
Analysis Report hernon9021.pdf

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 109763
Start date: 11.02.2019
Start time: 17:29:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: hernon9021.pdf
Cookbook file name: defaultwindowspdfcookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winPDF@23/45@5/4
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .pdf
  • Found PDF document
  • Find and activate links
  • Security Warning found
  • Close Viewer
  • Browsing link: https://cunery.mypi.co/wp-admin/cgi/untitlednotebook1.html#
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Detection
Threshold | 48    | 0 - 100 | Report FP / FN | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Exploitation for Client Execution (3) | Winlogon Helper DLL | Port Monitors | File System Logical Offsets | Credential Dumping | System Service Discovery | Application Deployment Software | Data from Local System | Data Encrypted (1) | Standard Non-Application Layer Protocol (3)
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Binary Padding | Network Sniffing | Application Window Discovery | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Application Layer Protocol (3)

(Numbers in parentheses are the count of matching signatures for that technique.)

Signature Overview



AV Detection:

Multi AV Scanner detection for domain / URL
Source: cunery.mypi.co | virustotal: Detection: 8%
Source: https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html | virustotal: Detection: 13%

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: mypi.co
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.2.5:49799 -> 210.16.100.46:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.2.5:49799 -> 210.16.100.46:443

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 104.25.157.13
Source: Joe Sandbox View | IP Address: 3.3.0.2
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: AS40676-PsychzNetworksUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
    GET /icons/alecive/flatwoken/128/Apps-Pdf-icon.png HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: icons.iconarchive.com
    Connection: Keep-Alive
Found strings which match to known social media urls
Source: msapplication.xml0.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa997f618,0x01d4c272</date><accdate>0xa997f618,0x01d4c272</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa997f618,0x01d4c272</date><accdate>0xa99ceec0,0x01d4c272</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa9b1d551,0x01d4c272</date><accdate>0xa9b1d551,0x01d4c272</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa9b1d551,0x01d4c272</date><accdate>0xa9b1d551,0x01d4c272</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa9b6ad8c,0x01d4c272</date><accdate>0xa9b6ad8c,0x01d4c272</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa9b6ad8c,0x01d4c272</date><accdate>0xa9b6ad8c,0x01d4c272</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: mypi.co
Urls found in memory or binary data
Source: imagestore.dat.14.dr, UntitledNotebook1[1].htm.14.dr | String found in binary or memory: http://icons.iconarchive.com/icons/alecive/flatwoken/128/Apps-Pdf-icon.png
Source: msapplication.xml.13.dr | String found in binary or memory: http://www.amazon.com/
Source: element_main[1].js.14.dr | String found in binary or memory: http://www.broofa.com
Source: msapplication.xml1.13.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.13.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.13.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.13.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.13.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.13.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.13.dr | String found in binary or memory: http://www.youtube.com/
Source: {D36A749D-2E65-11E9-AAD9-C25F135D3C65}.dat.13.dr | String found in binary or memory: https://cunery.my
Source: {D36A749D-2E65-11E9-AAD9-C25F135D3C65}.dat.13.dr | String found in binary or memory: https://cunery.myRoot
Source: {D36A749D-2E65-11E9-AAD9-C25F135D3C65}.dat.13.dr | String found in binary or memory: https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html
Source: hernon9021.pdf | String found in binary or memory: https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html)
Source: {D36A749D-2E65-11E9-AAD9-C25F135D3C65}.dat.13.dr | String found in binary or memory: https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html6AdobeCloudFile-Document.PDF
Source: {D36A749D-2E65-11E9-AAD9-C25F135D3C65}.dat.13.dr | String found in binary or memory: https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.htmlRoot
Source: {D36A749D-2E65-11E9-AAD9-C25F135D3C65}.dat.13.dr | String found in binary or memory: https://cunery.mypi.co/wp-admin/cgi/untitlednotebook1.html#
Source: UntitledNotebook1[1].htm.14.dr | String found in binary or memory: https://static.adobelogin.com/clients/adobe_document_cloud/045110ca15262c13aa37af60dbb4b51a.png
Source: element_main[1].js.14.dr | String found in binary or memory: https://translate.google.com
Source: {D36A749D-2E65-11E9-AAD9-C25F135D3C65}.dat.13.dr | String found in binary or memory: https://translate.googleapis.com/translate_static/css/translateelement.css
Source: element_main[1].js.14.dr | String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: element_main[1].js.14.dr | String found in binary or memory: https://www.google.com/support/translate
Source: element_main[1].js.14.dr | String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_42x16dp.png
Source: element_main[1].js.14.dr | String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_68x28dp.png
Source: element_main[1].js.14.dr | String found in binary or memory: https://www.gstatic.com/images/branding/product/1x/translate_24dp.png
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49800

System Summary:

