Edit tour

Windows Analysis Report
Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Overview

General Information

Sample name:	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe
Analysis ID:	1454351
MD5:	9ad1097ef6d23a86d4b9327e54fdc9bc
SHA1:	517d09c1d755f08f3c5bf073d87185a801b68907
SHA256:	df9e1f7fa8d1badaa7afd42cc3aac4ef5aad3a9973ee71059599325284566e67
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Snort IDS alert for network traffic

Yara detected AgentTesla

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Contains functionality to log keystrokes (.Net Source)

Drops executable to a common third party application directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Ship Docs YINGHAI-MANE PO 240786.xlsx.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe" MD5: 9AD1097EF6D23A86D4B9327E54FDC9BC)

Ship Docs YINGHAI-MANE PO 240786.xlsx.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe" MD5: 9AD1097EF6D23A86D4B9327E54FDC9BC)

adobe.exe (PID: 3844 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 9AD1097EF6D23A86D4B9327E54FDC9BC)

adobe.exe (PID: 6332 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 9AD1097EF6D23A86D4B9327E54FDC9BC)

adobe.exe (PID: 6204 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 9AD1097EF6D23A86D4B9327E54FDC9BC)

adobe.exe (PID: 6672 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 9AD1097EF6D23A86D4B9327E54FDC9BC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_dol", "Password": "Doll900#@"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1973196935.000000000330C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1970186494.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1970186494.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.4198295133.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.4198576799.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1973196935.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1973196935.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.4198295133.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4198295133.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.4198576799.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.4198576799.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x37e13:$s9: 1.85 (Hash, version 2, native byte-order)
00000000.00000002.1751703167.0000000003D35000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1751703167.0000000003D35000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe PID: 6892	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe PID: 6892	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe PID: 6968	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe PID: 6968	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 6332	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 6332	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 6672	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 6672	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32162:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3225e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3235a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32462:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f4ad:$s2: GetPrivateProfileString 0x2eb59:$s3: get_OSFullName 0x301ab:$s5: remove_Key 0x30371:$s5: remove_Key 0x31230:$s6: FtpWebRequest 0x32144:$s7: logins 0x326b6:$s7: logins 0x35399:$s7: logins 0x35479:$s7: logins 0x36dca:$s7: logins 0x36013:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32162:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3225e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3235a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32462:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f4ad:$s2: GetPrivateProfileString 0x2eb59:$s3: get_OSFullName 0x301ab:$s5: remove_Key 0x30371:$s5: remove_Key 0x31230:$s6: FtpWebRequest 0x32144:$s7: logins 0x326b6:$s7: logins 0x35399:$s7: logins 0x35479:$s7: logins 0x36dca:$s7: logins 0x36013:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32162:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3225e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3235a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32462:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f4ad:$s2: GetPrivateProfileString 0x2eb59:$s3: get_OSFullName 0x301ab:$s5: remove_Key 0x30371:$s5: remove_Key 0x31230:$s6: FtpWebRequest 0x32144:$s7: logins 0x326b6:$s7: logins 0x35399:$s7: logins 0x35479:$s7: logins 0x36dca:$s7: logins 0x36013:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x37e13:$s9: 1.85 (Hash, version 2, native byte-order)
3.2.adobe.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.adobe.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.adobe.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.adobe.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x37e13:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x37e13:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f592:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f604:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f68e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f720:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f78a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f7fc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f892:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f922:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x6c8dd:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x6bf89:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x6d5db:$s5: remove_Key 0x6d7a1:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x6e660:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x6f574:$s7: logins 0x6fae6:$s7: logins 0x727c9:$s7: logins 0x728a9:$s7: logins 0x741fa:$s7: logins 0x37e13:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe", CommandLine: "C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe", CommandLine|base64offset|contains: ,, Image: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, NewProcessName: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, OriginalFileName: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe", ProcessId: 6892, ProcessName: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\adobe\adobe.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, ProcessId: 6968, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe

Snort Signatures

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	06/10/24-02:45:09.894395
SID:	2855542
Source Port:	49733
Destination Port:	63293
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil via FTP - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	06/10/24-02:45:22.633258
SID:	2029927
Source Port:	49735
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	06/10/24-02:45:23.375348
SID:	2851779
Source Port:	49738
Destination Port:	63241
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil via FTP - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	06/10/24-02:45:30.506071
SID:	2029927
Source Port:	49744
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	06/10/24-02:46:44.543119
SID:	2851779
Source Port:	49747
Destination Port:	63852
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	06/10/24-02:45:31.250198
SID:	2851779
Source Port:	49745
Destination Port:	65089
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	06/10/24-02:45:09.894395
SID:	2851779
Source Port:	49733
Destination Port:	63293
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	06/10/24-02:45:31.250198
SID:	2855542
Source Port:	49745
Destination Port:	65089
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil via FTP - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	06/10/24-02:45:09.156084
SID:	2029927
Source Port:	49732
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	06/10/24-02:45:23.375348
SID:	2855542
Source Port:	49738
Destination Port:	63241
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_dol", "Password": "Doll900#@"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Virustotal: Detection: 50%			Perma Link

Multi AV Scanner detection for submitted file

Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	ReversingLabs: Detection: 42%
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Virustotal: Detection: 50%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49743 version: TLS 1.2

Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.4:49732 -> 213.189.52.181:21
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49733 -> 213.189.52.181:63293
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49733 -> 213.189.52.181:63293
Source: Traffic	Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.4:49735 -> 213.189.52.181:21
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49738 -> 213.189.52.181:63241
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49738 -> 213.189.52.181:63241
Source: Traffic	Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.4:49744 -> 213.189.52.181:21
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49745 -> 213.189.52.181:65089
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49745 -> 213.189.52.181:65089
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49747 -> 213.189.52.181:63852

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 213.189.52.181 ports 63241,65089,63852,1,2,21,63293

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 213.189.52.181:63293

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: ECO-ATMAN-PLECO-ATMAN-PL ECO-ATMAN-PLECO-ATMAN-PL

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

FTP traffic detected: 213.189.52.181:21 -> 192.168.2.4:49732 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 150 allowed.220-Local time is now 02:45. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 150 allowed.220-Local time is now 02:45. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 150 allowed.220-Local time is now 02:45. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s4.serv00.com

Source: adobe.exe, 00000003.00000002.1977572355.000000000697B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1973196935.000000000330C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4198576799.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s4.serv00.com
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1973196935.0000000003291000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4198576799.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000000.00000002.1751703167.0000000003D35000.00000004.00000800.00020000.00000000.sdmp, Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1970186494.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000000.00000002.1751703167.0000000003D35000.00000004.00000800.00020000.00000000.sdmp, Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1970186494.0000000000402000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1973196935.0000000003291000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4198576799.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1973196935.0000000003291000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4198576799.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1973196935.0000000003291000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4198576799.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49743 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, JovGVW.cs	.Net Code: _5PXjwm
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.raw.unpack, JovGVW.cs	.Net Code: _5PXjwm
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.raw.unpack, JovGVW.cs	.Net Code: _5PXjwm

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 0_2_052D0054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,	0_2_052D0054
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 0_2_052D0000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,	0_2_052D0000
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 2_2_01160054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,	2_2_01160054
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 2_2_01160000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,	2_2_01160000
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_02410054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,	7_2_02410054
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_02410000 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,	7_2_02410000

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_02B04A90	1_2_02B04A90
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_02B03E78	1_2_02B03E78
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_02B041C0	1_2_02B041C0
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_066C1BC4	1_2_066C1BC4
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_066C28A8	1_2_066C28A8
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_066C289B	1_2_066C289B
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_066C359A	1_2_066C359A
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_066C1BB8	1_2_066C1BB8
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_06723018	1_2_06723018
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_0672C0F8	1_2_0672C0F8
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_06726160	1_2_06726160
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_06725150	1_2_06725150
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_0672AD90	1_2_0672AD90
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_067278F8	1_2_067278F8
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_06727218	1_2_06727218
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_06722340	1_2_06722340
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_0672E328	1_2_0672E328
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_06720040	1_2_06720040
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_06720007	1_2_06720007
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_0672584F	1_2_0672584F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_0194E8A8	3_2_0194E8A8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_0194B805	3_2_0194B805
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_01944A90	3_2_01944A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_01943E78	3_2_01943E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_019441C0	3_2_019441C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_06D22750	3_2_06D22750
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_06D27CF8	3_2_06D27CF8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_06D25550	3_2_06D25550
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_06D26560	3_2_06D26560
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_06D2C0F8	3_2_06D2C0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_06D2B1A8	3_2_06D2B1A8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_06D27618	3_2_06D27618
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_06D25C60	3_2_06D25C60
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_06D2E5E8	3_2_06D2E5E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_06D20040	3_2_06D20040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_06D2003F	3_2_06D2003F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_0108A5D0	8_2_0108A5D0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_01084A90	8_2_01084A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_0108ADA8	8_2_0108ADA8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_01083E78	8_2_01083E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_010841C0	8_2_010841C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_01080D58	8_2_01080D58
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_067D2750	8_2_067D2750
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_067D7CF8	8_2_067D7CF8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_067D6560	8_2_067D6560
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_067D5550	8_2_067D5550
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_067DC0F8	8_2_067DC0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_067DB1A8	8_2_067DB1A8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_067D7618	8_2_067D7618
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_067D5C60	8_2_067D5C60
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_067DE328	8_2_067DE328
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_067D0040	8_2_067D0040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_067D0038	8_2_067D0038

Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000000.00000002.1751062194.000000000109E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Ship Docs YINGHAI-MANE PO 240786.xlsx.exe
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000000.00000002.1751703167.0000000003D35000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea9d26a1c-7dc5-441c-98a8-6dd01f6d79df.exe4 vs Ship Docs YINGHAI-MANE PO 240786.xlsx.exe
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000000.00000000.1748374852.0000000000A42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuvDIpSw.exeH vs Ship Docs YINGHAI-MANE PO 240786.xlsx.exe
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea9d26a1c-7dc5-441c-98a8-6dd01f6d79df.exe4 vs Ship Docs YINGHAI-MANE PO 240786.xlsx.exe
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4195698044.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Ship Docs YINGHAI-MANE PO 240786.xlsx.exe
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Binary or memory string: OriginalFilenameuvDIpSw.exeH vs Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: adobe.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, eIwn.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, KNymkUU5gB.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, KNymkUU5gB.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, LPE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, LPE.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/4@2/2

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Mutant created: NULL

Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	ReversingLabs: Detection: 42%
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Virustotal: Detection: 50%

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

File read: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe "C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe"
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process created: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe "C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process created: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe "C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_02B00C6D push edi; retf	1_2_02B00C7A
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_066C9F31 pushfd ; iretd	1_2_066C9F32
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_066CBAB0 push es; ret	1_2_066CBAC0
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Code function: 1_2_066C7952 push es; ret	1_2_066C7960
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_01947D81 pushfd ; iretd	3_2_01947D82
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_01940C6D push edi; retf	3_2_01940C7A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_06D2E312 push ss; retf	3_2_06D2E31A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_01080C6D push edi; retf	8_2_01080C7A

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

File written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

File created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

File opened: C:\Users\user\AppData\Roaming\adobe\adobe.exe:Zone.Identifier read attributes | delete

Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: xlsx.exe

Static PE information: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Memory allocated: 1430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Memory allocated: 4D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Memory allocated: 2B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Memory allocated: 4B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 4A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 3290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 4570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598857	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599881	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599763	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599652	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598561	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596560	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596123	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595577	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595260	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594484	Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Window / User API: threadDelayed 2376	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Window / User API: threadDelayed 7457	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 3382	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 6467	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 1692	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 8151	Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 6940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 2736	Thread sleep count: 2376 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 2736	Thread sleep count: 7457 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -598857s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -594874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -594547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -594313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe TID: 5676	Thread sleep time: -594203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7116	Thread sleep count: 3382 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -599881s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -599763s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -599652s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7116	Thread sleep count: 6467 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -598561s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -596560s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -596123s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -595796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -595577s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -595260s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2212	Thread sleep time: -594500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5024	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1612	Thread sleep count: 1692 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1612	Thread sleep count: 8151 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 4484	Thread sleep time: -594484s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598857	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599881	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599763	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599652	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598561	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596560	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596123	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595577	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595260	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594484	Jump to behavior

Source: adobe.exe, 00000008.00000002.4195648887.0000000000D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4196124419.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1970539186.0000000001375000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Code function: 0_2_052D0054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

0_2_052D0054

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Memory written: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Process created: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe "C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $kq3<b>[ Program Manager]</b> (10/06/2024 12:55:51)<br>
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <html>Time: 07/03/2024 16:38:04<br>User Name: user<br>Computer Name: 818225<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 173.254.250.91<br><hr><b>[ Program Manager]</b> (10/06/2024 12:55:51)<br>{Win}r</html>
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $kq8<b>[ Program Manager]</b> (10/06/2024 12:55:51)<br>{Win}THpq$
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRkqL
Source: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $kq9<b>[ Program Manager]</b> (10/06/2024 12:55:51)<br>{Win}rTHpq$

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Queries volume information: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Queries volume information: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1973196935.000000000330C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1970186494.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4198295133.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4198576799.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1973196935.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4198295133.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4198576799.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1751703167.0000000003D35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe PID: 6892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe PID: 6968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 6332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 6672, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1970186494.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1973196935.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4198295133.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4198576799.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1751703167.0000000003D35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe PID: 6892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe PID: 6968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 6332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 6672, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e4a770.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.52e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.3e0f140.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1973196935.000000000330C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1970186494.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4198295133.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4198576799.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1973196935.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4198295133.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4198576799.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1751703167.0000000003D35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe PID: 6892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe PID: 6968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 6332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 6672, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	212 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	11 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	50%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	50%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.ipify.org	1%	Virustotal		Browse
s4.serv00.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://account.dyn.com/	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://s4.serv00.com	0%	Virustotal		Browse
https://api.ipify.org	1%	Virustotal		Browse
https://api.ipify.org/	1%	Virustotal		Browse
https://api.ipify.org/t	0%	Virustotal		Browse
https://api.ipify.org/t	0%	Avira URL Cloud	safe
https://api.ipify.org/	0%	Avira URL Cloud	safe
https://api.ipify.org	0%	Avira URL Cloud	safe
http://s4.serv00.com	0%	Avira URL Cloud	safe
http://crl.m	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false	1%, Virustotal, Browse	unknown
s4.serv00.com	213.189.52.181	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000000.00000002.1751703167.0000000003D35000.00000004.00000800.00020000.00000000.sdmp, Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1970186494.0000000000402000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1973196935.0000000003291000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4198576799.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.m	adobe.exe, 00000003.00000002.1977572355.000000000697B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000000.00000002.1751703167.0000000003D35000.00000004.00000800.00020000.00000000.sdmp, Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1970186494.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org/t	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1973196935.0000000003291000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4198576799.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1973196935.0000000003291000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4198576799.0000000002B4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://s4.serv00.com	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe, 00000001.00000002.4198295133.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1973196935.000000000330C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4198576799.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.189.52.181	s4.serv00.com	Poland		57367	ECO-ATMAN-PLECO-ATMAN-PL	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1454351
Start date and time:	2024-06-10 02:44:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/4@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 207 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:45:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe
01:45:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe
20:45:05	API Interceptor	10108119x Sleep call for process: Ship Docs YINGHAI-MANE PO 240786.xlsx.exe modified
20:45:18	API Interceptor	8810741x Sleep call for process: adobe.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.74.152	K8mzlntJVN.msi	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	ShaderifyBeta 1.4.0.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	ShaderifyBeta 1.4.0.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	ShaderifyBeta 1.4.0.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	ShaderifyBeta 1.4.0.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	TS-240609-CStealer1.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	104.26.13.205
	https://ace-aviation.co.nz/help/contact/381354399391092	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.29520.6445.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	DHL.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	MB263350411AE.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	DHL Package.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ECO-ATMAN-PLECO-ATMAN-PL	BOQ_Algeemi_SharePoint_Tender.xlsx.exe	Get hash	malicious	AgentTesla	Browse	91.185.189.19
	OriginalMessage.txt.msg	Get hash	malicious	HTMLPhisher	Browse	31.186.83.254
	Invoice_23257538_PDF.wsf	Get hash	malicious	GuLoader	Browse	31.186.83.248
	WEB-SAT_base.apk	Get hash	malicious	Unknown	Browse	77.79.227.218
	WEB-SAT_base.apk	Get hash	malicious	Unknown	Browse	77.79.227.218
	Invoice 23257538_PDF.wsf	Get hash	malicious	GuLoader	Browse	31.186.83.248
	Invoice 23257538_PDF.wsf	Get hash	malicious	GuLoader	Browse	31.186.83.248
	Invoice 23457538_PDF.vbs	Get hash	malicious	AsyncRAT, XWorm	Browse	31.186.83.248
	14-11-2023(1).exe	Get hash	malicious	AgentTesla	Browse	128.204.218.69
	R7275-12112023.exe	Get hash	malicious	AgentTesla	Browse	128.204.218.69
CLOUDFLARENETUS	Image is copyrighted.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	188.114.96.3
	FYKNehdnEA.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	gCQQWnI6Y4.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://takipcifox.com/	Get hash	malicious	HTMLPhisher	Browse	104.21.57.95
	https://steam.communityfileshareds.com/sharedfiles/tropic_White_Chip	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://me-airbnb.com/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://whatsapp.styyyuxp.shop/	Get hash	malicious	Unknown	Browse	104.16.40.28
	https://pub-7d92cd0bfba4484281fe4ef7b7323120.r2.dev/Linked.html	Get hash	malicious	Unknown	Browse	104.16.123.96
	https://ggzklqy22.njkirkorpwko86.dns-dynamic.net/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.telegramkd.com/	Get hash	malicious	Unknown	Browse	104.21.18.65

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://www.bassatis.e-skafos.gr/subscription/login	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://whatsapp.styyyuxp.shop/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://ggzklqy22.njkirkorpwko86.dns-dynamic.net/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://monumental-crostata-62tre3.netlify.app/dev.html/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://telegracm.org/a	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://bet9933.com/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://gekas1-sg1asd-48fa40-tr1jha.netlify.app/dev.html/	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://cepte-klima.xyz/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://remove-page-violation-submit.netlify.app/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://erac1-v123fas-525ytr-mv1ax.netlify.app/dev.html/	Get hash	malicious	Unknown	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\adobe.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Download File

Process:	C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	399360
Entropy (8bit):	6.37865939346686
Encrypted:	false
SSDEEP:	6144:nG8/Pl5W2KYbjOrq1NijSchoiEC8IjhJwJpNhCF5qGI3f2nwf0F4eQhrt/bcnAI:n2rgijP7EHEsvNhC7IfBbhrt4T
MD5:	9AD1097EF6D23A86D4B9327E54FDC9BC
SHA1:	517D09C1D755F08F3C5BF073D87185A801B68907
SHA-256:	DF9E1F7FA8D1BADAA7AFD42CC3AAC4EF5AAD3A9973EE71059599325284566E67
SHA-512:	1EA9293A6931E191B1C63537FC5EA003E8AE98D53242A711769052BF9BA1976DEF2BB5F7894F85A0DA087C0A4354A68474268DA77D8438CFBB0A04299DF7C955
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42% Antivirus: Virustotal, Detection: 50%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%ff.....................Z........... ........@.. .......................`............@.....................................O........W...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....W.......X..................@..@.reloc.......@......................@..B........................H............T...........................................................0..........(....s......r...p(....o......r#..p(....o........i .....@(........i .....@(...........i(..........i(....(....o....(.............(....&..(......(....2~.....o....VrK..p(....s.........:.(......}.....0..`........o.....0.s....z.(......{....(....ri..po....o.....{....(....ri..po....o.....{....o........io......{...."..}......{...."..}....V.(......(......(....>..(......(......{...."..}....

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.37865939346686
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe
File size:	399'360 bytes
MD5:	9ad1097ef6d23a86d4b9327e54fdc9bc
SHA1:	517d09c1d755f08f3c5bf073d87185a801b68907
SHA256:	df9e1f7fa8d1badaa7afd42cc3aac4ef5aad3a9973ee71059599325284566e67
SHA512:	1ea9293a6931e191b1c63537fc5ea003e8ae98d53242a711769052bf9ba1976def2bb5f7894f85a0da087c0a4354a68474268da77d8438cfbb0a04299df7c955
SSDEEP:	6144:nG8/Pl5W2KYbjOrq1NijSchoiEC8IjhJwJpNhCF5qGI3f2nwf0F4eQhrt/bcnAI:n2rgijP7EHEsvNhC7IfBbhrt4T
TLSH:	EC849B077A68C653F199F7BA6862D40C0BF96C5A1912CEDFAD8C7CC804B5BE44452F63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%ff.....................Z........... ........@.. .......................`............@................................

File Icon


Icon Hash:	31d89a929298d027

Static PE Info

General

Entrypoint:	0x45daee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66662585 [Sun Jun 9 21:58:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5da9c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5e000	0x57fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5baf4	0x5bc00	3baecde0ea57098db1f57d68e7d44116	False	0.7095431709809265	data	6.262431815006639	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5e000	0x57fc	0x5800	afd927d7ef1fa8e49cdaf718940ab222	False	0.30961470170454547	data	5.299107668039321	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0xc	0x200	6cdba09c6804cc529fd720cb37e0993a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x5e1f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.4920212765957447
RT_ICON	0x5e658	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	0.32704918032786884
RT_ICON	0x5efe0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.2303001876172608
RT_ICON	0x60088	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.15995850622406638
RT_ICON	0x62630	0xc1d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8742341180264431
RT_GROUP_ICON	0x63250	0x4c	data	0.75
RT_VERSION	0x6329c	0x374	data	0.4117647058823529
RT_MANIFEST	0x63610	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/10/24-02:45:09.894395	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49733	63293	192.168.2.4	213.189.52.181
06/10/24-02:45:22.633258	TCP	2029927	ET TROJAN AgentTesla Exfil via FTP	49735	21	192.168.2.4	213.189.52.181
06/10/24-02:45:23.375348	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49738	63241	192.168.2.4	213.189.52.181
06/10/24-02:45:30.506071	TCP	2029927	ET TROJAN AgentTesla Exfil via FTP	49744	21	192.168.2.4	213.189.52.181
06/10/24-02:46:44.543119	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49747	63852	192.168.2.4	213.189.52.181
06/10/24-02:45:31.250198	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49745	65089	192.168.2.4	213.189.52.181
06/10/24-02:45:09.894395	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49733	63293	192.168.2.4	213.189.52.181
06/10/24-02:45:31.250198	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49745	65089	192.168.2.4	213.189.52.181
06/10/24-02:45:09.156084	TCP	2029927	ET TROJAN AgentTesla Exfil via FTP	49732	21	192.168.2.4	213.189.52.181
06/10/24-02:45:23.375348	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49738	63241	192.168.2.4	213.189.52.181

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2024 02:45:04.967667103 CEST	49731	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:04.967704058 CEST	443	49731	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:04.967787027 CEST	49731	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:04.973115921 CEST	49731	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:04.973129034 CEST	443	49731	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:05.595381021 CEST	443	49731	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:05.595516920 CEST	49731	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:05.598488092 CEST	49731	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:05.598496914 CEST	443	49731	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:05.598901033 CEST	443	49731	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:05.646042109 CEST	49731	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:05.652002096 CEST	49731	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:05.696537971 CEST	443	49731	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:05.826961040 CEST	443	49731	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:05.827104092 CEST	443	49731	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:05.827178955 CEST	49731	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:05.829041958 CEST	49731	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:06.832494020 CEST	49732	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:06.837563038 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:06.837714911 CEST	49732	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:07.573301077 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:07.573487043 CEST	49732	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:07.578474998 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:07.828468084 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:07.828907013 CEST	49732	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:07.834161997 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:08.126197100 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:08.126594067 CEST	49732	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:08.131562948 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:08.381879091 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:08.382056952 CEST	49732	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:08.387079000 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:08.636934996 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:08.637213945 CEST	49732	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:08.644274950 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:08.894148111 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:08.894428015 CEST	49732	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:08.899974108 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:09.150008917 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:09.150593042 CEST	49733	63293	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:09.155677080 CEST	63293	49733	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:09.155833960 CEST	49733	63293	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:09.156084061 CEST	49732	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:09.161005020 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:09.894026041 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:09.894395113 CEST	49733	63293	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:09.894395113 CEST	49733	63293	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:09.899705887 CEST	63293	49733	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:09.900134087 CEST	63293	49733	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:09.900190115 CEST	49733	63293	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:09.943182945 CEST	49732	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:10.150810003 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:10.207027912 CEST	49732	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:18.915874004 CEST	49734	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:18.915911913 CEST	443	49734	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:18.915981054 CEST	49734	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:18.919687033 CEST	49734	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:18.919703960 CEST	443	49734	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:19.530020952 CEST	443	49734	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:19.530256033 CEST	49734	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:19.531410933 CEST	49734	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:19.531440973 CEST	443	49734	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:19.531961918 CEST	443	49734	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:19.583620071 CEST	49734	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:19.587459087 CEST	49734	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:19.632508039 CEST	443	49734	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:19.758974075 CEST	443	49734	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:19.759116888 CEST	443	49734	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:19.759171009 CEST	49734	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:19.764759064 CEST	49734	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:20.280445099 CEST	49735	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:20.285774946 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:20.285855055 CEST	49735	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:21.028750896 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:21.028922081 CEST	49735	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:21.033843994 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:21.285542011 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:21.285667896 CEST	49735	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:21.290843964 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:21.584898949 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:21.585084915 CEST	49735	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:21.590030909 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:21.841763020 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:21.841897011 CEST	49735	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:21.846820116 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:22.098315001 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:22.098434925 CEST	49735	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:22.104554892 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:22.370929956 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:22.371058941 CEST	49735	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:22.375984907 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:22.627655029 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:22.628190994 CEST	49738	63241	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:22.633132935 CEST	63241	49738	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:22.633212090 CEST	49738	63241	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:22.633258104 CEST	49735	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:22.638418913 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:23.375144958 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:23.375348091 CEST	49738	63241	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:23.375427961 CEST	49738	63241	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:23.382065058 CEST	63241	49738	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:23.382422924 CEST	63241	49738	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:23.382477045 CEST	49738	63241	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:23.427233934 CEST	49735	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:23.634179115 CEST	21	49735	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:23.677243948 CEST	49735	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:26.916609049 CEST	49743	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:26.916632891 CEST	443	49743	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:26.916702032 CEST	49743	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:26.919923067 CEST	49743	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:26.919933081 CEST	443	49743	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:27.530625105 CEST	443	49743	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:27.530733109 CEST	49743	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:27.534660101 CEST	49743	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:27.534667015 CEST	443	49743	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:27.534984112 CEST	443	49743	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:27.577254057 CEST	49743	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:27.593044043 CEST	49735	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:27.624494076 CEST	443	49743	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:27.759439945 CEST	443	49743	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:27.759596109 CEST	443	49743	172.67.74.152	192.168.2.4
Jun 10, 2024 02:45:27.759823084 CEST	49743	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:27.761625051 CEST	49743	443	192.168.2.4	172.67.74.152
Jun 10, 2024 02:45:28.158037901 CEST	49744	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:28.163242102 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:28.163333893 CEST	49744	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:28.905561924 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:28.905752897 CEST	49744	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:28.910743952 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:29.162507057 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:29.162797928 CEST	49744	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:29.167906046 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:29.467304945 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:29.467585087 CEST	49744	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:29.472771883 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:29.724272966 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:29.728061914 CEST	49744	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:29.733393908 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:29.984989882 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:29.985388041 CEST	49744	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:29.991781950 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:30.242754936 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:30.243065119 CEST	49744	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:30.248127937 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:30.500247955 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:30.500725031 CEST	49745	65089	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:30.505834103 CEST	65089	49745	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:30.505978107 CEST	49745	65089	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:30.506071091 CEST	49744	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:30.511234999 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:31.249989033 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:31.250197887 CEST	49745	65089	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:31.250238895 CEST	49745	65089	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:31.255146980 CEST	65089	49745	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:31.255580902 CEST	65089	49745	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:31.255634069 CEST	49745	65089	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:31.302367926 CEST	49744	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:45:31.508450985 CEST	21	49744	213.189.52.181	192.168.2.4
Jun 10, 2024 02:45:31.552253962 CEST	49744	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:46:43.531194925 CEST	49732	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:46:43.536309004 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:46:43.787116051 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:46:43.787892103 CEST	49747	63852	192.168.2.4	213.189.52.181
Jun 10, 2024 02:46:43.792962074 CEST	63852	49747	213.189.52.181	192.168.2.4
Jun 10, 2024 02:46:43.793044090 CEST	49747	63852	192.168.2.4	213.189.52.181
Jun 10, 2024 02:46:43.793097019 CEST	49732	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:46:43.797955990 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:46:44.542843103 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:46:44.543118954 CEST	49747	63852	192.168.2.4	213.189.52.181
Jun 10, 2024 02:46:44.543118954 CEST	49747	63852	192.168.2.4	213.189.52.181
Jun 10, 2024 02:46:44.548078060 CEST	63852	49747	213.189.52.181	192.168.2.4
Jun 10, 2024 02:46:44.548762083 CEST	63852	49747	213.189.52.181	192.168.2.4
Jun 10, 2024 02:46:44.548823118 CEST	49747	63852	192.168.2.4	213.189.52.181
Jun 10, 2024 02:46:44.583471060 CEST	49732	21	192.168.2.4	213.189.52.181
Jun 10, 2024 02:46:44.802555084 CEST	21	49732	213.189.52.181	192.168.2.4
Jun 10, 2024 02:46:44.849103928 CEST	49732	21	192.168.2.4	213.189.52.181

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2024 02:45:04.954792023 CEST	50211	53	192.168.2.4	1.1.1.1
Jun 10, 2024 02:45:04.961674929 CEST	53	50211	1.1.1.1	192.168.2.4
Jun 10, 2024 02:45:06.822475910 CEST	58933	53	192.168.2.4	1.1.1.1
Jun 10, 2024 02:45:06.831597090 CEST	53	58933	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 10, 2024 02:45:04.954792023 CEST	192.168.2.4	1.1.1.1	0xfff4	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jun 10, 2024 02:45:06.822475910 CEST	192.168.2.4	1.1.1.1	0xe43a	Standard query (0)	s4.serv00.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jun 10, 2024 02:45:04.961674929 CEST	1.1.1.1	192.168.2.4	0xfff4	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jun 10, 2024 02:45:04.961674929 CEST	1.1.1.1	192.168.2.4	0xfff4	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jun 10, 2024 02:45:04.961674929 CEST	1.1.1.1	192.168.2.4	0xfff4	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jun 10, 2024 02:45:06.831597090 CEST	1.1.1.1	192.168.2.4	0xe43a	No error (0)	s4.serv00.com	213.189.52.181	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	172.67.74.152	443	6968	C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-10 00:45:05 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-06-10 00:45:05 UTC	211	IN	HTTP/1.1 200 OK Date: Mon, 10 Jun 2024 00:45:05 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8915562ebd024647-DFW
2024-06-10 00:45:05 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 Data Ascii: 173.254.250.91

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	172.67.74.152	443	6332	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-10 00:45:19 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-06-10 00:45:19 UTC	211	IN	HTTP/1.1 200 OK Date: Mon, 10 Jun 2024 00:45:19 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89155685dbed72f3-DFW
2024-06-10 00:45:19 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 Data Ascii: 173.254.250.91

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	172.67.74.152	443	6672	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-10 00:45:27 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-06-10 00:45:27 UTC	211	IN	HTTP/1.1 200 OK Date: Mon, 10 Jun 2024 00:45:27 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 891556b7c9cf2e73-DFW
2024-06-10 00:45:27 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 Data Ascii: 173.254.250.91

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jun 10, 2024 02:45:07.573301077 CEST	21	49732	213.189.52.181	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 150 allowed.220-Local time is now 02:45. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 150 allowed.220-Local time is now 02:45. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 150 allowed.220-Local time is now 02:45. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Jun 10, 2024 02:45:07.573487043 CEST	49732	21	192.168.2.4	213.189.52.181	USER f2241_dol
Jun 10, 2024 02:45:07.828468084 CEST	21	49732	213.189.52.181	192.168.2.4	331 User f2241_dol OK. Password required
Jun 10, 2024 02:45:07.828907013 CEST	49732	21	192.168.2.4	213.189.52.181	PASS Doll900#@
Jun 10, 2024 02:45:08.126197100 CEST	21	49732	213.189.52.181	192.168.2.4	230 OK. Current restricted directory is /
Jun 10, 2024 02:45:08.381879091 CEST	21	49732	213.189.52.181	192.168.2.4	504 Unknown command
Jun 10, 2024 02:45:08.382056952 CEST	49732	21	192.168.2.4	213.189.52.181	PWD
Jun 10, 2024 02:45:08.636934996 CEST	21	49732	213.189.52.181	192.168.2.4	257 "/" is your current location
Jun 10, 2024 02:45:08.637213945 CEST	49732	21	192.168.2.4	213.189.52.181	TYPE I
Jun 10, 2024 02:45:08.894148111 CEST	21	49732	213.189.52.181	192.168.2.4	200 TYPE is now 8-bit binary
Jun 10, 2024 02:45:08.894428015 CEST	49732	21	192.168.2.4	213.189.52.181	PASV
Jun 10, 2024 02:45:09.150008917 CEST	21	49732	213.189.52.181	192.168.2.4	227 Entering Passive Mode (213,189,52,181,247,61)
Jun 10, 2024 02:45:09.156084061 CEST	49732	21	192.168.2.4	213.189.52.181	STOR PW_user-818225_2024_06_09_20_45_05.html
Jun 10, 2024 02:45:09.894026041 CEST	21	49732	213.189.52.181	192.168.2.4	150 Accepted data connection
Jun 10, 2024 02:45:10.150810003 CEST	21	49732	213.189.52.181	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.258 seconds (measured here), 1.32 Kbytes per second
Jun 10, 2024 02:45:21.028750896 CEST	21	49735	213.189.52.181	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 150 allowed.220-Local time is now 02:45. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 150 allowed.220-Local time is now 02:45. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 150 allowed.220-Local time is now 02:45. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Jun 10, 2024 02:45:21.028922081 CEST	49735	21	192.168.2.4	213.189.52.181	USER f2241_dol
Jun 10, 2024 02:45:21.285542011 CEST	21	49735	213.189.52.181	192.168.2.4	331 User f2241_dol OK. Password required
Jun 10, 2024 02:45:21.285667896 CEST	49735	21	192.168.2.4	213.189.52.181	PASS Doll900#@
Jun 10, 2024 02:45:21.584898949 CEST	21	49735	213.189.52.181	192.168.2.4	230 OK. Current restricted directory is /
Jun 10, 2024 02:45:21.841763020 CEST	21	49735	213.189.52.181	192.168.2.4	504 Unknown command
Jun 10, 2024 02:45:21.841897011 CEST	49735	21	192.168.2.4	213.189.52.181	PWD
Jun 10, 2024 02:45:22.098315001 CEST	21	49735	213.189.52.181	192.168.2.4	257 "/" is your current location
Jun 10, 2024 02:45:22.098434925 CEST	49735	21	192.168.2.4	213.189.52.181	TYPE I
Jun 10, 2024 02:45:22.370929956 CEST	21	49735	213.189.52.181	192.168.2.4	200 TYPE is now 8-bit binary
Jun 10, 2024 02:45:22.371058941 CEST	49735	21	192.168.2.4	213.189.52.181	PASV
Jun 10, 2024 02:45:22.627655029 CEST	21	49735	213.189.52.181	192.168.2.4	227 Entering Passive Mode (213,189,52,181,247,9)
Jun 10, 2024 02:45:22.633258104 CEST	49735	21	192.168.2.4	213.189.52.181	STOR PW_user-818225_2024_06_09_20_45_18.html
Jun 10, 2024 02:45:23.375144958 CEST	21	49735	213.189.52.181	192.168.2.4	150 Accepted data connection
Jun 10, 2024 02:45:23.634179115 CEST	21	49735	213.189.52.181	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.259 seconds (measured here), 1.32 Kbytes per second
Jun 10, 2024 02:45:28.905561924 CEST	21	49744	213.189.52.181	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 150 allowed.220-Local time is now 02:45. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 150 allowed.220-Local time is now 02:45. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 150 allowed.220-Local time is now 02:45. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Jun 10, 2024 02:45:28.905752897 CEST	49744	21	192.168.2.4	213.189.52.181	USER f2241_dol
Jun 10, 2024 02:45:29.162507057 CEST	21	49744	213.189.52.181	192.168.2.4	331 User f2241_dol OK. Password required
Jun 10, 2024 02:45:29.162797928 CEST	49744	21	192.168.2.4	213.189.52.181	PASS Doll900#@
Jun 10, 2024 02:45:29.467304945 CEST	21	49744	213.189.52.181	192.168.2.4	230 OK. Current restricted directory is /
Jun 10, 2024 02:45:29.724272966 CEST	21	49744	213.189.52.181	192.168.2.4	504 Unknown command
Jun 10, 2024 02:45:29.728061914 CEST	49744	21	192.168.2.4	213.189.52.181	PWD
Jun 10, 2024 02:45:29.984989882 CEST	21	49744	213.189.52.181	192.168.2.4	257 "/" is your current location
Jun 10, 2024 02:45:29.985388041 CEST	49744	21	192.168.2.4	213.189.52.181	TYPE I
Jun 10, 2024 02:45:30.242754936 CEST	21	49744	213.189.52.181	192.168.2.4	200 TYPE is now 8-bit binary
Jun 10, 2024 02:45:30.243065119 CEST	49744	21	192.168.2.4	213.189.52.181	PASV
Jun 10, 2024 02:45:30.500247955 CEST	21	49744	213.189.52.181	192.168.2.4	227 Entering Passive Mode (213,189,52,181,254,65)
Jun 10, 2024 02:45:30.506071091 CEST	49744	21	192.168.2.4	213.189.52.181	STOR PW_user-818225_2024_06_09_20_45_26.html
Jun 10, 2024 02:45:31.249989033 CEST	21	49744	213.189.52.181	192.168.2.4	150 Accepted data connection
Jun 10, 2024 02:45:31.508450985 CEST	21	49744	213.189.52.181	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.258 seconds (measured here), 1.32 Kbytes per second
Jun 10, 2024 02:46:43.531194925 CEST	49732	21	192.168.2.4	213.189.52.181	PASV
Jun 10, 2024 02:46:43.787116051 CEST	21	49732	213.189.52.181	192.168.2.4	227 Entering Passive Mode (213,189,52,181,249,108)
Jun 10, 2024 02:46:43.793097019 CEST	49732	21	192.168.2.4	213.189.52.181	STOR KL_user-818225_2024_07_03_16_38_04.html
Jun 10, 2024 02:46:44.542843103 CEST	21	49732	213.189.52.181	192.168.2.4	150 Accepted data connection
Jun 10, 2024 02:46:44.802555084 CEST	21	49732	213.189.52.181	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.260 seconds (measured here), 1.07 Kbytes per second

Target ID:	0
Start time:	20:45:03
Start date:	09/06/2024
Path:	C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe"
Imagebase:	0xa40000
File size:	399'360 bytes
MD5 hash:	9AD1097EF6D23A86D4B9327E54FDC9BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.1752622729.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1751703167.0000000003D35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1751703167.0000000003D35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:45:03
Start date:	09/06/2024
Path:	C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe"
Imagebase:	0x810000
File size:	399'360 bytes
MD5 hash:	9AD1097EF6D23A86D4B9327E54FDC9BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4198295133.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4198295133.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4198295133.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	20:45:16
Start date:	09/06/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x7e0000
File size:	399'360 bytes
MD5 hash:	9AD1097EF6D23A86D4B9327E54FDC9BC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 42%, ReversingLabs Detection: 50%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:45:17
Start date:	09/06/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0xcd0000
File size:	399'360 bytes
MD5 hash:	9AD1097EF6D23A86D4B9327E54FDC9BC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1973196935.000000000330C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1970186494.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1970186494.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1973196935.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1973196935.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:45:25
Start date:	09/06/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x1f0000
File size:	399'360 bytes
MD5 hash:	9AD1097EF6D23A86D4B9327E54FDC9BC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:45:25
Start date:	09/06/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x780000
File size:	399'360 bytes
MD5 hash:	9AD1097EF6D23A86D4B9327E54FDC9BC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4198576799.0000000002BBC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4198576799.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4198576799.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	60.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	64.9%
Total number of Nodes:	97
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 052D0000 Relevance: 13.9, APIs: 9, Instructions: 353
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 052D0054: CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 052D0167

NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 052D0192
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 052D01C9
WriteProcessMemory.KERNELBASE ref: 052D0217
WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 052D02FD
Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 052D0355
WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 052D03A1
Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 052D03EC
ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 052D040C

Memory Dump Source

Source File: 00000000.00000002.1752576338.00000000052D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: Process$MemoryThreadWrite$ContextWow64$AllocCreateResumeSectionUnmapViewVirtual
String ID:
API String ID: 2814188497-0
Opcode ID: 37430e902d01128bcddca1ad93b7e833f04db2506693cda9d34fb03a2d514acd
Instruction ID: af35bcd3ee1249e2961828f0629a6e7d7107671e978c5cdf56ca85daeafebc8f
Opcode Fuzzy Hash: 37430e902d01128bcddca1ad93b7e833f04db2506693cda9d34fb03a2d514acd
Instruction Fuzzy Hash: AAC1EC757A0244BFE6157BF1DC4EF39B7259F46B08F1480A9E2006F1F1E9E26C118672

Function 052D0054 Relevance: 13.8, APIs: 9, Instructions: 322
threadinjectionprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 052D0420: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,052D0083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 052D043F

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 052D0167
NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 052D0192
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 052D01C9
WriteProcessMemory.KERNELBASE ref: 052D0217
WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 052D02FD
Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 052D0355
WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 052D03A1
Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 052D03EC
ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 052D040C

Memory Dump Source

Source File: 00000000.00000002.1752576338.00000000052D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtualWow64$CreateResumeSectionUnmapView
String ID:
API String ID: 4009322845-0
Opcode ID: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
Instruction ID: 52f3bc34f34e6695728a1d405c5403bb40e21cbe334ceb90cd644a77ed5cfbc4
Opcode Fuzzy Hash: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
Instruction Fuzzy Hash: 12A1C6747A0204BFE6157BF1DC4EF39B615AF85B08F208168E2047F1F1E9E26D219672

Function 01470AC9 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcA.USER32(?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 01470B3B

Memory Dump Source

Source File: 00000000.00000002.1751516048.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1470000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 0c80ebacbbd5e82e201c621167def390f1f8641083707813469ff1f068b6dfa8
Instruction ID: 483ace49e8ef23b37f220fa90d5bba2e982b45872e247194e345092c09852ff5
Opcode Fuzzy Hash: 0c80ebacbbd5e82e201c621167def390f1f8641083707813469ff1f068b6dfa8
Instruction Fuzzy Hash: 381146B5800248DFCB10CF9AD885BDEBFF4FB49310F24845AE558A7260C375A544CFA1

Function 014704C0 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcA.USER32(?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 01470B3B

Memory Dump Source

Source File: 00000000.00000002.1751516048.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1470000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 313a4cb84d4ef90412a197e6d8fc4e1c8004de3561f0892f09b66558720e504a
Instruction ID: e38568d630c2257d2c4554b2b9ddff8b624cefe8d9666271de2ca7f221dd765b
Opcode Fuzzy Hash: 313a4cb84d4ef90412a197e6d8fc4e1c8004de3561f0892f09b66558720e504a
Instruction Fuzzy Hash: 511116B5900649DFCB10DF9AD844BDEBFF4FB49324F20842AE519A7220C375A944CFA4

Function 014703D0 Relevance: 1.4, APIs: 1, Instructions: 123
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,?,?,?,?,0147090A,00000040,00001000), ref: 01470A90

Memory Dump Source

Source File: 00000000.00000002.1751516048.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1470000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e8ec801e71f3f009fcd3fee7a7d1c3d79cc9fc340115e662758805822411e25c
Instruction ID: e7f1f2b65e0448da6035fc148db232617613dbe24f09c961ed30836c379d8488
Opcode Fuzzy Hash: e8ec801e71f3f009fcd3fee7a7d1c3d79cc9fc340115e662758805822411e25c
Instruction Fuzzy Hash: D2319E719093888FCB12DFA9C8547CABFF4EF4A310F14809BD094EB262D3349444CBA5

Function 01470971 Relevance: 1.4, APIs: 1, Instructions: 117
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,?,?,?,?,0147090A,00000040,00001000), ref: 01470A90

Memory Dump Source

Source File: 00000000.00000002.1751516048.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1470000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 99ad6d7ab0afbdf47b0db573466535bd0efaac4d34be3856caf41e5ecca5109b
Instruction ID: fd31f662d751b94fd2a30576fffdb2c6604e12ae66303a1adc9b9327a73716a7
Opcode Fuzzy Hash: 99ad6d7ab0afbdf47b0db573466535bd0efaac4d34be3856caf41e5ecca5109b
Instruction Fuzzy Hash: 2F418D75A042448FC711DF69D884A9EBFF1FF89310F25849AE449EB362C734AC05CB91

Function 014704B4 Relevance: 1.3, APIs: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,?,?,?,?,0147090A,00000040,00001000), ref: 01470A90

Memory Dump Source

Source File: 00000000.00000002.1751516048.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1470000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e29e3dd920de68ae8e7aec125d27dbfb95a7ee932b5bca4a0786600ea32e5e64
Instruction ID: e6007bed90d851ca4bc9a385f4549bb22943d9563f139d98a9e6435b26ded806
Opcode Fuzzy Hash: e29e3dd920de68ae8e7aec125d27dbfb95a7ee932b5bca4a0786600ea32e5e64
Instruction Fuzzy Hash: 5A1125B5900649DFCB20DF9AC444BDEBFF4FB49320F20842AE558A7250D375A944CFA4

Function 052D0420 Relevance: 1.3, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,052D0083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 052D043F

Memory Dump Source

Source File: 00000000.00000002.1752576338.00000000052D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52d0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
Instruction ID: 492b71776c9af27fdf74f9f720d92d04bc82dfc1b448b02b6ec4b27f4196ac12
Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
Instruction Fuzzy Hash: B9D0A9702A43006AE2017FA14C0AF2CA680AF40B09F400814F304380F0E5EA9C180267

Analysis Process: Ship Docs YINGHAI-MANE PO 240786.xlsx.exePID: 6968, Parent PID: 6892COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.1%
Total number of Nodes:	191
Total number of Limit Nodes:	17

Executed Functions

Function 06723018 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06723770
$kq, xrefs: 06723717
$kq, xrefs: 06723723
$kq, xrefs: 06723764
$kq, xrefs: 0672374C
$kq, xrefs: 06723740

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 0c6cc37c8937df08646ced1316e2236ac45f6c1ba0acdd3f1d033471d8da8503
Instruction ID: 59dc2902d03bcab09d38492845dd57fed7343a20aa6716ce2eb6e4880a8432ec
Opcode Fuzzy Hash: 0c6cc37c8937df08646ced1316e2236ac45f6c1ba0acdd3f1d033471d8da8503
Instruction Fuzzy Hash: D3323F34E1061ACFCB14EF74D99459DB7B2FF89310F60C69AD409AB264EB34A985CF90

Function 067278F8 Relevance: 3.0, Strings: 2, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06727C41
$kq, xrefs: 06727C35

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 417a91ce45de3ee6e1846f1d596fc1f69bf72f9b5bbe36a04c5e5b7cdd71e3fa
Instruction ID: c6951621af7abe7c1ba06286a8b5ec49c72fddcfc6348ae5a1c476ab58dfacbe
Opcode Fuzzy Hash: 417a91ce45de3ee6e1846f1d596fc1f69bf72f9b5bbe36a04c5e5b7cdd71e3fa
Instruction Fuzzy Hash: 75029030B002268FDB58DF69D6906AEB7F6EF84304F248529D405DB399DB35ED86CB90

Function 06722340 Relevance: 1.0, Instructions: 1011COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0407fb1a4a599206fef7085d964b695d241039ea8d9d69e233a25ce50b3644a
Instruction ID: 4ac9366b9bff63cedd921c85f8ea2a93f03bf47f4c70b3656a96d2fb8af199f0
Opcode Fuzzy Hash: f0407fb1a4a599206fef7085d964b695d241039ea8d9d69e233a25ce50b3644a
Instruction Fuzzy Hash: 6A926730A002168FCB64DF68C584A6DB7F2FF45314F5485A9E819AB366DB35EE85CF80

Function 06726160 Relevance: .8, Instructions: 828COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff43f0b4624d17e39e3fcc4ac020b2a60e9c25eb6bf324d47223b7dac08c7b8
Instruction ID: 51dddfa042f694f089dd2260be3e5c4ae220a5a964274931b46b4e3a1205f6bb
Opcode Fuzzy Hash: 7ff43f0b4624d17e39e3fcc4ac020b2a60e9c25eb6bf324d47223b7dac08c7b8
Instruction Fuzzy Hash: 1A62C134F002268FDB54DB68D694AADB7F2EF84314F24846AE805DB395DB35ED85CB80

Function 0672C0F8 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f927dab92950085d1a8d56c3ff297963fd0c903d8063102c737e5ec0c4b91ee7
Instruction ID: b4921f8d7ca24cf5d9601dc8ad76df329533e21b2b5bdd07b2f2e4f22ac4e013
Opcode Fuzzy Hash: f927dab92950085d1a8d56c3ff297963fd0c903d8063102c737e5ec0c4b91ee7
Instruction Fuzzy Hash: 8C329230B102168FDBA5DF68DA80BAEB7B2FB88314F108525E505E7359DB35DD42CB91

Function 06725150 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46c2dc57777cd3874e026214acac40ff7d7c54140c2088673ace2fe21c70b70
Instruction ID: 65413bbd8d2f43782a6b9e9a2733e68fde57cf044f4fd23c64a2ec74c63ce692
Opcode Fuzzy Hash: f46c2dc57777cd3874e026214acac40ff7d7c54140c2088673ace2fe21c70b70
Instruction Fuzzy Hash: 3B12CF71F002269FEB64DF64D98067EBBB6EF85310F248429E906DB395DA34EC45CB90

Function 0672AD90 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a22e048ceb27617ee377963a1b6fb4c978d4748d2be41bd1c3f46feb39d75e
Instruction ID: ba3ca4ed36ecf1c8162de9e658de23a70f852e9a07543b4552c120215ff562ec
Opcode Fuzzy Hash: 89a22e048ceb27617ee377963a1b6fb4c978d4748d2be41bd1c3f46feb39d75e
Instruction Fuzzy Hash: 7722A230E0021A8FDF64DB68C9807BEB7B6FB45714F208826E419EB395DA35DC85CB91

Function 02B04A90 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4198187365.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b00000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80aaee1559ee118eec83e8c504ca2b108bfba2be31ef7497aa294d3bac31a4a
Instruction ID: 80e90d5b092be6c5a6411159ffcab7c9c83b2477fc8a5640f71987af4ff96e86
Opcode Fuzzy Hash: d80aaee1559ee118eec83e8c504ca2b108bfba2be31ef7497aa294d3bac31a4a
Instruction Fuzzy Hash: 51B15CB0E00209CFDB11DFA9D9C179DBFF2EF88314F148569D915A72A4EB749885CB81

Function 066C1BC4 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f318ea36d3b1ab154588c305afb942e08207a0394db239d73e46273bfb3c0a
Instruction ID: e9f8cc2ed8d2b738fcff004ca16676815fe5e18756632e3ac0b300b0429352e9
Opcode Fuzzy Hash: 81f318ea36d3b1ab154588c305afb942e08207a0394db239d73e46273bfb3c0a
Instruction Fuzzy Hash: 9CA19034E007099FCB44DFA4D9949EDFBBAFF89310F158219E415AB3A4EB30A945CB90

Function 02B03E78 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4198187365.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b00000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804555e08b06daca0a4c621c54a3ca9b0173f948796680ad08f170f6f3ef266b
Instruction ID: 30977d4dbbe25aa2eea0de2ecbdc259d15a7202dc32b00d408f9bdb2f361663b
Opcode Fuzzy Hash: 804555e08b06daca0a4c621c54a3ca9b0173f948796680ad08f170f6f3ef266b
Instruction Fuzzy Hash: 61914D70E00209DFDB11DFA9C98579DBFF2EF88314F148569E415A72A4EB749885CB81

Function 066C1BB8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2bf2e97ebb56d22634ee15df83adb24d0e53dc9b8f3d08549e5125c957f364
Instruction ID: 4a9a8338186f6524a30f6f2602b7426dd0ee7832183821da51eb09be785fad2c
Opcode Fuzzy Hash: 2d2bf2e97ebb56d22634ee15df83adb24d0e53dc9b8f3d08549e5125c957f364
Instruction Fuzzy Hash: CF918035E0071A9FCB44DFA4D9848EDFBBAFF89310F158219E515AB3A4EB30A945CB50

Function 066C359A Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce0cb0295f8aea64585f45ce4f440b3871bd922b117d283e2a43ba85af8a413
Instruction ID: 6918db1c509ee8ed172e1329ecabef59158e4966d3712246679d6aa77bf4fae6
Opcode Fuzzy Hash: 0ce0cb0295f8aea64585f45ce4f440b3871bd922b117d283e2a43ba85af8a413
Instruction Fuzzy Hash: D7918035E0070A9FCB44DFA1D9848EDFBBAFF89310F158219E515AB3A4EB30A945CB50

Function 0672A838 Relevance: 10.4, Strings: 8, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 0672A9B8
$kq, xrefs: 0672AA04
$kq, xrefs: 0672A965
$kq, xrefs: 0672A9E7
$kq, xrefs: 0672A9DB
$kq, xrefs: 0672AA10
$kq, xrefs: 0672A9AC
$kq, xrefs: 0672A959

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 3d66cedaa1304cf95de16dbd5a4502dada567d74312f167a6fd8a63e55d90bee
Instruction ID: 113077723a9efc878deacf94cb68d2fc2e4351b8da752e0582ba1a753722b584
Opcode Fuzzy Hash: 3d66cedaa1304cf95de16dbd5a4502dada567d74312f167a6fd8a63e55d90bee
Instruction Fuzzy Hash: D8E18030E1025A8FCB65DF69D9806AEB7B2FF85304F208529D805EB359DB35DC86CB90

Function 066C6B19 Relevance: 6.1, APIs: 4, Instructions: 139
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 066C6BA6
GetCurrentThread.KERNEL32 ref: 066C6BE3
GetCurrentProcess.KERNEL32 ref: 066C6C20
GetCurrentThreadId.KERNEL32 ref: 066C6C79

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3534e6037dd21677330783067e575c93e314b2fc2922878f2128f9853c860a5a
Instruction ID: 6e6d18813b5307cc2741843a271c2c889dc7a88845731df92655ed00e2db3878
Opcode Fuzzy Hash: 3534e6037dd21677330783067e575c93e314b2fc2922878f2128f9853c860a5a
Instruction Fuzzy Hash: 8A5157B0D016498FDB54DFAAD948BEEBBF2EF48314F208059E409A7361D734A944CF69

Function 066C6B28 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 066C6BA6
GetCurrentThread.KERNEL32 ref: 066C6BE3
GetCurrentProcess.KERNEL32 ref: 066C6C20
GetCurrentThreadId.KERNEL32 ref: 066C6C79

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: db048a4c14dd209310ccba90ed4906e799ac416cc51edb2badfc4fc6359a6aaf
Instruction ID: 860241be0e90b3eb1341b1fecec069648030902929f32a8a166393bd62e96230
Opcode Fuzzy Hash: db048a4c14dd209310ccba90ed4906e799ac416cc51edb2badfc4fc6359a6aaf
Instruction Fuzzy Hash: A75147B0D00609CFDB94DFAAD948BAEBBF1EF48314F208459E419A7360D734A944CF69

Function 06728CC8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06728D0F
$kq, xrefs: 06728D56
$kq, xrefs: 06728D1B
$kq, xrefs: 06728D4A

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 5b3b8417f5f498ed201b665014e0ef81510300579e3b6dc791bff9aa58a1b2f3
Instruction ID: 20b8f4c7eab57839dc4cb70a3800df291d6d75ac24379a714ad1721c54cc6700
Opcode Fuzzy Hash: 5b3b8417f5f498ed201b665014e0ef81510300579e3b6dc791bff9aa58a1b2f3
Instruction Fuzzy Hash: 42914030F1021A8FDB64DF65DA507AEB3F6AB88240F508969D409EB398EA31DD45CB91

Function 0672CEC8 Relevance: 4.5, Strings: 3, Instructions: 798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 0672D2C7
$kq, xrefs: 0672D2D3
$kq, xrefs: 0672D2BF

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq
API String ID: 0-2086306503
Opcode ID: 3ce107ab05b3b0a98661419a02f019ea17ec7e593c07484f093d832401975a46
Instruction ID: 8f2d9577606f34e6a903dc145da950c8f554e7091e055fef16fe2ebc8ccea3ad
Opcode Fuzzy Hash: 3ce107ab05b3b0a98661419a02f019ea17ec7e593c07484f093d832401975a46
Instruction Fuzzy Hash: 29620230B002168FCB65EF68D690A5DB7B2FF85314F208A68D4099F769DB75ED85CB80

Function 06724718 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fpq, xrefs: 06724E25
XPpq, xrefs: 06724845
\Opq, xrefs: 067248CF

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: fpq$XPpq$\Opq
API String ID: 0-2571271785
Opcode ID: 9c2c9c4217412b97f34d74084f98e2f8795902ed5af4121b162ac5cc6db77928
Instruction ID: ca573e43577f0577cfd9d392f43d6ebdee4d051b93f01dedc78063cf4d28fed0
Opcode Fuzzy Hash: 9c2c9c4217412b97f34d74084f98e2f8795902ed5af4121b162ac5cc6db77928
Instruction Fuzzy Hash: 62618170F002199FEB549FA9C9547AEBBF6EF88300F208429E506EB399DE754C45CB90

Function 02B086F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 02B086C0

Strings

LRkq, xrefs: 02B0871C

Memory Dump Source

Source File: 00000001.00000002.4198187365.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b00000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: FileMove
String ID: LRkq
API String ID: 3562171763-1052062081
Opcode ID: 813af7a0aa6d187f2fdd84664e2491076705c4ad4da88cf5fce996544eb30ad2
Instruction ID: d99e3e8b7fa81f9b670aadef9b06aa8cc13ec1839697030f86ffd0c91db9acf2
Opcode Fuzzy Hash: 813af7a0aa6d187f2fdd84664e2491076705c4ad4da88cf5fce996544eb30ad2
Instruction Fuzzy Hash: 0E41C170E102099FDF26CFA8D884B9EBFB2FF45310F1084A9E905EB294DB75A945CB51

Function 066C8944 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 066C89D8

Strings

U, xrefs: 066C894C

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: Clipboard
String ID: U
API String ID: 220874293-3372436214
Opcode ID: daffc930bd6e48a0b4daa4b61d10ec942d4a286417299b73ed43ed18355ccb6a
Instruction ID: 4db5962c1983c34552e6c9eed983c57cc3c11e651e31625a68b29f7e94f0e366
Opcode Fuzzy Hash: daffc930bd6e48a0b4daa4b61d10ec942d4a286417299b73ed43ed18355ccb6a
Instruction Fuzzy Hash: 2931F2B0901648DFDB24CF99C984BDEBFF1EB88314F248059E408BB294DB759845CF95

Function 06728CB7 Relevance: 2.7, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06728D0F
$kq, xrefs: 06728D4A

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: f7c2f021419da3eb651f4fed412d4e194afb0e05e1cb770233225c56c6271cca
Instruction ID: 927cdb2e2bbe1b48346b615052af1b7023cbb63ea6760db048fde6b2f8f60e04
Opcode Fuzzy Hash: f7c2f021419da3eb651f4fed412d4e194afb0e05e1cb770233225c56c6271cca
Instruction Fuzzy Hash: 23515330F0021A8FDB64EF75DA5076EB3F6EB88640F50896AC505D7798EA31EC45CB91

Function 066C328F Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066C33AA

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ff6d442b68b7b0e7b262173d16084c720571ee9c2ec457b3e1f1d279f2dbbba8
Instruction ID: 24b4dc115e3380b85ac921c4c128cd14f52f6a028b697bc3328585069cae8067
Opcode Fuzzy Hash: ff6d442b68b7b0e7b262173d16084c720571ee9c2ec457b3e1f1d279f2dbbba8
Instruction Fuzzy Hash: 2451CFB1D00349DFDB14CF9AD984ADEBBB5FF48310F24812AE818AB210D7759985CF90

Function 066C3298 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066C33AA

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f078259e9c9d4c0a740505ad99d8ed0dae388aef6b4b13285e1f972ed41c3044
Instruction ID: cbc9e7228637ff22c64fbeb4329c946523443f87233377574d3a3930596c703c
Opcode Fuzzy Hash: f078259e9c9d4c0a740505ad99d8ed0dae388aef6b4b13285e1f972ed41c3044
Instruction Fuzzy Hash: EA41BEB1D00349DFDB14CF9AC984ADEBBB5FF48310F24812AE419AB210DB759885CF90

Function 066C6ADC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 066C7CC9

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 238c377029a9c41104b9d6be09ec3b1d3699a40803e484977752997a2309a533
Instruction ID: a704c46569f789c85ca55ce3aca61c84830b392e3fa099e4f09e0d8f304b78f6
Opcode Fuzzy Hash: 238c377029a9c41104b9d6be09ec3b1d3699a40803e484977752997a2309a533
Instruction Fuzzy Hash: E54106B5A00605CFDB54CF99C488AAABBF5FB88324F24C459E519AB321D734A841CFA0

Function 02B077E3 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 02B086C0

Memory Dump Source

Source File: 00000001.00000002.4198187365.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b00000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: c1a572a64cb4fa768db1e9effcb00a5ec1eef2143277d182936d06e038f7162f
Instruction ID: dc6bbc218e196624a20fe5ef7c5a2217fd9b6e6067366c1aa1f21d7e810eecc1
Opcode Fuzzy Hash: c1a572a64cb4fa768db1e9effcb00a5ec1eef2143277d182936d06e038f7162f
Instruction Fuzzy Hash: 2B316BB6C013499FCB11CF99D884ADEBFF4FF88310F15809AD858AB255D7749A04CBA5

Function 066C8950 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 066C89D8

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 32c65cb835e5dd16c7dfb0c37c1759df1a7203a724850fc24a55aab3b205aef0
Instruction ID: bbf009a3cd264e54e3a218ce46fe59b5c49c7e94803b2dff622719eb85b1a286
Opcode Fuzzy Hash: 32c65cb835e5dd16c7dfb0c37c1759df1a7203a724850fc24a55aab3b205aef0
Instruction Fuzzy Hash: B231EFB0D01208DFDB24DF99C984B9EBFF5EB88314F248059E404BB2A4DB74A845CF95

Function 066C6D68 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066C6DF7

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fefa6ce404a8c5b865b39b6b20d31c8a2dc3a1f3f34ed61f688d87ed987af0c0
Instruction ID: 3b1f8659e37cbd9a7f2aacebebbc9d6182a2d7506062abd1090d1771f1e0ef37
Opcode Fuzzy Hash: fefa6ce404a8c5b865b39b6b20d31c8a2dc3a1f3f34ed61f688d87ed987af0c0
Instruction Fuzzy Hash: C821E5B5900248EFDB10CFAAD984ADEBFF4EB48320F14841AE954A7351D374A944CFA5

Function 02B07808 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 02B086C0

Memory Dump Source

Source File: 00000001.00000002.4198187365.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b00000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: a52e5026e3f2bcfc8dc344f23ee019eb72579a13a56b3499b51d080477d7a694
Instruction ID: 2a7511756dfa6c2208a0a4e602e5854fffd523a8aa87b692a27cdaa27d3a292a
Opcode Fuzzy Hash: a52e5026e3f2bcfc8dc344f23ee019eb72579a13a56b3499b51d080477d7a694
Instruction Fuzzy Hash: F62113B6C012089FCB10CF99D884ADEBFF5FB88310F15805AE818AB244D7759A40CBA4

Function 066CA708 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 066CA78B

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 214dec22c55b1f5fbd6000ca8d9a97f19cc0a438b60d2373154debb2170c168d
Instruction ID: c43fb548a97a77ccf4787a1005906a76d6febbf299e85cf8f07fa8539235e0f7
Opcode Fuzzy Hash: 214dec22c55b1f5fbd6000ca8d9a97f19cc0a438b60d2373154debb2170c168d
Instruction Fuzzy Hash: 812107B59002099FCB54DFAAD944BEEFBF9FB48320F10842AE455A7250C774A944CFA5

Function 02B08628 Relevance: 1.6, APIs: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 02B086C0

Memory Dump Source

Source File: 00000001.00000002.4198187365.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b00000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: e3f16335eedb2ed2559579c97eb5ad323b4939a2394cc67bc8f293f0329bac39
Instruction ID: 717e0c065850c58107854aa1dd61e797ed49a4c4a9d0efb8a0f2b7d61ee8804d
Opcode Fuzzy Hash: e3f16335eedb2ed2559579c97eb5ad323b4939a2394cc67bc8f293f0329bac39
Instruction Fuzzy Hash: 492113B6C01208DFCB01CF99E584ADEBFB1BB88310F25845AE818AB244C7359A40CBA4

Function 066C6D70 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066C6DF7

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c8627e71f99277c43c6fa49d41e0bf068e5105c649aeb8d13a3f14f0afdafd0f
Instruction ID: 25f0fad7884d71e75dd178ee0e6dc920c364c12d1147a9152e0ac7db4fed5a87
Opcode Fuzzy Hash: c8627e71f99277c43c6fa49d41e0bf068e5105c649aeb8d13a3f14f0afdafd0f
Instruction Fuzzy Hash: A021B3B59002589FDB10CF9AD984ADEBFF4EB48320F14841AE954A7350D374A954CFA5

Function 066C21D3 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 066C2256

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3ef496236b937505a52267b25d97a20575be32cc25964b29a733e3a43a3ca1f9
Instruction ID: 0eba89ee5506feddd21b26d506038b3fd0279b6b277339ea7d037a63e624b35d
Opcode Fuzzy Hash: 3ef496236b937505a52267b25d97a20575be32cc25964b29a733e3a43a3ca1f9
Instruction Fuzzy Hash: 1B2138B5C057888FCB11CFAAC854ADEBFF4EF49210F14859AD458A7252C3786545CFA1

Function 066CA710 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 066CA78B

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: b5c51a29d9760f23b90378bddab9da0453ee32bfba3f1914f635f18ab1b23102
Instruction ID: 0120c9fc22bb37d1d4a9aa752e86ae9ad4e312738be4ef195c286b1540ed5ccb
Opcode Fuzzy Hash: b5c51a29d9760f23b90378bddab9da0453ee32bfba3f1914f635f18ab1b23102
Instruction Fuzzy Hash: D22102B59002099FCB54CF9AC944BEEBBF5FB88320F10842AD459A7250C774A940CFA4

Function 02B08060 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 02B080D0

Memory Dump Source

Source File: 00000001.00000002.4198187365.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b00000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 4ad2a92baed54045780c30fd5410745ecf268b0fb8340c501c23a08a20cd3b3e
Instruction ID: 057e9ff9591e6a16d01ffcbcf1e9b15a02d9acc8c5e17a4ec6954c529d4981d4
Opcode Fuzzy Hash: 4ad2a92baed54045780c30fd5410745ecf268b0fb8340c501c23a08a20cd3b3e
Instruction Fuzzy Hash: 381136B1C006199BCB10CF9AD544B9EFBB4FB48320F10816AD858B7250D778AA40CFA5

Function 02B08058 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 02B080D0

Memory Dump Source

Source File: 00000001.00000002.4198187365.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b00000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d708fe32e8f3d01c766be5284025834e8fe31eabe14ccd5dddb5d20df84803ef
Instruction ID: 15e5103c5afc8bf1ec50466635b1c5ff94c4472014edb0fbe26146e7eb46f1b2
Opcode Fuzzy Hash: d708fe32e8f3d01c766be5284025834e8fe31eabe14ccd5dddb5d20df84803ef
Instruction Fuzzy Hash: C72136B6C006199BCB10CF99D544BEEFBB4BF08320F14826AD858B7250D338AA40CFA5

Function 02B0F412 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 02B0F47F

Memory Dump Source

Source File: 00000001.00000002.4198187365.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b00000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: fb6e2bd283e9e5c035dceea344bcd816da52553bfc5c0531e95af87c680862a3
Instruction ID: b13e8b48674e467cf138820eb1a73ab8b405f19b59c5b75dd9fc6e65c4b8aa37
Opcode Fuzzy Hash: fb6e2bd283e9e5c035dceea344bcd816da52553bfc5c0531e95af87c680862a3
Instruction Fuzzy Hash: 261133B1D0021A9BCB10CF99C584BDEFBF4BB48320F14816AD818B7290D778A954CFA4

Function 02B0F418 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 02B0F47F

Memory Dump Source

Source File: 00000001.00000002.4198187365.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b00000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 312a2f305f709caa1e54c2a2584026b0c3316e06acb75419015668ed23caea93
Instruction ID: c2a735ccb3828658c849bfbf8096b456e6b404fab962be0a14d92616ff4925f0
Opcode Fuzzy Hash: 312a2f305f709caa1e54c2a2584026b0c3316e06acb75419015668ed23caea93
Instruction Fuzzy Hash: 201112B1D002699BCB10CF9AC544BDEFBF4FB48320F14816AD818B7250D778A940CFA5

Function 066C0804 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 066C2256

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 93ca7d4398a735b088228fc7da531628d70cc4a73a42ef0f425cdc8cbccb4086
Instruction ID: cd1509020cd806346da5f94b39bc75bad68b58473cce4e83aee9e5ef429bbeb3
Opcode Fuzzy Hash: 93ca7d4398a735b088228fc7da531628d70cc4a73a42ef0f425cdc8cbccb4086
Instruction Fuzzy Hash: 851104B5D007498FCB10DF9AD444ADEFBF8EB48324F10842AD929B7610D379A545CFA5

Function 066C8338 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,066C8315), ref: 066C839F

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: ef2727669a11fb031f1280cceaa298555cc15535cfb20126976814bfeabc46d0
Instruction ID: 713b6b9d2c87d0c42b20467e0b65c960f5b57f2e939e532c1056acc74341c889
Opcode Fuzzy Hash: ef2727669a11fb031f1280cceaa298555cc15535cfb20126976814bfeabc46d0
Instruction Fuzzy Hash: 091100B5800648DFCB20DF9AD844BDEFFF8EB48324F20845AD959A7250D774A944CFA5

Function 066C7FB4 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 066C885D

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3b29bd532d1d7314a91e635c8ce147f2939ab41e8e2d675a94cffb89d586afce
Instruction ID: db3674bcb18efd8692f7374f116d87454b573b6e2ebdfe42ed3c962e4090a5e8
Opcode Fuzzy Hash: 3b29bd532d1d7314a91e635c8ce147f2939ab41e8e2d675a94cffb89d586afce
Instruction Fuzzy Hash: 0D1103B59007489FDB60DF9AD444B9EBFF4EB48320F208459D519A7610D378A944CFA5

Function 066C7D7C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,066C8315), ref: 066C839F

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: f9f26165c5ec35ab39630ef8237f1548eeb3387170ca29997ed4a9bc7d393650
Instruction ID: f1570078ea23685dad4d7b8be812ee224ea4281ddff892dd870a5688c6988ee4
Opcode Fuzzy Hash: f9f26165c5ec35ab39630ef8237f1548eeb3387170ca29997ed4a9bc7d393650
Instruction Fuzzy Hash: 4C1122B1800648CFCB60DF9AC444BEEBFF4EB48320F20842DD919A7250C374A940CFA4

Function 066C8801 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 066C885D

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 67a00908331c746784a5806cb779a6f46a3bb20fe1498c8efa5e68c0b401e83a
Instruction ID: cef665858850f92c5f117b0b5e99f1e9f9bfc406fc6a0b910dd3ef198ef4e1b1
Opcode Fuzzy Hash: 67a00908331c746784a5806cb779a6f46a3bb20fe1498c8efa5e68c0b401e83a
Instruction Fuzzy Hash: 201133B0900249CFDB20DFA9D444BDEFFF4EB48324F10845AD458A7610C374A540CFA5

Function 0672DA3D Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

PHkq, xrefs: 0672DB99

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: ce87e13637b1c7ef313f080ca34b2fc75929b4d45fbf842bd3e4ea9ea4b8f463
Instruction ID: d3497c02c58c02554cdd340883e51ca9ab02c3c020f402618d3ae66170e57df6
Opcode Fuzzy Hash: ce87e13637b1c7ef313f080ca34b2fc75929b4d45fbf842bd3e4ea9ea4b8f463
Instruction Fuzzy Hash: 7941B170E0031ADFDB61DF65C9546AEBBB6BF85340F204929E401EB380DB75D986CB81

Function 06724708 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

XPpq, xrefs: 06724845

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: XPpq
API String ID: 0-1266478781
Opcode ID: 0b0f5ec8114f2137e7fb6e9af9a18faebe982cfd9c2606b089c047036c37a28e
Instruction ID: a306369068ab7e9f37133abf33e5a1382dfce1607de91f5428a9e8305ed02888
Opcode Fuzzy Hash: 0b0f5ec8114f2137e7fb6e9af9a18faebe982cfd9c2606b089c047036c37a28e
Instruction Fuzzy Hash: 33417070F002199FEB54DFA5C914BAEBBF7AF88300F208529D506AB399DA748C45CB91

Function 067221C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06722303

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: aa1e98226e0fc4ccc10b36e05cbfd30d129e4919404e53eac638e1c0c2af24cb
Instruction ID: 57b89339209421e3cde9d7c3de63219df5df67f9099a4d3a6c82ce309c946562
Opcode Fuzzy Hash: aa1e98226e0fc4ccc10b36e05cbfd30d129e4919404e53eac638e1c0c2af24cb
Instruction Fuzzy Hash: 4031D030B002168FDB55AF74D65467E7BE6BF89200F208928D406DB396DE36DE45C791

Function 0672FAE0 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

|, xrefs: 0672FB40

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 5934a79fb7abb77647c98fea10132c1a688818174fde499ffb8e3b3668571fb1
Instruction ID: 26ee3fadc44f037552a6cd85e2da524dd504fdba5d8ba2352574d94858685ee9
Opcode Fuzzy Hash: 5934a79fb7abb77647c98fea10132c1a688818174fde499ffb8e3b3668571fb1
Instruction Fuzzy Hash: 1F117F74B402259FDB54EF789904B9E77F6AF4CB10F108469E60AE73A4DB359D008B90

Function 0672FAF0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 0672FB40

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: d23122692d65ad75880ad366f2f3c580aeaa72517671e8a30f3da7042554047a
Instruction ID: e2e9cb0339a3b89729449b7d1e369653b9e177362ca5abc455c27754fb01e623
Opcode Fuzzy Hash: d23122692d65ad75880ad366f2f3c580aeaa72517671e8a30f3da7042554047a
Instruction Fuzzy Hash: 18115E70B40225DFDB44AF789914B6E77F6AF4C710F108469E60AD73A4DB3599008B90

Function 06723E51 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e147f2508fddd51b3384767a99e71a80d9db7b22cae5690048afc09a9f23d5
Instruction ID: f689b077bdb5d77f49c41c6fa432f3e608c1c6f55aab36f5a795da24b3ad27ad
Opcode Fuzzy Hash: d0e147f2508fddd51b3384767a99e71a80d9db7b22cae5690048afc09a9f23d5
Instruction Fuzzy Hash: AA817D30B0021A8FDF54DFA8D5546AEB7F6EF89310F108529E50ADB399EB34DC428B91

Function 06725D58 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1442f482e665ffae598510858157b579dc528540b36c54a69aa3b0d0fbffcc
Instruction ID: fb8c74c647553cb2edb331ba31307670541ad2149082398603d99fb02342c7bb
Opcode Fuzzy Hash: 3d1442f482e665ffae598510858157b579dc528540b36c54a69aa3b0d0fbffcc
Instruction Fuzzy Hash: B561F3B1F001224FDF519B7DC88466EBADBAFD4610B244439E80ADB379DE65DC0287C1

Function 0672416C Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c84304eeb140390e3d27d72741e8bb0ca36c8ccf56c96d156ae79ffd4c5a1e7
Instruction ID: 9808c3820753cc2ebfef583d40ca67aa5f508ad957a09a3022edcec9aaa9dee8
Opcode Fuzzy Hash: 0c84304eeb140390e3d27d72741e8bb0ca36c8ccf56c96d156ae79ffd4c5a1e7
Instruction Fuzzy Hash: 46914E30E1061A8FDF60DF68C890B9DB7B1FF89300F208699D549BB295DB70AA85CF50

Function 06724180 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522c4bf573a9ebf3ee377184c321231f42db1fdc90f36a855fdb41ecace0140f
Instruction ID: cf089d7ac59e8797b39fdff8bf194cd76b6c85f64199ae6a560b485197645a31
Opcode Fuzzy Hash: 522c4bf573a9ebf3ee377184c321231f42db1fdc90f36a855fdb41ecace0140f
Instruction Fuzzy Hash: F4913E30E1061A8BDF60DF68C890B9DB7B1FF89310F208599D549BB395DB70AA85CF90

Function 0672EA90 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fbba2680362b82f3d34f0b4dec4e0c9e185959a8dfd93ab751e30cd792af916
Instruction ID: d3165c9051606f313170ba322ba6e8ef355457800cb5e02fae2509a005c941ee
Opcode Fuzzy Hash: 5fbba2680362b82f3d34f0b4dec4e0c9e185959a8dfd93ab751e30cd792af916
Instruction Fuzzy Hash: 87714870A002199FCB55DFA8D980AAEFBF6FF88304F248529E505AB355DB30ED46CB50

Function 0672EAA0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0c4a643cef6a68522f651b29809c09157531e3d0feea0110f20c08536878c2
Instruction ID: 97451d1f3bb2c4aa6200567bee9095262f9dea70391fb8687da59258c7097f79
Opcode Fuzzy Hash: dd0c4a643cef6a68522f651b29809c09157531e3d0feea0110f20c08536878c2
Instruction Fuzzy Hash: EA711970A002199FCB55DFA9D994AAEBBF6FF84300F248529E405AB355DB30ED46CB50

Function 0672F720 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d620f426b4cdb7e6b577164d028bb480eaa6b0e78d67fbb1af495d7618db76f0
Instruction ID: 53fe979c8b89e12fc06302a9618c6b5bebce35af9adafed4c79d69abc98f569f
Opcode Fuzzy Hash: d620f426b4cdb7e6b577164d028bb480eaa6b0e78d67fbb1af495d7618db76f0
Instruction Fuzzy Hash: DF51D031E4011ADFDF64AF78E5446BDBBB2EF84315F208869D50AE7350DB3A8965CB80

