
Analysis Report hernon9021.pdf

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 109764
Start date: 11.02.2019
Start time: 17:29:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 19s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: hernon9021.pdf
Cookbook file name: defaultwindowspdfcookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winPDF@21/40@5/4
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .pdf
  • Found PDF document
  • Find and activate links
  • Security Warning found
  • Close Viewer
  • Browsing link: https://cunery.mypi.co/wp-admin/cgi/untitlednotebook1.html#
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection

Strategy: Threshold | Score: 48 | Range: 0 - 100 | Reporting: Report FP / FN | Whitelisted: false | Detection: malicious

Confidence

Strategy: Threshold | Score: 5 | Range: 0 - 5 | Further Analysis Required?: false


Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Numbers in parentheses are the matched-signature counts shown in the matrix; techniques without a number are the matrix's placeholder entries.

Initial Access: Valid Accounts; Replication Through Removable Media
Execution: Exploitation for Client Execution (3); Service Execution
Persistence: Winlogon Helper DLL; Port Monitors
Privilege Escalation: Port Monitors; Accessibility Features
Defense Evasion: File System Logical Offsets; Binary Padding
Credential Access: Credential Dumping; Network Sniffing
Discovery: System Service Discovery; Application Window Discovery
Lateral Movement: Application Deployment Software; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium
Command and Control: Standard Non-Application Layer Protocol (3); Standard Application Layer Protocol (3)

Signature Overview



AV Detection:

Multi AV Scanner detection for domain / URL
Source: cunery.mypi.co | virustotal: Detection: 8%
Source: https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html | virustotal: Detection: 13%

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: mypi.co
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.2.6:49812 -> 210.16.100.46:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.2.6:49812 -> 210.16.100.46:443

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 104.25.157.13
Source: Joe Sandbox View | IP Address: 3.3.0.2
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: AS40676-PsychzNetworksUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
  GET /icons/alecive/flatwoken/128/Apps-Pdf-icon.png HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: icons.iconarchive.com
  Connection: Keep-Alive
Found strings which match to known social media urls
Source: msapplication.xml0.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa921f11c,0x01d4c272</date><accdate>0xa921f11c,0x01d4c272</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa921f11c,0x01d4c272</date><accdate>0xa9245a24,0x01d4c272</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa92929e5,0x01d4c272</date><accdate>0xa92929e5,0x01d4c272</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa92929e5,0x01d4c272</date><accdate>0xa92b9efa,0x01d4c272</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa92e00f6,0x01d4c272</date><accdate>0xa92e00f6,0x01d4c272</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa92e00f6,0x01d4c272</date><accdate>0xa92e00f6,0x01d4c272</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: mypi.co
Urls found in memory or binary data
Source: imagestore.dat.15.dr, UntitledNotebook1[1].htm.15.dr | String found in binary or memory: http://icons.iconarchive.com/icons/alecive/flatwoken/128/Apps-Pdf-icon.png
Source: msapplication.xml.14.dr | String found in binary or memory: http://www.amazon.com/
Source: element_main[1].js.15.dr | String found in binary or memory: http://www.broofa.com
Source: msapplication.xml1.14.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.14.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.14.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.14.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.14.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.14.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.14.dr | String found in binary or memory: http://www.youtube.com/
Source: {D3138404-2E65-11E9-AADE-9CC1A2A860C6}.dat.14.dr | String found in binary or memory: https://cunery.my
Source: {D3138404-2E65-11E9-AADE-9CC1A2A860C6}.dat.14.dr | String found in binary or memory: https://cunery.myRoot
Source: {D3138404-2E65-11E9-AADE-9CC1A2A860C6}.dat.14.dr | String found in binary or memory: https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html
Source: hernon9021.pdf | String found in binary or memory: https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html)
Source: {D3138404-2E65-11E9-AADE-9CC1A2A860C6}.dat.14.dr | String found in binary or memory: https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html6AdobeCloudFile-Document.PDF
Source: {D3138404-2E65-11E9-AADE-9CC1A2A860C6}.dat.14.dr | String found in binary or memory: https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.htmlRoot
Source: {D3138404-2E65-11E9-AADE-9CC1A2A860C6}.dat.14.dr | String found in binary or memory: https://cunery.mypi.co/wp-admin/cgi/untitlednotebook1.html#
Source: UntitledNotebook1[1].htm.15.dr | String found in binary or memory: https://static.adobelogin.com/clients/adobe_document_cloud/045110ca15262c13aa37af60dbb4b51a.png
Source: element_main[1].js.15.dr | String found in binary or memory: https://translate.google.com
Source: {D3138404-2E65-11E9-AADE-9CC1A2A860C6}.dat.14.dr | String found in binary or memory: https://translate.googleapis.com/translate_static/css/translateelement.css
Source: element_main[1].js.15.dr | String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: element_main[1].js.15.dr | String found in binary or memory: https://www.google.com/support/translate
Source: element_main[1].js.15.dr | String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_42x16dp.png
Source: element_main[1].js.15.dr | String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_68x28dp.png
Source: element_main[1].js.15.dr | String found in binary or memory: https://www.gstatic.com/images/branding/product/1x/translate_24dp.png
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49812

System Summary:

Classification label
Source: classification engine | Classification label: mal48.winPDF@21/40@5/4
Clickable URLs found in PDF
Source: hernon9021.pdf | Initial sample: https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html
Source: hernon9021.pdf | Initial sample: https://cunery.mypi.co/wp-admin/cgi/untitlednotebook1.html
Creates files inside the user directory
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons
Creates temporary files
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9Rdn6zj8_3i6faj_2hs.tmp
Reads ini files
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File read: C:\Program Files (x86)\desktop.ini
Spawns processes
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\hernon9021.pdf'
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\hernon9021.pdf'
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=24E21ABF0F8E9575E15A62DC941AB752 --mojo-platform-channel-handle=1640 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1D50DF8EC5F4C2E8EDFB78D6191E8B7C --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,355
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=79DF1E542BDD60AAC86DB7759744E998 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,355
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=E709F9EEEBBD1E7821CFA2AF3AA720A9 --mojo-platform-channel-handle=2396 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=8BA31DC43BE84A0D785DB7F01C0761AD --mojo-platform-channel-handle=2608 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=A48E3290B6581444E4D0D9D14729BABB --mojo-platform-channel-handle=2784 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4184 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\hernon9021.pdf'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=24E21ABF0F8E9575E15A62DC941AB752 --mojo-platform-channel-handle=1640 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1D50DF8EC5F4C2E8EDFB78D6191E8B7C --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,355
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=79DF1E542BDD60AAC86DB7759744E998 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,355
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=E709F9EEEBBD1E7821CFA2AF3AA720A9 --mojo-platform-channel-handle=2396 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=8BA31DC43BE84A0D785DB7F01C0761AD --mojo-platform-channel-handle=2608 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=A48E3290B6581444E4D0D9D14729BABB --mojo-platform-channel-handle=2784 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4184 CREDAT:17410 /prefetch:2
Uses Rich Edit Controls
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File opened: C:\Windows\SysWOW64\Msftedit.dll
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
PDF has a JavaScript or JS counter value indicative of goodware
Source: hernon9021.pdf | Initial sample: PDF keyword /JS count = 0
Source: hernon9021.pdf | Initial sample: PDF keyword /JavaScript count = 0
PDF has a stream counter value indicative of goodware
Source: hernon9021.pdf | Initial sample: PDF keyword stream count = 46
PDF has an EmbeddedFile counter value indicative of goodware
Source: hernon9021.pdf | Initial sample: PDF keyword /EmbeddedFile count = 0
PDF has an obj counter value indicative of goodware
Source: hernon9021.pdf | Initial sample: PDF keyword obj count = 63

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious

Behavior Graph ID: 109764
Sample: hernon9021.pdf
Start date: 11/02/2019
Architecture: WINDOWS
Score: 48

Signature attached to the sample node: Multi AV Scanner detection for domain / URL

