Widevine.CDM.dll.9.dr Static PE information: section name: .voltbl
Source: Google.Widevine.CDM.dll.9.dr Static PE information: section name: _RDATA
Source: widevinecdm.dll.9.dr Static PE information: section name: .00cfg
Source: widevinecdm.dll.9.dr Static PE information: section name: .gxfg
Source: widevinecdm.dll.9.dr Static PE information: section name: .retplne
Source: widevinecdm.dll.9.dr Static PE information: section name: .rodata
Source: widevinecdm.dll.9.dr Static PE information: section name: _RDATA
Source: widevinecdm.dll.9.dr Static PE information: section name: malloc_h

Persistence and Installation Behavior

Source: PDF document LLM: Page contains button: 'VIEW WITH ADOBE' Source: 'PDF document'
Source: PDF document LLM: PDF document contains prominent button: 'view with adobe'
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1732070053\_platform_specific\win_x64\widevinecdm.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1294590347\Google.Widevine.CDM.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping4828_1887124166\LICENSE.txt
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX