Windows Analysis Report
Mystery_Check.pdf

Overview

General Information

Sample name:	Mystery_Check.pdf
Analysis ID:	1592167
MD5:	fd2747b9a183d512b9235d9f1253351d
SHA1:	5a4419259e8bd345d69fce0b3de5858daf0ad8a3
SHA256:	7ed35c2e41b80fd5f5413449376ed956ca87ff278309a7bf0e839f60453b21ca
Infos:

Detection

KnowBe4, PDFPhish

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found potential malicious PDF (bad image similarity)

Yara detected KnowBe4 simulated phishing

Yara detected PDFPhish

AI detected landing page (webpage, office document or email)

Machine Learning detection for sample

Suspicious PDF detected (based on various text indicators)

IP address seen in connection with other malware

PDF has an OpenAction (likely to launch a dropper script)

Classification

Signatures

AV Detection

Machine Learning detection for sample

Source: Mystery_Check.pdf

Joe Sandbox ML: detected

Phishing

Yara detected KnowBe4 simulated phishing

Source: Yara match

File source: 1.0.pages.csv, type: HTML

Yara detected PDFPhish

Source: Yara match

File source: Mystery_Check.pdf, type: SAMPLE

AI detected landing page (webpage, office document or email)

Source: PDF document	Joe Sandbox AI: Page contains button: 'Secure Open' Source: 'PDF document'
Source: PDF document	Joe Sandbox AI: PDF document contains prominent button: 'secure open'

Suspicious PDF detected (based on various text indicators)

Source: Adobe Acrobat PDF

OCR Text: Adob Adobe Document Cloud This document is encrypted using Adobe Secure CloudTM. Click below to securely view contents. Secure Open Please note: Some webmail clients are not compatible with Adobe obat Secure CloudTM. If that happens, download the file and open on Desktop.

Source: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==

HTTP Parser: No favicon

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 199.232.196.193 199.232.196.193
Source: Joe Sandbox View	IP Address: 104.18.90.62 104.18.90.62
Source: Joe Sandbox View	IP Address: 104.17.24.14 104.17.24.14

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==?cid=2358647351 HTTP/1.1Host: 2fa.com-token-auth.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ== HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://2fa.com-token-auth.com/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==?cid=2358647351Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/landing-watermark-8487e36eef1bec74f06631f19fea0aa171c208e2976373cda5bd0a4b9e230903.css HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /helpimg/landing_pages/css/dd.css HTTP/1.1Host: s3.amazonaws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/sei-styles-1837e0b6e1baaf1af90438028a176241b70a365a8a09ff4bf668cf3bf9e3c759.css HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/landing-watermark-16f13e16a7ef02fb6f94250aa1931ded83dbee5d9fad278e33dd5792d085194f.css HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/application-3ab7c63a41a8761925d45817a71fb79e0ef7208b59de505ac640c8a2a183ec19.js HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /packs/js/vendor-69f70dd3792dc7287ac8.js HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/modernizr-654222debe8018b12f1993ceddff30dc163a7d5008d79869c399d6d167321f97.js HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /hubfs/241394/html_file/files/img/KB4-logo.png HTTP/1.1Host: cdn2.hubspot.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /QRF01zv.png HTTP/1.1Host: i.imgur.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/landing-watermark-16f13e16a7ef02fb6f94250aa1931ded83dbee5d9fad278e33dd5792d085194f.css HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js HTTP/1.1Host: secured-login.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /hubfs/241394/html_file/files/img/KB4-logo.png HTTP/1.1Host: cdn2.hubspot.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=kyBM5N5wKaeVZqAZkYjX_y4Y.cWvQuaB08Z2FVpU69Q-1736971973-1.0.1.1-vtJJJi0A9eEg6m3LTUU9tu8sGm2QESnQq7r0ycsbEK4zGYRisdXmu5cAwhq.ccYK12HPHeliKY2_4F0yG31gHA
Source: global traffic	HTTP traffic detected: GET /QRF01zv.png HTTP/1.1Host: i.imgur.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /resources/media/66957295-71c0-4507-9d79-f81211d0fcce-large16x9_blurredcheque.png HTTP/1.1Host: local21news.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/sei-flag-90af55d793544fe1893f26677661a4252761afbe811fab0eced85c67bc82f984.png HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://secured-login.net/assets/sei-styles-1837e0b6e1baaf1af90438028a176241b70a365a8a09ff4bf668cf3bf9e3c759.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /resources/media/66957295-71c0-4507-9d79-f81211d0fcce-large16x9_blurredcheque.png HTTP/1.1Host: local21news.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/sei-flag-90af55d793544fe1893f26677661a4252761afbe811fab0eced85c67bc82f984.png HTTP/1.1Host: secured-login.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: secured-login.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: 2fa.com-token-auth.com
Source: global traffic	DNS traffic detected: DNS query: secured-login.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: s3.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: cdn2.hubspot.net
Source: global traffic	DNS traffic detected: DNS query: i.imgur.com
Source: global traffic	DNS traffic detected: DNS query: local21news.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 20:12:52 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeX-Frame-Options: SAMEORIGINX-XSS-Protection: 0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneReferrer-Policy: strict-origin-when-cross-originCache-Control: no-cacheContent-Security-Policy: X-Request-Id: ad004bda-21ff-481d-86a1-606e5c304622X-Runtime: 0.012616Strict-Transport-Security: max-age=63113904; includeSubDomains; preload
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 20:12:52 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeX-Frame-Options: SAMEORIGINX-XSS-Protection: 0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneReferrer-Policy: strict-origin-when-cross-originCache-Control: no-cacheContent-Security-Policy: X-Request-Id: 327af3d4-98c4-4339-9dfd-957927c37619X-Runtime: 0.031259Strict-Transport-Security: max-age=63113904; includeSubDomains; preload
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 20:12:52 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeX-Frame-Options: SAMEORIGINX-XSS-Protection: 0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneReferrer-Policy: strict-origin-when-cross-originCache-Control: no-cacheContent-Security-Policy: X-Request-Id: 02704279-caea-4b7b-a1f8-73abcc3fb0c2X-Runtime: 0.015009Strict-Transport-Security: max-age=63113904; includeSubDomains; preload
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 20:12:52 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeX-Frame-Options: SAMEORIGINX-XSS-Protection: 0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneReferrer-Policy: strict-origin-when-cross-originCache-Control: no-cacheContent-Security-Policy: X-Request-Id: 513fc814-98d8-43a8-a871-8dc60fac7153X-Runtime: 0.011269Strict-Transport-Security: max-age=63113904; includeSubDomains; preload
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 20:12:54 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeX-Frame-Options: SAMEORIGINX-XSS-Protection: 0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneReferrer-Policy: strict-origin-when-cross-originCache-Control: no-cacheContent-Security-Policy: X-Request-Id: 46638330-df2e-4e06-bef4-f7b1785d7f55X-Runtime: 0.016023Strict-Transport-Security: max-age=63113904; includeSubDomains; preload