Classification label
Source: classification engine | Classification label: mal48.winPDF@23/45@5/4
Clickable URLs found in PDF
Source: hernon9021.pdf | Initial sample: https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html
Source: hernon9021.pdf | Initial sample: https://cunery.mypi.co/wp-admin/cgi/untitlednotebook1.html
Creates files inside the user directory
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons
Creates temporary files
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9Rmw9nuk_1b1mlu3_1bk.tmp
Reads ini files
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File read: C:\Program Files (x86)\desktop.ini
Spawns processes
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\hernon9021.pdf'
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\hernon9021.pdf'
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=D95187B71815B8C151A83957F223E291 --mojo-platform-channel-handle=1652 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B9AD549FA9FA149BD5010AE9128E3088 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,355
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=11AE001AD5261991B4AA0F51BBC34F37 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,355
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=C7C0DE218B4C978C45FAD91552F15485 --mojo-platform-channel-handle=2480 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=DF1AAA31C71C0990C997C88504A156F8 --mojo-platform-channel-handle=2732 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknownProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=624083835C4C51A9B81F887DA4AC928E --mojo-platform-channel-handle=2820 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe' /PRODUCT:Reader /VERSION:19.0 /MODE:3
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5684 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\hernon9021.pdf'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe' /PRODUCT:Reader /VERSION:19.0 /MODE:3
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=D95187B71815B8C151A83957F223E291 --mojo-platform-channel-handle=1652 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B9AD549FA9FA149BD5010AE9128E3088 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,355Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=11AE001AD5261991B4AA0F51BBC34F37 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,355Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=C7C0DE218B4C978C45FAD91552F15485 --mojo-platform-channel-handle=2480 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=DF1AAA31C71C0990C997C88504A156F8 --mojo-platform-channel-handle=2732 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=624083835C4C51A9B81F887DA4AC928E --mojo-platform-channel-handle=2820 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5684 CREDAT:17410 /prefetch:2
Writes ini files
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | File written: C:\Users\user\AppData\Local\Temp\ArmUI.ini
Uses Rich Edit Controls
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File opened: C:\Windows\SysWOW64\Msftedit.dll
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
PDF has a JavaScript or JS counter value indicative of goodware
Source: hernon9021.pdf | Initial sample: PDF keyword /JS count = 0
Source: hernon9021.pdf | Initial sample: PDF keyword /JavaScript count = 0
PDF has a stream counter value indicative of goodware
Source: hernon9021.pdf | Initial sample: PDF keyword stream count = 46
PDF has an EmbeddedFile counter value indicative of goodware
Source: hernon9021.pdf | Initial sample: PDF keyword /EmbeddedFile count = 0
PDF has an obj counter value indicative of goodware
Source: hernon9021.pdf | Initial sample: PDF keyword obj count = 63

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | Process information set: NOOPENFILEERRORBOX

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 109763 | Sample: hernon9021.pdf | Startdate: 11/02/2019 | Architecture: WINDOWS | Score: 48

Signatures on graph:
  • Multi AV Scanner detection for domain / URL

Process tree (from graph):
  • AcroRd32.exe (started)
    • iexplore.exe (started) -> iexplore.exe (started)
    • RdrCEF.exe (started) -> RdrCEF.exe (started) x3, plus 3 other processes
    • AcroRd32.exe (started)
    • AdobeARM.exe (started)

DNS/IP info (from graph):
  • cunery.mypi.co (resolved by iexplore.exe)
  • mypi.co (resolved by AcroRd32.exe)
  • cunery.mypi.co 210.16.100.46, 443, 49799, 49800 AS40676-PsychzNetworksUS India (iexplore.exe)
  • icons.iconarchive.com 104.25.157.13, 49811, 49812, 80 CLOUDFLARENET-CloudFlareIncUS United States (iexplore.exe)
  • 3 other IPs or domains (iexplore.exe)
  • 3.3.0.2 AS3215FR United States (RdrCEF.exe)

Simulations

Behavior and APIs

Time | Type | Description
17:30:14 | API Interceptor | 1x Sleep call for process: RdrCEF.exe modified
17:30:19 | API Interceptor | 2x Sleep call for process: AcroRd32.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
hernon9021.pdf | 5% | virustotal |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
cunery.mypi.co | 9% | virustotal |
mypi.co | 0% | virustotal |

URLs

Source | Detection | Scanner | Label
https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html | 13% | virustotal |
https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html | 0% | Avira URL Cloud | safe
https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.htmlRoot | 0% | Avira URL Cloud | safe
https://cunery.myRoot | 0% | Avira URL Cloud | safe
https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html) | 0% | Avira URL Cloud | safe
https://cunery.my | 0% | Avira URL Cloud | safe
https://cunery.mypi.co/wp-admin/cgi/untitlednotebook1.html# | 0% | Avira URL Cloud | safe
https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html6AdobeCloudFile-Document.PDF | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs


Domains


ASN


JA3 Fingerprints


Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.