Process tree recovered from the graph (the numbers after a process name are the per-node counters the graph shows next to it, in the order they appear):

  • AcroRd32.exe 15 41, started by the sample
    • iexplore.exe 3 84
      • DNS: cunery.mypi.co
      • iexplore.exe 1 50
        • cunery.mypi.co 210.16.100.46, 443, 49812, 49813 AS40676-PsychzNetworksUS India
        • icons.iconarchive.com 104.25.157.13, 49824, 49825, 80 CLOUDFLARENET-CloudFlareIncUS United States
        • 3 other IPs or domains
    • RdrCEF.exe 5
      • RdrCEF.exe
        • 3.3.0.2 AS3215FR United States
      • RdrCEF.exe
      • RdrCEF.exe
      • 3 other processes
    • AcroRd32.exe 5 8
      • DNS: mypi.co

Simulations

Behavior and APIs

Time: 17:30:14 | Type: API Interceptor | Description: 1x Sleep call for process: RdrCEF.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
hernon9021.pdf | 5% | virustotal |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
cunery.mypi.co | 9% | virustotal |
mypi.co | 0% | virustotal |

URLs

Source | Detection | Scanner | Label
https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html | 13% | virustotal |
https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html | 0% | Avira URL Cloud | safe
https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.htmlRoot | 0% | Avira URL Cloud | safe
https://cunery.myRoot | 0% | Avira URL Cloud | safe
https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html) | 0% | Avira URL Cloud | safe
https://cunery.my | 0% | Avira URL Cloud | safe
https://cunery.mypi.co/wp-admin/cgi/untitlednotebook1.html# | 0% | Avira URL Cloud | safe
https://cunery.mypi.co/wp-admin/cgi/UntitledNotebook1.html6AdobeCloudFile-Document.PDF | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
13.35.251.66 | https://joinmy.site/7H4F5I\ | malicious |
104.25.157.13 | PO231231.html | malicious | icons.iconarchive.com/icons/emey87/social-button/128/yahoo-icon.png
104.25.157.13 | PO77329.xlsx.html | malicious | icons.iconarchive.com/icons/emey87/social-button/128/yahoo-icon.png
104.25.157.13 | https://joinmy.site/7H4F5I\ | malicious | icons.iconarchive.com/icons/alecive/flatwoken/128/Apps-Pdf-icon.png
104.25.157.13 | http://novaexplicatio.com/pato/venza/index.php | malicious | icons.iconarchive.com/icons/carlosjj/microsoft-office-2013/256/Outlook-icon.png
104.25.157.13 | https://dciusastl-my.sharepoint.com/:u:/g/personal/peter_schuenke_dciusa_com/EcynMKcVtexAiYrn3RUd8asBvBD7Pbkt7CPH9o3SxVVG4Q?e=kPLfPo | malicious | icons.iconarchive.com/icons/alecive/flatwoken/128/Apps-Pdf-icon.png
3.3.0.2 | Payment Advice Note#1543338742.pdf | malicious |
3.3.0.2 | Proposal.pdf | malicious |
3.3.0.2 | payment copy.pdf | malicious |
3.3.0.2 | rapidFax message 2.pdf | malicious |
3.3.0.2 | Doc.pdf | malicious |
3.3.0.2 | Quotation189.pdf | malicious |
3.3.0.2 | Info Alexander.pdf | malicious |
3.3.0.2 | Crowley_Proposal.pdf | malicious |
3.3.0.2 | Finance Projects.pdf | malicious |
3.3.0.2 | WestpacOne#Statement.pdf | malicious |
3.3.0.2 | TripAdvisorForm.exe | malicious |
3.3.0.2 | sample.pdf | malicious |
3.3.0.2 | DOC1212122211111.pdf | malicious |
3.3.0.2 | BACS_img_95083423487.pdf | malicious |
3.3.0.2 | Updated SOW.pdf | malicious |
3.3.0.2 | Invoicepng (1).pdf | malicious |
3.3.0.2 | Mobile_Legend-Invoice#J1HD3K67O3K.pdf | malicious |
3.3.0.2 | Thankyou-Receipt#98415483.pdf | malicious |
3.3.0.2 | pdf1.pdf | malicious |
3.3.0.2 | invoice_receipt.pdf | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context
dd20fzx9mj46f.cloudfront.net | http://bullah.iljmp.com/1/niyyr | malicious | 143.204.236.66
dd20fzx9mj46f.cloudfront.net | http://bullah.iljmp.com/1/niyyr | malicious | 143.204.236.66
dd20fzx9mj46f.cloudfront.net | https://gitlab.com/anasilva1fui9b3qx/0800/raw/master/Dezembro-vivo.rar | malicious | 13.32.152.221
dd20fzx9mj46f.cloudfront.net | Sample_UIS Insurance & Investments Excel Document.html | malicious | 52.222.145.10
dd20fzx9mj46f.cloudfront.net | 1Lighthouselectric_Payment.pdf | malicious | 13.32.152.250
dd20fzx9mj46f.cloudfront.net | https://joinmy.site/7H4F5I\ | malicious | 13.35.251.66
dd20fzx9mj46f.cloudfront.net | https://ringrung.gb.net/cgi2/nsw/data/ | malicious | 13.32.4.236
dd20fzx9mj46f.cloudfront.net | https://dciusastl-my.sharepoint.com/:u:/g/personal/peter_schuenke_dciusa_com/EcynMKcVtexAiYrn3RUd8asBvBD7Pbkt7CPH9o3SxVVG4Q?e=kPLfPo | malicious | 143.204.91.66
dd20fzx9mj46f.cloudfront.net | https://biomerieux-my.sharepoint.com/:u:/p/nadia_ward/EZaYqS0CGjlGuAgm9HE0NOIBn8Vqi1AfBdb1RxUUB8j-5g?e=OtwV5U | malicious | 13.32.156.176
dd20fzx9mj46f.cloudfront.net | https://mainevent-my.sharepoint.com/:u:/p/kasales1/EQnOn5gKkd5Fu1NzaVO9Zc4B2SVvkyIa6NgDRM0QFn-9fA?e=gpg56c | malicious | 143.204.171.68
icons.iconarchive.com | PO231231.html | malicious | 104.25.157.13
icons.iconarchive.com | PO77329.xlsx.html | malicious | 104.25.157.13
icons.iconarchive.com | https://joinmy.site/7H4F5I\ | malicious | 104.25.157.13
icons.iconarchive.com | http://novaexplicatio.com/pato/venza/index.php | malicious | 104.25.157.13
icons.iconarchive.com | https://ringrung.gb.net/cgi2/nsw/data/ | malicious | 104.25.156.13
icons.iconarchive.com | https://dciusastl-my.sharepoint.com/:u:/g/personal/peter_schuenke_dciusa_com/EcynMKcVtexAiYrn3RUd8asBvBD7Pbkt7CPH9o3SxVVG4Q?e=kPLfPo | malicious | 104.25.157.13
icons.iconarchive.com | https://biomerieux-my.sharepoint.com/:u:/p/nadia_ward/EZaYqS0CGjlGuAgm9HE0NOIBn8Vqi1AfBdb1RxUUB8j-5g?e=OtwV5U | malicious | 104.25.156.13
icons.iconarchive.com | https://mainevent-my.sharepoint.com/:u:/p/kasales1/EQnOn5gKkd5Fu1NzaVO9Zc4B2SVvkyIa6NgDRM0QFn-9fA?e=gpg56c | malicious | 104.25.156.13