Source: 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: chromecache_200.11.dr	String found in binary or memory: http://getbootstrap.com)
Source: chromecache_201.11.dr	String found in binary or memory: http://preview.training.knowbe4.com/XdCt3bFlxamE1ZFYrZVF6TlpxdVNCK3JlQURvb3d0VTBmVDVFemdrWjZiTGhBc09
Source: 2D85F72862B55C4EADD9E66E06947F3D0.1.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: Mystery_Check.pdf	String found in binary or memory: https://2fa.com-token-auth.com/XK0IrQUd5MStubVlIaU9uSm9yT003MjZ4M0xKMWxZYllPNW9zOUNyUks2SktRTDY5M29z
Source: Mystery_Check.pdf	String found in binary or memory: https://2fa.com-token-auth.com/XTGNadUJqbTVmQ0tPcC9iT1l5WWp2bFkrdVdyUkhnamlaN1dPckEzL2Z3V1dNRzhWZ2Qw
Source: Mystery_Check.pdf	String found in binary or memory: https://2fa.com-token-auth.com/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhL
Source: Mystery_Check.pdf	String found in binary or memory: https://2fa.com-token-auth.com/Xa2xGbk9xNlJ6aXYwWC9hc3JsM2ExZFUrTUczVmpKM3JpOUxML3NjZUFtZThIMTRPMUlO
Source: chromecache_201.11.dr	String found in binary or memory: https://cdn2.hubspot.net/hubfs/241394/html_file/files/img/KB4-logo.png
Source: chromecache_201.11.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css
Source: chromecache_201.11.dr	String found in binary or memory: https://fonts.googleapis.com/css2?family=Open
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4iaVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4jaVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4kaVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4saVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4taVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4vaVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B5OaVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B5caVI
Source: chromecache_200.11.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: chromecache_201.11.dr	String found in binary or memory: https://i.imgur.com/QRF01zv.png
Source: chromecache_201.11.dr	String found in binary or memory: https://local21news.com/resources/media/66957295-71c0-4507-9d79-f81211d0fcce-large16x9_blurredcheque
Source: chromecache_201.11.dr	String found in binary or memory: https://s3.amazonaws.com/helpimg/landing_pages/css/dd.css
Source: chromecache_211.11.dr	String found in binary or memory: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988

System Summary

Found potential malicious PDF (bad image similarity)

Source: Mystery_Check.pdf

Static PDF information: Image stream: 21

Source: classification engine

Classification label: mal76.phis.winPDF@39/94@25/14

Source: Mystery_Check.pdf	Initial sample: https://2fa.com-token-auth.com/XK0IrQUd5MStubVlIaU9uSm9yT003MjZ4M0xKMWxZYllPNW9zOUNyUks2SktRTDY5M29zVEhueE0yZjNZS1BoSkZJZWJHMjE2NDJsekhmSDNQWDN5dDA3NXlYcWhtWFpaSE1SNy9lbTUrZ3pjMUdReGVpMWVHaUhrV0dXczlJY0lyckpLVG1EUFBpaFJHMjVVd05jbGxhemxROXJmV0xQSUdVYVNNZzVMR0FKamxKM1l1d1N0dXcxR2FBPT0tLS9TMFJtajdXQUJKS2IwNWctLU5uZlBTZXgvWlVpQzY4dmJZNHJFV3c9PQ==?cid=2358647351
Source: Mystery_Check.pdf	Initial sample: https://2fa.com-token-auth.com/XTGNadUJqbTVmQ0tPcC9iT1l5WWp2bFkrdVdyUkhnamlaN1dPckEzL2Z3V1dNRzhWZ2QwTUFhQUtsVUZhRHYwaFpjUGV3VnBPZjVlWXNGc3FRdzlkUDA1aVJoZjk1cm52RFM5UmQzYS96blFDU0czT2xtRGRpUTVXU0J4ekErMVQ3eXgrU0RJR3NDYjVlTkZEb2dNK1RHZXU3TEpWM2pYTEpsUEJEdy9CTnE3MXlOQktQOGxySTlSQ3J3PT0tLUZRdlV1RFppREt1dyticC8tLWk4YzdTbHMxZVNLQyt6ejhudS9tNWc9PQ==?cid=2358647351
Source: Mystery_Check.pdf	Initial sample: https://2fa.com-token-auth.com/xk0irqud5mstubvliau9usm9yt003mjz4m0xkmwxzyllpnw9zounyuks2sktrtdy5m29zvehuee0yzjnzs1boskzjzwjhmje2ndjsekhmsdnqwdn5dda3nxlycwhtwfpase1sny9lbturz3pjmudregvpmwvhauhrv0dxczljy0lyckplvg1eufbpafjhmjvvd05jbgxhemxroxjmv0xqsudvyvnnzzvmr0fkamxkm1l1d1n0dxcxr2fbpt0tls9tmfjtajdxqujks2iwnwctlu5uzlbtzxgvwlvpqzy4dmjznhjfv3c9pq==?cid=2358647351
Source: Mystery_Check.pdf	Initial sample: https://2fa.com-token-auth.com/xtgnadujqbtvmq0tpcc9it1l5wwp2bfkrdvdyukhnamlan1dpckezl2z3v1dnrzhwz2qwtufhqutsvuzhrhywafpjugv3vnbpzjvlwxngc3frdzlkuda1avjozjk1cm52rfm5umqzys96blfdu0czt2xtrgrputvxu0j4ekermvq3exgru0rjr3ndyjvltkzeb2dnk1rhzxu3tepwm2pytepsuejedy9ctne3mxloqktqogxystlsq3j3pt0tluzrdlv1rfppret1dyticc8tlwk4yzdtbhmxzvnlqyt6ejhuds9tnwc9pq==?cid=2358647351
Source: Mystery_Check.pdf	Initial sample: https://2fa.com-token-auth.com/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==?cid=2358647351
Source: Mystery_Check.pdf	Initial sample: https://2fa.com-token-auth.com/xuw5oq1azdmjvoer6bxrvsst5q0tbtvoztw1imwxrr1ryze1kwuh0s0rtzwptzw1bcxhlskl5zgvsctrnzxlrbjl3rtkwcfheovb4qvbzm1o3wk55dxnlvu15bhbldwswnenzskhkvtqzskiywg5lttzlz2jyu2xotkpouxvic3i5qldnwvlwcwvymgnra0prawnxtfdomstqly9ozhrgd2k1exzml3mwdffxtfrwb2qwl3e4dkl2avdrpt0tlupouvvhuvhkyloxuzlgbeitlupvwwvkruzjuhnfd1p0wxlcblvjcfe9pq==?cid=2358647351

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-01-15 15-11-23-776.log

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\Mystery_Check.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2144 --field-trial-handle=1568,i,15199389771524615251,12025059695965693712,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://2fa.com-token-auth.com/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==?cid=2358647351"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2596 --field-trial-handle=1908,i,13338171944133119390,15991037629013602393,262144 /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2144 --field-trial-handle=1568,i,15199389771524615251,12025059695965693712,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2596 --field-trial-handle=1908,i,13338171944133119390,15991037629013602393,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Mystery_Check.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: Mystery_Check.pdf

Initial sample: PDF keyword obj count = 54

PDF has an OpenAction (likely to launch a dropper script)

Source: Mystery_Check.pdf

Initial sample: PDF keyword /OpenAction

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process information queried: ProcessInformation

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
199.232.196.193	ipv4.imgur.map.fastly.net	United States	54113	FASTLYUS	false
104.18.90.62	cdn2.hubspot.net	United States	13335	CLOUDFLARENETUS	false
52.216.237.229	s3.amazonaws.com	United States	16509	AMAZON-02US	false
18.209.183.54	landing.training.knowbe4.com	United States	14618	AMAZON-AESUS	false
34.235.36.251	unknown	United States	14618	AMAZON-AESUS	false
104.17.24.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
199.232.192.193	unknown	United States	54113	FASTLYUS	false
104.18.91.62	unknown	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.181.228	www.google.com	United States	15169	GOOGLEUS	false
34.193.6.123	secured-login.net	United States	14618	AMAZON-AESUS	false
108.138.7.72	local21news.com	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.16
192.168.2.4

Contacted Domains

Name	IP	Active
cdn2.hubspot.net	104.18.90.62	true
bg.microsoft.map.fastly.net	199.232.210.172	true
s3.amazonaws.com	52.216.237.229	true
local21news.com	108.138.7.72	true
cdnjs.cloudflare.com	104.17.24.14	true
www.google.com	142.250.181.228	true
secured-login.net	34.193.6.123	true
landing.training.knowbe4.com	18.209.183.54	true
ipv4.imgur.map.fastly.net	199.232.196.193	true
2fa.com-token-auth.com	unknown	unknown
x1.i.lencr.org	unknown	unknown
i.imgur.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://secured-login.net/assets/application-3ab7c63a41a8761925d45817a71fb79e0ef7208b59de505ac640c8a2a183ec19.js	false		high
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css	false		high
https://secured-login.net/packs/js/vendor-69f70dd3792dc7287ac8.js	false		high
https://secured-login.net/assets/landing-watermark-8487e36eef1bec74f06631f19fea0aa171c208e2976373cda5bd0a4b9e230903.css	false		high
https://local21news.com/resources/media/66957295-71c0-4507-9d79-f81211d0fcce-large16x9_blurredcheque.png	false	Avira URL Cloud: safe	unknown
https://secured-login.net/assets/sei-flag-90af55d793544fe1893f26677661a4252761afbe811fab0eced85c67bc82f984.png	false		high
https://secured-login.net/assets/sei-styles-1837e0b6e1baaf1af90438028a176241b70a365a8a09ff4bf668cf3bf9e3c759.css	false		high
https://secured-login.net/favicon.ico	false		high
https://2fa.com-token-auth.com/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==?cid=2358647351	false		high
https://secured-login.net/assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js	false		high
https://s3.amazonaws.com/helpimg/landing_pages/css/dd.css	false	Avira URL Cloud: safe	unknown
https://cdn2.hubspot.net/hubfs/241394/html_file/files/img/KB4-logo.png	false		high
https://i.imgur.com/QRF01zv.png	false		high
https://secured-login.net/assets/landing-watermark-16f13e16a7ef02fb6f94250aa1931ded83dbee5d9fad278e33dd5792d085194f.css	false		high
https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==	false		high
https://secured-login.net/assets/modernizr-654222debe8018b12f1993ceddff30dc163a7d5008d79869c399d6d167321f97.js	false		high

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG	ASCII text	26FA6EB7B8209A839907839834B4E119	7BAA949044FA21068A85F45F1A22881846763062	3A3D63AFDC0B12E6E54BCF5D35A436D4F1733F524BFC1408E79E7C5AFAD39CF9
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)	ASCII text	26FA6EB7B8209A839907839834B4E119	7BAA949044FA21068A85F45F1A22881846763062	3A3D63AFDC0B12E6E54BCF5D35A436D4F1733F524BFC1408E79E7C5AFAD39CF9
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG	ASCII text	D8C25DE617A55F0B2654EE5157ABFE16	29BB51CE5E4AE9C540AAD3A8D157EEB94CD17E4C	1B41645D24C89086D36C37A2136B8566B95E3A1F137B7A295E4187F920D74EA2
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)	ASCII text	D8C25DE617A55F0B2654EE5157ABFE16	29BB51CE5E4AE9C540AAD3A8D157EEB94CD17E4C	1B41645D24C89086D36C37A2136B8566B95E3A1F137B7A295E4187F920D74EA2
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)	JSON data	A2DF7EC201D38E5C31865975F4C58203	F42C7902F795D18F07DF4035D8DD11E0C7268FA9	7FDD51BFC0B27AE7D943F9123E6014024AB058F12057D9D195041310E8DEA22E
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\d085bbf6-e62e-45d6-9d9a-acb35152fbfc.tmp	JSON data	A2DF7EC201D38E5C31865975F4C58203	F42C7902F795D18F07DF4035D8DD11E0C7268FA9	7FDD51BFC0B27AE7D943F9123E6014024AB058F12057D9D195041310E8DEA22E
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log	data	689BABBFC10582DE0173FA7967AD58AC	28CF37588112BD38AB390541D6BF3E5D508D933D	7ED6BB99CCC9E3685E314F743098564A0796EA0774828FDF52750DB4008E10FB
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG	ASCII text	662FF27E8F19EBF89BCF2DBEE603AC76	907708F8697694E60DF6090D6328C30BB9359D79	333FDB8FCE36699ECA93EE877CF2277BCD0DB9702B35FB0898FFB88B9B48BF71
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)	ASCII text	662FF27E8F19EBF89BCF2DBEE603AC76	907708F8697694E60DF6090D6328C30BB9359D79	333FDB8FCE36699ECA93EE877CF2277BCD0DB9702B35FB0898FFB88B9B48BF71
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250115201126Z-194.bmp	PC bitmap, Windows 3.x format, 117 x -152 x 32, cbSize 71190, bits offset 54	8728457C021B84949313963AD3935AF0	2A168D21FDC43A97948D173C218C34F511A17BAD	E7FDF43ED0439F878CB6942B8F8DE670F7DA27C026E5D0F635EF1F9CE6F64DF2
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages	SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15	EB35F256A2E160D27BF92468F932A3D8	AC135E1FF04227D438FEA474755F8E4FA0801A3D	B0BF1F17E8EAF91959503A65A44909DD8710BA548DB775461A4A91258B27748E
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal	SQLite Rollback Journal	B35404E474353AE9D58BAE173A90A77C	10450A3613E4FA172393F57B49B0AFD5C652922C	4276C28F6ADC1CB83F8B63F8FFED9D02BA71A8DC72AFA6D76DE3DD6C8B8EE5DD
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D	Certificate, Version=3	0CD2F9E0DA1773E9ED864DA5E370E74E	CABD2A79A1076A31F21D253635CB039D4329A5E8	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	49AEBF8CBD62D92AC215B2923FB1B9F5	1723BE06719828DDA65AD804298D0431F6AFF976	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D	data	53704A74D7AA4CCFA8199875291CEDAA	31D5D4EC458DC459AF2E416987DE56A28B6489A7	65025ED14F90BE80FCFBF9A8F63592960F40DB20EEE324A5C002B5187AA5AF09
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	9A2B0BA4A86D157853C07EA5A4A74F7A	09FAEFC52B150EF2697B77DFE0278CD20A4A164B	06F637638193C2563E8C345619DA42C53A5F18CE4868E6DC180E1C68E8C01027
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID	JSON data	20B8B73CDC114CC4F845280D00157E86	2BF78471A2EB60546F758D81FBED910FDCB39C8C	24A3BAEBEBD90F2E75C58789AC422E146567048257D9B3E6321FE49378E12440
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface	JSON data	324030150CFC593E57B756D1D3E05194	3F1FE3E732CB7BCC4F1746923ABABBD10A104D53	E1D04717E880828F39D1859849E16EB00E68EE63BC1C8F0A23D625A8D9B103E1
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface	JSON data	F85D393DB7706F761E6F7390C2781EC2	D4C970E63CE70C1390A81C6455DA764C9D403098	894EDB69479B56C739755E8616E8B2CCC7863846BC3B629BA5C905D74C910C8F
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD	JSON data	166772364FE556FA41445E18B88933A3	EDB4D7F92F6FD1AC59F70217D5E64C3C748E81E4	F52D45F7273A4C3E6755925A13180880A68DE55942062E626EF9D38CEF3B7898
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner	JSON data	44C41FC6D98E1DE70FF9388261953404	0A1A26F656C1D6EEA719B7928C6B171BDEB72A11	D1ED72A709AC33243122F9AD209D4103D5DFD6BDD76F5BE189B1988A52391DFE
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner	JSON data	89F842454A4933CE607F2E022BCB8DCC	DE914BC30CC76138DBC769C243ACA09F8669DFA5	CBE832B125B3CBEA8091FC4A7150FC1C73DFC2CA2B1195C48892D3257C14E564
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention	JSON data	811674EF3F3880AC5E22195FB148432C	E29EC9F4B1E69D1A390E6FF8EA77A9FD38EDABDA	C0D2F1F079F74633C6EE537106907998D1C7EFF3229539B4279DF76843B41E47
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner	JSON data	3139A3530E0160DBD6E84690E7085B31	52AD79D487BDB94352E933881710AF88B5BCA910	6C333B92872BE0EAD88F894D31654A40674A7ADC4654DA89D791BD7412020B8C
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner	JSON data	D9716C86DF7B3C47B335348FC8C485E1	9F9F4A0015DA7F17E1D9DF9C0B37B1B9C049CB10	7FBFFA6BC4F57CA2048176DB5623319D4A818AEBE88441C303DD68143D3C02A6
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner	JSON data	CE94AF579825E696A7FF6C92BC78EB91	9EDC22BFA1F9AEE94CDBF7956E1C82DB922E6BD6	7332DF54CF4C42D43419320F5F9C8EB65C7DE3836922B68D5ED26F06B1BF03CC
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner	JSON data	F2215499302E6EBCE9540BDAAFDD6860	DF8255E4004379FF31CFBB156C611F3A6138D1F6	76B7E63451F7F0E59035937857FDC27CA70603795557B6CCF3463C701D709B8B
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner	JSON data	D5CD22752683D07C1D3CED438AB81A31	D1FB8360F364DBE4A0C278ABDAA75CF9C89F1057	FB72DCC02ED1E4F70A8C5A94EBC47CBF1E4CA7D388B00559DC6A66A764631B8B
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention	JSON data	4178B8C7A23D1E7B7E5BB66B1C350CBB	0E32341500827C01A471FFADF28954970B154C82	4FC3616DE1ADCDBDA38DF57A7814668253283B61038BD418779B88FC17FA60A3
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner	JSON data	5422F7E8A24BD2DAF5485FBF29052EFD	4B033AC33D2F5BB38E700675A90417D8D2D04B6B	8CCF70832CA6869B3B6B13592CCAF9E70F27E33B43548F918464D82CFA47C9F9
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards	JSON data	DE317AD191C8306C9C4DA694D074282C	B220F1099757C2BC311BAA58188CD7F40F240CEB	550DCD2ADC3683CB547C8D158F273DEF7593B73ACE746D419594C996B312CDAF
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020	JSON data	98CD01D4102D4212C91D046F4539D47B	5007DC6DF1CB90BE92C9595F380E48BFF97EC066	F7A68A2A64A74247DEE867C24ED30FA65A2625A613846C80FE31F7C2F1BA0B7B
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING	data	DC84B0D741E5BEAE8070013ADDCC8C28	802F4A6A20CBF157AAF6C4E07E4301578D5936A2	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json	JSON data	DA419945843F4A7291854D65A1883F74	0C84F9BF88F775C35EB835BF8974CF4F5CD5989A	1F6F8C25D67290A746F8EE91101C5909835D49B0BBC23EADB5BFF72723AB77B6
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25	12CC489C80E581FD3D1C46C8AACC39CC	9E81DB17B3E39C0AE1385F72148405F0BF87784F	633AE5CA5BBC5DDA01B9A76F182FCC521A83127261EDE8E79F0461B95EDEA8C4
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal	SQLite Rollback Journal	910D9C1634F77383CB9E19B96F07DA90	26C0C50288FE72BC2F139791856FCF7FA8DCB86A	D3F529E6FFD0E14A8D529A4B034754626E68CB9DBC1A45CAAAD2DFA5B5C7CA6F
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin	data	7190D40EF90B2B07CCD1EC99758D6774	42B9EB2C67202A6F98C10102D8634B93576E8DBF	0D3A2B1DC673D6230777A35D6C3AD978E7A8A2D9E75DAD841DD942B4D16A128D
C:\Users\user\AppData\Local\Temp\MSIcc1ba.LOG	Unicode text, UTF-16, little-endian text, with CRLF line terminators	F82F4DDAF50BF6591741AFB38760105A	8F21FB7D938E6845A9494B9560EB7EBA52DE4E85	507FB8A4A7F2C34669D25FAD9417D4379A2A761930A7438E7548562DBC7F3B45
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-01-15 15-11-23-776.log	ASCII text, with very long lines (393)	8947C10F5AB6CFFFAE64BCA79B5A0BE3	70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778	4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log	ASCII text, with very long lines (393), with CRLF line terminators	019DEDCA45E633CF63EFC9CBA3CC4E00	2D808BD5A81B26EBDC007ECF2D3E6BE046E28B86	34277E6AD5A59A93B02217732FC5E31526FC823091227F612F8D022D45F7838C
C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt	ASCII text, with CRLF line terminators	6D67D3804603FAC6532503BA98B1F43C	95A9A0C5EC34F64D801D7921CF8C86141AB71BE5	0C0AF5F32E8CEA1CC53765AC21BFC250C22E8D45C7C263482417D342273D5DD1
C:\Users\user\AppData\Local\Temp\acrocef_low\1987b7a1-66f8-43af-9903-c3cecc2c8897.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081	716C2C392DCD15C95BBD760EEBABFCD0	4B4CE9C6AED6A7F809236B2DAFA9987CA886E603	DD3E6CFC38DA1B30D5250B132388EF73536D00628267E7F9C7E21603388724D8
C:\Users\user\AppData\Local\Temp\acrocef_low\5b02d534-1fcf-47c7-86d4-5291330c8a0f.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142	18E3D04537AF72FDBEB3760B2D10C80E	B313CD0B25E41E5CF0DFB83B33AB3E3C7678D5CC	BBEF113A2057EE7EAC911DC960D36D4A62C262DAE5B1379257908228243BD6F4
C:\Users\user\AppData\Local\Temp\acrocef_low\5fd023b2-ec60-43d1-a0df-4e0e23ed7696.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022	5C48B0AD2FEF800949466AE872E1F1E2	337D617AE142815EDDACB48484628C1F16692A2F	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
C:\Users\user\AppData\Local\Temp\acrocef_low\60b45af5-49e0-494f-b617-00cd07c42186.tmp	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538	410BB1A54ECCE470696636D4C2000E33	53A6AC06832DAA17D7C006C0A9B8B30597701926	8B6D42D70862D6623F66B09F6819A35E1AF4ACC409461E140DA020F386877F92
Chrome Cache Entry: 190	RIFF (little-endian) data, Web/P image	402214A564EAB22101571DF8C6E30B79	D5E452981A5C325383F92BFB964BA28ECEA6FFA6	8D63A7ED00572C8B418FF91F5B2E5CD667AA7226CE280E48FC8FE9D58A4D98AC
Chrome Cache Entry: 191	PNG image data, 986 x 555, 8-bit/color RGBA, interlaced	1E3A0A0C00A1794674DB77FF48028481	08A181099C149ADB52209F5967812180E9F2D0D7	B5944358BF9C7279336DF1E680454A7ADD54F927B5BAAAA30D0E5580E3AC7660
Chrome Cache Entry: 192	Web Open Font Format (Version 2), TrueType, length 9344, version 1.0	CBCA61F27F93FD71171FE8D314C66AB9	C46A51672FFFF100945F84C3EB87826B7844A1E2	F9A9A7A4B9D40BCC3047928DFA60695D53E6AE1D6EE699EA70146E171322ACAD
Chrome Cache Entry: 193	PNG image data, 986 x 555, 8-bit/color RGBA, interlaced	1E3A0A0C00A1794674DB77FF48028481	08A181099C149ADB52209F5967812180E9F2D0D7	B5944358BF9C7279336DF1E680454A7ADD54F927B5BAAAA30D0E5580E3AC7660
Chrome Cache Entry: 194	ASCII text, with no line terminators	D8F4A1993546CC4B850CDE3599E27AEC	094B763B4CFCC0B05E5D040581CD513C3CA08067	907BA78B4545338D3539683E63ECB51CF51C10ADC9DABD86E92BD52339F298B9
Chrome Cache Entry: 195	ASCII text, with very long lines (65447)	67A0C4DBD69561F3226243034423F1ED	88C1B5C7EBBFA24D8196290206BF544F28EEB406	74B9F1CFE7CAD31AE1C1901200890B76676E6D92AC817641F5EF9BFD552F2110
Chrome Cache Entry: 196	ASCII text, with very long lines (1572)	F2D1D2937C3546E15C471236646AC74E	DD8D90F6D4AC8D72C718C10424788612689D89DB	719D2FC548145FA8D8361205F6FCB49EEFC54C71FBB18E6320A60A263F40637A
Chrome Cache Entry: 197	ASCII text, with no line terminators	D8F4A1993546CC4B850CDE3599E27AEC	094B763B4CFCC0B05E5D040581CD513C3CA08067	907BA78B4545338D3539683E63ECB51CF51C10ADC9DABD86E92BD52339F298B9
Chrome Cache Entry: 198	Web Open Font Format (Version 2), TrueType, length 17576, version 1.0	EFB3F28447C9EF35FD5882FB763B37C3	158DDD8C0348DEFA3192F26DA60A746727F4A8A3	6D4370B59E36AC955C8B97F12FD5E86F7D3E80285D6AF2BFF0DAFA8E122D3C3B
Chrome Cache Entry: 199	Web Open Font Format (Version 2), TrueType, length 7728, version 1.0	80210D1FF4DE56C6704607F3831E8F6C	32FB4E1E177D5DE97AAD6E0D57100755D8DD2CFD	F515A6F8BAE422286936B110653FB8EE0F58FE32D61390EE5DE77029BE23EFD6
Chrome Cache Entry: 200	ASCII text, with very long lines (65371)	EC3BB52A00E176A7181D454DFFAEA219	6527D8BF3E1E9368BAB8C7B60F56BC01FA3AFD68	F75E846CC83BD11432F4B1E21A45F31BC85283D11D372F7B19ACCD1BF6A2635C
Chrome Cache Entry: 201	HTML document, Unicode text, UTF-8 text, with very long lines (2164)	8DE934D73C382A09D942EA02AE61F2E1	E72C4EFE45915F224B5C9EE9B66967CA79F1455B	FFC3242E1DF75B2096A8351C30EF7FD4D24838B81DCEDF02120B94B772AD83DA
Chrome Cache Entry: 202	Web Open Font Format (Version 2), TrueType, length 8572, version 1.0	776FDC253D54124DD63F274BF5EA35F0	7761DAC9A7FBB2814989092003506BA594C6EE45	0B81CC8358F236821ADA286C94726C7FEBC9CAD8BD4F59FB39C515956B644E99
Chrome Cache Entry: 203	PNG image data, 240 x 240, 8-bit/color RGBA, non-interlaced	A907E6E737788176B026FA71DFE8AFFE	6844236F638CEDCD652EB0A805476A1A13376CF5	FC5E7621BA0E98C5C6728E3B2BDF802311C0A0953A05E60A7551CB0C7BED00A9
Chrome Cache Entry: 204	Web Open Font Format (Version 2), TrueType, length 15368, version 1.0	BE7B70AB1265B1047BD93422397C655E	E10BBC7D8529AE3E64D8B08C9F7CD55C98F83D60	B452C0F212E8BF33965905032F5BA1FAE29CD6F9539DCBC673704E66CE943B2B
Chrome Cache Entry: 205	ASCII text, with no line terminators	D8F4A1993546CC4B850CDE3599E27AEC	094B763B4CFCC0B05E5D040581CD513C3CA08067	907BA78B4545338D3539683E63ECB51CF51C10ADC9DABD86E92BD52339F298B9
Chrome Cache Entry: 206	PNG image data, 240 x 240, 8-bit/color RGBA, non-interlaced	A907E6E737788176B026FA71DFE8AFFE	6844236F638CEDCD652EB0A805476A1A13376CF5	FC5E7621BA0E98C5C6728E3B2BDF802311C0A0953A05E60A7551CB0C7BED00A9
Chrome Cache Entry: 207	ASCII text	134D934420B13974981A9634B7380865	18C01D3711CF8C21C1CD0CF544002358C1C929C6	B3C447F15FCE33DFA869B9D2190364509EDE3937AE05B51BA394A78E28C244BA
Chrome Cache Entry: 208	Web Open Font Format (Version 2), TrueType, length 18668, version 1.0	8655D20BBCC8CDBFAB17B6BE6CF55DF3	90EDBFA9A7DABB185487B4774076F82EB6412270	E7AF9D60D875EB1C1B1037BBBFDEC41FCB096D0EBCF98A48717AD8B07906CED6
Chrome Cache Entry: 209	PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced	29D583007FCD677AA31CA849478BC17A	F354E323218A450060852C344927C3E79D8E7B66	120EE096F38C1E21083054C15F0F8CFBB02B6740A01D98068E3BE9581E83D453
Chrome Cache Entry: 210	Web Open Font Format (Version 2), TrueType, length 11116, version 1.0	7E05F5267BBA1AA9FB260096F923BDB7	44E5FE17DC41EB94BB2FE85D77C0904AC766325D	21E75944D3F77408D1F5F2FAB67C89C7FC43F4A80A3B8E4DCF38185F9D9F46E6
Chrome Cache Entry: 211	HTML document, ASCII text, with very long lines (407)	BF68F6C27DF49D9D4D0BA51ED253507A	BEDD87BE689202C3B6ED2410131F3D095CBBC94C	DFD48F3B7467AC4D4EAE01E2221F0735E4D34D0009126C3E7E6D3DE03C98956A
Chrome Cache Entry: 212	ASCII text, with very long lines (65447)	67A0C4DBD69561F3226243034423F1ED	88C1B5C7EBBFA24D8196290206BF544F28EEB406	74B9F1CFE7CAD31AE1C1901200890B76676E6D92AC817641F5EF9BFD552F2110
Chrome Cache Entry: 213	ASCII text	15E89F9684B18EC43EE51F8D62A787C3	9CBAAACEAE96845ECD3497F41EE3B02588ABEC11	16F13E16A7EF02FB6F94250AA1931DED83DBEE5D9FAD278E33DD5792D085194F
Chrome Cache Entry: 214	PNG image data, 200 x 38, 8-bit/color RGBA, non-interlaced	E154B58FD2CD3F1F2E2C6C810BB1E65B	CAEF301E8550A910909ECE9471669DA0C32EA6F0	E8C5A2C9860C1A6CC7C949B9D7C793E5E435D75996DEBEB295A959F3D09831C0
Chrome Cache Entry: 215	Unicode text, UTF-8 text, with CRLF line terminators	DD05B711E15EF201B07E20CB5C87F5D8	41B818B243140D90DA4CA917D454335B603A6BDA	617F793D125F780AB7BB7C9E92AB427D9E757083E7368E241E8E8FA69F013E4F
Chrome Cache Entry: 216	PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced	29D583007FCD677AA31CA849478BC17A	F354E323218A450060852C344927C3E79D8E7B66	120EE096F38C1E21083054C15F0F8CFBB02B6740A01D98068E3BE9581E83D453