ASN

Match | Associated Sample Name / URL | Detection | Context
AS40676-PsychzNetworksUS | 59PO.exe | malicious | 104.216.190.180
AS40676-PsychzNetworksUS | 30PO-1639.exe | malicious | 23.238.204.43
AS40676-PsychzNetworksUS | 55swift001.exe | malicious | 45.34.5.53
AS40676-PsychzNetworksUS | 45Invitation0001.exe.exe | malicious | 23.238.204.2
AS40676-PsychzNetworksUS | 43Payment Advice.js | malicious | 45.35.198.85
AS40676-PsychzNetworksUS | 28SCAN-113-PDF.exe | malicious | 181.215.49.104
AS40676-PsychzNetworksUS | 19proforma.exe | malicious | 107.160.176.98
AS40676-PsychzNetworksUS | mon1goss2glas1pan9-ossus-west-oss-us-east.oss-us-west-1.aliyuncs.com/yg1sun2glass3ray0.html | malicious | 104.216.205.221
AS40676-PsychzNetworksUS | 0 -2018.exe | malicious | 23.238.204.2
AS40676-PsychzNetworksUS | 26Re (RFQ) HLG-21665 - HLG SLB & ENI MGS BGCS 3 & 5 - RFQ PROJECT (OPEN QUOTE) Quote #HLG.exe | malicious | 23.238.204.2
AS40676-PsychzNetworksUS | Lx9gbXEjct.exe | malicious | 172.107.144.181
AS40676-PsychzNetworksUS | 15Payment Details.exe | malicious | 172.107.10.245
AS40676-PsychzNetworksUS | 58B O Q.exe | malicious | 23.238.204.86
AS40676-PsychzNetworksUS | 15payment slip.exe | malicious | 172.107.10.27
AS40676-PsychzNetworksUS | hdu62SAmq.exe | malicious | 45.34.5.53
AS40676-PsychzNetworksUS | 29doc34567876543235 Pdf.exe | malicious | 45.34.5.53
AS40676-PsychzNetworksUS | temp60930.doc | malicious | 172.107.157.126
AS40676-PsychzNetworksUS | 58SP.exe | malicious | 23.238.204.91
AS40676-PsychzNetworksUS | 29invoice.exe | malicious | 104.216.239.18
AS40676-PsychzNetworksUS | Inquiry.doc | malicious | 172.106.170.85

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
9e10692f1b7f78228b2d4e424db3a98c | DOC1212122211111.pdf | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | https://cardinalhealth.finance/disribution/ | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | http://here.skynnovations.com/availible/ | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | http://www.bit.ly/uBbdpe4BxwwuRFnfWgrj?dyu=pascal.martinet@safety-cuttingtools.com&&25.63.34.80&&cc0_34k3=safety-cuttingtools.com&sr=pascal.martinet@safety-cuttingtools.com&NOI8E6JE=safety-cuttingtools.com&sc-3d=pascal.martinet@safety-cuttingtools.com&&7165&&cc0_34k3=pascal%20martinet&YY0G3FG=safety-cuttingtools.com&sc-3d=pascal.martinet@safety-cuttingtools.com | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | http://store.zionshope.org | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | https://ware.in.net/pro/Onedrive/index.php | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | Updated SOW.pdf | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | http://www.egtenterprise.com | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | https://www.truesyd.com.au/000/Ovvice1/?VFSG!=Linda.Conacher@justice.wa.gov.au | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | https://www.truesyd.com.au/000/Ovvice1/?VFSG!=Linda.Conacher@justice.wa.gov.au | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | http://www.zionshope.org | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | Invoicepng (1).pdf | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | Review.xps | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | https://lootart.com/qtext/ | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | http://meadowss.gq | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | https://nameserverip.xyz/sgn/D2019HL | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | https://orlando.in.net/G5?POP!=jmarker@ckr.com | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | https://angleshelf.sharepoint.com/:b:/s/ShapiroMasseyLLC/EZ2wTj09HkpIouJm6biidOwBQ1TN1ia5jLFP6D3lYHu1_Q?e=KJ4ytm | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | https://thedevcomp.net/pop/login/index.php | malicious | 210.16.100.46, 13.35.251.66
9e10692f1b7f78228b2d4e424db3a98c | https://tryanmcv.com/login.php?l=_JeHFUq_VJOXK0QWHtoGYDw1774256418&fid.13InboxLight.aspxn.1774256418&fid.125289964252813InboxLight99642_Product-userid&userid= | malicious | 210.16.100.46, 13.35.251.66

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.