AV Detection

Machine Learning detection for sample

Source: Mystery_Check.pdf

Joe Sandbox ML: detected

Phishing

Yara detected KnowBe4 simulated phishing

Source: Yara match

File source: 1.0.pages.csv, type: HTML

Yara detected PDFPhish

Source: Yara match

File source: Mystery_Check.pdf, type: SAMPLE

AI detected landing page (webpage, office document or email)

Source: PDF document	Joe Sandbox AI: Page contains button: 'Secure Open' Source: 'PDF document'
Source: PDF document	Joe Sandbox AI: PDF document contains prominent button: 'secure open'

Suspicious PDF detected (based on various text indicators)

Source: Adobe Acrobat PDF

HTTP Parser: No favicon

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 199.232.196.193 199.232.196.193
Source: Joe Sandbox View	IP Address: 104.18.90.62 104.18.90.62
Source: Joe Sandbox View	IP Address: 104.17.24.14 104.17.24.14

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==?cid=2358647351 HTTP/1.1Host: 2fa.com-token-auth.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ== HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://2fa.com-token-auth.com/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==?cid=2358647351Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/landing-watermark-8487e36eef1bec74f06631f19fea0aa171c208e2976373cda5bd0a4b9e230903.css HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /helpimg/landing_pages/css/dd.css HTTP/1.1Host: s3.amazonaws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/sei-styles-1837e0b6e1baaf1af90438028a176241b70a365a8a09ff4bf668cf3bf9e3c759.css HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/landing-watermark-16f13e16a7ef02fb6f94250aa1931ded83dbee5d9fad278e33dd5792d085194f.css HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/application-3ab7c63a41a8761925d45817a71fb79e0ef7208b59de505ac640c8a2a183ec19.js HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /packs/js/vendor-69f70dd3792dc7287ac8.js HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/modernizr-654222debe8018b12f1993ceddff30dc163a7d5008d79869c399d6d167321f97.js HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /hubfs/241394/html_file/files/img/KB4-logo.png HTTP/1.1Host: cdn2.hubspot.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /QRF01zv.png HTTP/1.1Host: i.imgur.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/landing-watermark-16f13e16a7ef02fb6f94250aa1931ded83dbee5d9fad278e33dd5792d085194f.css HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js HTTP/1.1Host: secured-login.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /hubfs/241394/html_file/files/img/KB4-logo.png HTTP/1.1Host: cdn2.hubspot.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=kyBM5N5wKaeVZqAZkYjX_y4Y.cWvQuaB08Z2FVpU69Q-1736971973-1.0.1.1-vtJJJi0A9eEg6m3LTUU9tu8sGm2QESnQq7r0ycsbEK4zGYRisdXmu5cAwhq.ccYK12HPHeliKY2_4F0yG31gHA
Source: global traffic	HTTP traffic detected: GET /QRF01zv.png HTTP/1.1Host: i.imgur.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /resources/media/66957295-71c0-4507-9d79-f81211d0fcce-large16x9_blurredcheque.png HTTP/1.1Host: local21news.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/sei-flag-90af55d793544fe1893f26677661a4252761afbe811fab0eced85c67bc82f984.png HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://secured-login.net/assets/sei-styles-1837e0b6e1baaf1af90438028a176241b70a365a8a09ff4bf668cf3bf9e3c759.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /resources/media/66957295-71c0-4507-9d79-f81211d0fcce-large16x9_blurredcheque.png HTTP/1.1Host: local21news.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /assets/sei-flag-90af55d793544fe1893f26677661a4252761afbe811fab0eced85c67bc82f984.png HTTP/1.1Host: secured-login.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: secured-login.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: 2fa.com-token-auth.com
Source: global traffic	DNS traffic detected: DNS query: secured-login.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: s3.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: cdn2.hubspot.net
Source: global traffic	DNS traffic detected: DNS query: i.imgur.com
Source: global traffic	DNS traffic detected: DNS query: local21news.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 20:12:52 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeX-Frame-Options: SAMEORIGINX-XSS-Protection: 0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneReferrer-Policy: strict-origin-when-cross-originCache-Control: no-cacheContent-Security-Policy: X-Request-Id: ad004bda-21ff-481d-86a1-606e5c304622X-Runtime: 0.012616Strict-Transport-Security: max-age=63113904; includeSubDomains; preload
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 20:12:52 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeX-Frame-Options: SAMEORIGINX-XSS-Protection: 0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneReferrer-Policy: strict-origin-when-cross-originCache-Control: no-cacheContent-Security-Policy: X-Request-Id: 327af3d4-98c4-4339-9dfd-957927c37619X-Runtime: 0.031259Strict-Transport-Security: max-age=63113904; includeSubDomains; preload
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 20:12:52 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeX-Frame-Options: SAMEORIGINX-XSS-Protection: 0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneReferrer-Policy: strict-origin-when-cross-originCache-Control: no-cacheContent-Security-Policy: X-Request-Id: 02704279-caea-4b7b-a1f8-73abcc3fb0c2X-Runtime: 0.015009Strict-Transport-Security: max-age=63113904; includeSubDomains; preload
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 20:12:52 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeX-Frame-Options: SAMEORIGINX-XSS-Protection: 0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneReferrer-Policy: strict-origin-when-cross-originCache-Control: no-cacheContent-Security-Policy: X-Request-Id: 513fc814-98d8-43a8-a871-8dc60fac7153X-Runtime: 0.011269Strict-Transport-Security: max-age=63113904; includeSubDomains; preload
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Jan 2025 20:12:54 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeX-Frame-Options: SAMEORIGINX-XSS-Protection: 0X-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneReferrer-Policy: strict-origin-when-cross-originCache-Control: no-cacheContent-Security-Policy: X-Request-Id: 46638330-df2e-4e06-bef4-f7b1785d7f55X-Runtime: 0.016023Strict-Transport-Security: max-age=63113904; includeSubDomains; preload

Source: 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: chromecache_200.11.dr	String found in binary or memory: http://getbootstrap.com)
Source: chromecache_201.11.dr	String found in binary or memory: http://preview.training.knowbe4.com/XdCt3bFlxamE1ZFYrZVF6TlpxdVNCK3JlQURvb3d0VTBmVDVFemdrWjZiTGhBc09
Source: 2D85F72862B55C4EADD9E66E06947F3D0.1.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: Mystery_Check.pdf	String found in binary or memory: https://2fa.com-token-auth.com/XK0IrQUd5MStubVlIaU9uSm9yT003MjZ4M0xKMWxZYllPNW9zOUNyUks2SktRTDY5M29z
Source: Mystery_Check.pdf	String found in binary or memory: https://2fa.com-token-auth.com/XTGNadUJqbTVmQ0tPcC9iT1l5WWp2bFkrdVdyUkhnamlaN1dPckEzL2Z3V1dNRzhWZ2Qw
Source: Mystery_Check.pdf	String found in binary or memory: https://2fa.com-token-auth.com/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhL
Source: Mystery_Check.pdf	String found in binary or memory: https://2fa.com-token-auth.com/Xa2xGbk9xNlJ6aXYwWC9hc3JsM2ExZFUrTUczVmpKM3JpOUxML3NjZUFtZThIMTRPMUlO
Source: chromecache_201.11.dr	String found in binary or memory: https://cdn2.hubspot.net/hubfs/241394/html_file/files/img/KB4-logo.png
Source: chromecache_201.11.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css
Source: chromecache_201.11.dr	String found in binary or memory: https://fonts.googleapis.com/css2?family=Open
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4iaVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4jaVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4kaVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4saVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4taVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4vaVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B5OaVI
Source: chromecache_196.11.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B5caVI
Source: chromecache_200.11.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: chromecache_201.11.dr	String found in binary or memory: https://i.imgur.com/QRF01zv.png
Source: chromecache_201.11.dr	String found in binary or memory: https://local21news.com/resources/media/66957295-71c0-4507-9d79-f81211d0fcce-large16x9_blurredcheque
Source: chromecache_201.11.dr	String found in binary or memory: https://s3.amazonaws.com/helpimg/landing_pages/css/dd.css
Source: chromecache_211.11.dr	String found in binary or memory: https://secured-login.net/pages/5b6e2d87961b/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988

System Summary

Found potential malicious PDF (bad image similarity)

Source: Mystery_Check.pdf

Static PDF information: Image stream: 21

Source: classification engine

Classification label: mal76.phis.winPDF@39/94@25/14

Source: Mystery_Check.pdf	Initial sample: https://2fa.com-token-auth.com/XK0IrQUd5MStubVlIaU9uSm9yT003MjZ4M0xKMWxZYllPNW9zOUNyUks2SktRTDY5M29zVEhueE0yZjNZS1BoSkZJZWJHMjE2NDJsekhmSDNQWDN5dDA3NXlYcWhtWFpaSE1SNy9lbTUrZ3pjMUdReGVpMWVHaUhrV0dXczlJY0lyckpLVG1EUFBpaFJHMjVVd05jbGxhemxROXJmV0xQSUdVYVNNZzVMR0FKamxKM1l1d1N0dXcxR2FBPT0tLS9TMFJtajdXQUJKS2IwNWctLU5uZlBTZXgvWlVpQzY4dmJZNHJFV3c9PQ==?cid=2358647351
Source: Mystery_Check.pdf	Initial sample: https://2fa.com-token-auth.com/XTGNadUJqbTVmQ0tPcC9iT1l5WWp2bFkrdVdyUkhnamlaN1dPckEzL2Z3V1dNRzhWZ2QwTUFhQUtsVUZhRHYwaFpjUGV3VnBPZjVlWXNGc3FRdzlkUDA1aVJoZjk1cm52RFM5UmQzYS96blFDU0czT2xtRGRpUTVXU0J4ekErMVQ3eXgrU0RJR3NDYjVlTkZEb2dNK1RHZXU3TEpWM2pYTEpsUEJEdy9CTnE3MXlOQktQOGxySTlSQ3J3PT0tLUZRdlV1RFppREt1dyticC8tLWk4YzdTbHMxZVNLQyt6ejhudS9tNWc9PQ==?cid=2358647351
Source: Mystery_Check.pdf	Initial sample: https://2fa.com-token-auth.com/xk0irqud5mstubvliau9usm9yt003mjz4m0xkmwxzyllpnw9zounyuks2sktrtdy5m29zvehuee0yzjnzs1boskzjzwjhmje2ndjsekhmsdnqwdn5dda3nxlycwhtwfpase1sny9lbturz3pjmudregvpmwvhauhrv0dxczljy0lyckplvg1eufbpafjhmjvvd05jbgxhemxroxjmv0xqsudvyvnnzzvmr0fkamxkm1l1d1n0dxcxr2fbpt0tls9tmfjtajdxqujks2iwnwctlu5uzlbtzxgvwlvpqzy4dmjznhjfv3c9pq==?cid=2358647351
Source: Mystery_Check.pdf	Initial sample: https://2fa.com-token-auth.com/xtgnadujqbtvmq0tpcc9it1l5wwp2bfkrdvdyukhnamlan1dpckezl2z3v1dnrzhwz2qwtufhqutsvuzhrhywafpjugv3vnbpzjvlwxngc3frdzlkuda1avjozjk1cm52rfm5umqzys96blfdu0czt2xtrgrputvxu0j4ekermvq3exgru0rjr3ndyjvltkzeb2dnk1rhzxu3tepwm2pytepsuejedy9ctne3mxloqktqogxystlsq3j3pt0tluzrdlv1rfppret1dyticc8tlwk4yzdtbhmxzvnlqyt6ejhuds9tnwc9pq==?cid=2358647351
Source: Mystery_Check.pdf	Initial sample: https://2fa.com-token-auth.com/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==?cid=2358647351
Source: Mystery_Check.pdf	Initial sample: https://2fa.com-token-auth.com/xuw5oq1azdmjvoer6bxrvsst5q0tbtvoztw1imwxrr1ryze1kwuh0s0rtzwptzw1bcxhlskl5zgvsctrnzxlrbjl3rtkwcfheovb4qvbzm1o3wk55dxnlvu15bhbldwswnenzskhkvtqzskiywg5lttzlz2jyu2xotkpouxvic3i5qldnwvlwcwvymgnra0prawnxtfdomstqly9ozhrgd2k1exzml3mwdffxtfrwb2qwl3e4dkl2avdrpt0tlupouvvhuvhkyloxuzlgbeitlupvwwvkruzjuhnfd1p0wxlcblvjcfe9pq==?cid=2358647351

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-01-15 15-11-23-776.log

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\Mystery_Check.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2144 --field-trial-handle=1568,i,15199389771524615251,12025059695965693712,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://2fa.com-token-auth.com/XUW5oQ1AzdmJVOER6bXRVSSt5Q0tBTVozTW1IMWxRR1RyZE1KWUh0S0RtZWptZW1BcXhLSkl5ZGVscTRnZXlrbjl3RTkwcFhEOVB4QVBZM1o3Wk55dXNlVU15bHBldWswNENZSkhkVTQzSkIyWG5LTTZLZ2JYU2xOTkpOUXVIc3I5QldNWVlwcWVYMGNRa0pRaWNXTFdoMStqLy9oZHRGd2k1eXZmL3MwdFFXTFRwb2QwL3E4dkl2aVdRPT0tLUpoUVVHUVhkYloxUzlGbEItLUpvWWVKRUZjUHNFd1p0WXlCblVJcFE9PQ==?cid=2358647351"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2596 --field-trial-handle=1908,i,13338171944133119390,15991037629013602393,262144 /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2144 --field-trial-handle=1568,i,15199389771524615251,12025059695965693712,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2596 --field-trial-handle=1908,i,13338171944133119390,15991037629013602393,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Mystery_Check.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: Mystery_Check.pdf

Initial sample: PDF keyword obj count = 54

PDF has an OpenAction (likely to launch a dropper script)

Source: Mystery_Check.pdf

Initial sample: PDF keyword /OpenAction

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process information queried: ProcessInformation

Jump to behavior

ID:	1592167
Product:	CloudBasic
Start time:	21:10:26
Start date:	15.01.2025
Sample:	Mystery_Check.pdf
Cookbook:	defaultwindowspdfcookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	fd2747b9a183d512b9235d9f1253351d
SHA1:	5a4419259e8bd345d69fce0b3de5858daf0ad8a3
SHA256:	7ed35c2e41b80fd5f5413449376ed956ca87ff278309a7bf0e839f60453b21ca
Filetype:	Adobe Portable Document Format (5005/1) 100.00%

Windows Analysis Report
Mystery_Check.pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Phishing

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report Mystery_Check.pdf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Phishing

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
Mystery_Check.pdf