Function 0672F4D0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afac7981fb22ac4485a7b425b1e8922ee2cc74c1210c885941b6b6958bd78be
Instruction ID: 6033c070c414a63b2e11f3e8ad23ff913d0fb4610f5c33f57f68694d73760013
Opcode Fuzzy Hash: 2afac7981fb22ac4485a7b425b1e8922ee2cc74c1210c885941b6b6958bd78be
Instruction Fuzzy Hash: 3251EC30B502158FEF655A6CDA9473F36AFE789300F204929E40ED37E8DA2DCC954791

Function 0672F4E0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f95af8aee583b8b823a15dba123c974eff97f84c2c31365cdc76b0a664c6c6c
Instruction ID: f1f17266dfe3b5bf9c47a2a6532de7fd6c85739298d53f0aa0cbffb2c737409d
Opcode Fuzzy Hash: 0f95af8aee583b8b823a15dba123c974eff97f84c2c31365cdc76b0a664c6c6c
Instruction Fuzzy Hash: 9D51E930B502258FEF656A6CD99473F36AFE789300F204929E50ED37E8DA2DCC9547A1

Function 06724FC0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ccd03cc22445a58cbfc70e5f0f964f2aa249376b7a188f2134bdab1e72b1593
Instruction ID: 44bede21a169559f1eebb9a386fbb7aa0ad8621eda29e18a5d7dc823251201bd
Opcode Fuzzy Hash: 5ccd03cc22445a58cbfc70e5f0f964f2aa249376b7a188f2134bdab1e72b1593
Instruction Fuzzy Hash: 79416B71E1061A8FEB70CFA9DD81ABEFBF1EB44314F10492AD256D7640D330A9458B91

Function 06722078 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3f13cd298794e6e53c210b1db2aad5543c6d9d32b3c55953425cda7a8da862
Instruction ID: d2c9237fa04e26a3bc82d797edd4bd6d2f4458ae6f2ad9edc0faa012a5030d69
Opcode Fuzzy Hash: 3d3f13cd298794e6e53c210b1db2aad5543c6d9d32b3c55953425cda7a8da862
Instruction Fuzzy Hash: 9531CF30E102169BCB58CF64D954AAEBBF6FF89300F108929E916E7355DB71ED82CB50

Function 06722088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c39897e90638f026c10774baa4eea5ca12ca0c5eee85a51377e7668fc7267af5
Instruction ID: 28f7847fabdd43e7ebb19e5befcdc5287b67b9b4afa1e69dace569d8d25b81bb
Opcode Fuzzy Hash: c39897e90638f026c10774baa4eea5ca12ca0c5eee85a51377e7668fc7267af5
Instruction Fuzzy Hash: BF319A30E102169BCB58CF64D994AAEB7F6FF89300F108929E916E7355DB71ED82CB50

Function 06723A59 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e11986c3b5a21d77eea8a83c0d344cda42a26d62a5844ee66ac5975c7dee47
Instruction ID: 3020606d173751206acf595630ce2c202ba461557e93f0cbdda4680c061662ce
Opcode Fuzzy Hash: d1e11986c3b5a21d77eea8a83c0d344cda42a26d62a5844ee66ac5975c7dee47
Instruction Fuzzy Hash: C8219F75F0121A9FDB50DF68DA80AEEB7F5AB48320F10852AE905E7354E734D940CB90

Function 06723A68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ba4e1e492884df64a77195b8f5d06c742bb4002f93f7ac8b19035e3d720f24
Instruction ID: 105a041d1fabe00d731b04e4582fd4c6cfb9f7bafe8642af96396654dd94130c
Opcode Fuzzy Hash: 05ba4e1e492884df64a77195b8f5d06c742bb4002f93f7ac8b19035e3d720f24
Instruction Fuzzy Hash: 73215C75F0061A9FDB50DF69DA80AAEBBF5FB48720F10812AE905E7354E734D940CB90

Function 0290D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4197131380.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_290d000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3062c8afd061fb4dc360d9e0df47a329ac934a383528c967ea064ac2260592c1
Instruction ID: abad83b4a39dac1773be10a8105bf27e6f3195be8aa5b7042eea0d273e4b1170
Opcode Fuzzy Hash: 3062c8afd061fb4dc360d9e0df47a329ac934a383528c967ea064ac2260592c1
Instruction Fuzzy Hash: A521F271604208DFDB14DF54D9C0F26BBB5EB84314F24C969E84E4B296C37AD846CA72

Function 0290D118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4197131380.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_290d000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176428b4cf0a3ea85567892ac6d22f0f41f1e705c2711b22e9cb7e9498b8eed4
Instruction ID: 81a4d00e55d1c49114af18dd1e987be8220e643b7cf4e687b132bcc305055db3
Opcode Fuzzy Hash: 176428b4cf0a3ea85567892ac6d22f0f41f1e705c2711b22e9cb7e9498b8eed4
Instruction Fuzzy Hash: F3210471604208DFDB48DF54C9C0B26BFAAFB88318F20C56DE8094B291CB36D846C671

Function 0290D007 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4197131380.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_290d000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924288f866f68599779ea86aade4a55ff89481ff376ad11ff5206eec6ddf17ae
Instruction ID: 7edca0be15f0a40b1415353419e6ba890811ddab0c9847861fbff18cc869f49c
Opcode Fuzzy Hash: 924288f866f68599779ea86aade4a55ff89481ff376ad11ff5206eec6ddf17ae
Instruction Fuzzy Hash: 7D21487110D3C49FCB038B64D990B11BF75EB46214F29C5DBD8898F2A7C33A980ACB62

Function 06726890 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e6adb98762f7e3d1e127355a2d818cb016e9125ed8a0558b42891e13adb6f7
Instruction ID: 73edaa27e4597d24e7eaf0df89a2cf695d35c35ec1eac39f9d8d40c162e3be12
Opcode Fuzzy Hash: c6e6adb98762f7e3d1e127355a2d818cb016e9125ed8a0558b42891e13adb6f7
Instruction Fuzzy Hash: C021B430F1012A9FCF94EB69E9546ADB7B6EF84314F20852AE505DB354DB30ED518B80

Function 06723DB2 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a9ac36be08fc37ac4b3f01bc6178aea0a26b77a2cb98cfae74cabcf996daec
Instruction ID: 99800fd12c47f5ae2f1af39e0b22f5253b488ee76c471815c28cfab05b2368a0
Opcode Fuzzy Hash: 07a9ac36be08fc37ac4b3f01bc6178aea0a26b77a2cb98cfae74cabcf996daec
Instruction Fuzzy Hash: 0E019230B041220FD7619A7DD95076BF7DBDBC6A24F24886AE509C7396DE29CD0643A1

Function 06723B78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd744b49e2668cad991ef2274a809a3ca096f4de59392b702cb9c666b6fb0822
Instruction ID: cc7528667f073dcaa030c04cdd23c3702a163dc401cbca0e513254e0095310ab
Opcode Fuzzy Hash: cd744b49e2668cad991ef2274a809a3ca096f4de59392b702cb9c666b6fb0822
Instruction Fuzzy Hash: 8D116135B1052A8BDF549A79D914ABE73ABEBC8610F004539D506E7358EE29DC018BD1

Function 06729E78 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1dcc9213cf9e9f99faaa751c6564b47a6ffe94ea1621c3a58377e2d998cdbe
Instruction ID: fda5792c6ab695f9a251701b2cfd303736a0bd2a8e867e5c697a96a34db07fb6
Opcode Fuzzy Hash: 0a1dcc9213cf9e9f99faaa751c6564b47a6ffe94ea1621c3a58377e2d998cdbe
Instruction Fuzzy Hash: AB11B531F001225FD7A1DA3CE95067BB7E6EB85710F548C2EE28ACB395DA25DD028791

Function 0672ED12 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d519bee592777e3ac1699435331a497054b445842d39501ac6616e6a8353f8
Instruction ID: c38e1bbaff4706a9e215e22c2196fa333fe0e1e69be2925f94010917cadce9f7
Opcode Fuzzy Hash: 77d519bee592777e3ac1699435331a497054b445842d39501ac6616e6a8353f8
Instruction Fuzzy Hash: A901F731F002220FCB66DE7C995073EBBD6DBC5720F248C2AE10ACB395EA25CC024391

Function 06723831 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b320561e182c26fce186ca81bee833bdab19869aefd7c9c29916db2e2be3a7e
Instruction ID: 963c335b2a5acaad77c577a881f402b2c42a62201548bc66072da5c0aeabaaeb
Opcode Fuzzy Hash: 0b320561e182c26fce186ca81bee833bdab19869aefd7c9c29916db2e2be3a7e
Instruction Fuzzy Hash: 2D21CFB5D01219EFCB00DF9AD985ADEFBB4FB48320F10852AE518B7250D374A554CFA5

Function 0290D113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4197131380.000000000290D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0290D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_290d000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction ID: 7206d9bfa9062f7b03b9141b89df6aaf9ad90b2ad259f29463f493ad775ab53c
Opcode Fuzzy Hash: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction Fuzzy Hash: 0C11BF75504284CFDB09CF54D9C4B15BFB2FB88318F24C6ADD8494B696C33AD84ACB61

Function 06723838 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c87c0d3fa8a66efc4d10934f67a05f233340af485c436d2e7d525aa2fb0061f
Instruction ID: 2d8c726942b6b5db950b010b1ec4d5c7e47e2ee7b582054de09844af8f0859a9
Opcode Fuzzy Hash: 3c87c0d3fa8a66efc4d10934f67a05f233340af485c436d2e7d525aa2fb0061f
Instruction Fuzzy Hash: C611AFB5D01259AFCB00DF9AD884ADEFBB4FB48324F10812AE918A7250D374A954CFA5

Function 06723DC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7431f65106a893eba77f0b86eb45a956a57424ff313e4e2b8e2192d6d3b3fa76
Instruction ID: e79b487c536e21408674984d44b2413e960e3b81dcc6d85388f3c72665be03d3
Opcode Fuzzy Hash: 7431f65106a893eba77f0b86eb45a956a57424ff313e4e2b8e2192d6d3b3fa76
Instruction Fuzzy Hash: 2E018131B000220BDB64997DD45473BF3DBDBC9B20F20883AEA0AC7388EE69DC064391

Function 06723B67 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba880d3c327684c99c607caeb5a217a09dfa64bce8a05ebee707852302353c38
Instruction ID: 62d4ecbd8b21cb017819ccd656819d618160beedc96fa5431b69608c47305109
Opcode Fuzzy Hash: ba880d3c327684c99c607caeb5a217a09dfa64bce8a05ebee707852302353c38
Instruction Fuzzy Hash: 9601F736B100268BDF54DE68CA14AFE73AFDBC8610F04053AC106E3344EE24C90287D0

Function 0672ED20 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508c1151328f45c1140b8f2555661acf38bdefbccee3cb31edaa3219a6d89e90
Instruction ID: 2efd96119f59c1e33d9a261fd47be515134e7b03ea3f3957720278a9e98747ae
Opcode Fuzzy Hash: 508c1151328f45c1140b8f2555661acf38bdefbccee3cb31edaa3219a6d89e90
Instruction Fuzzy Hash: EC01AF31B004221BCB659A7DA89473FA7DBDBC9B60F248839E60AC7359EE25DC024391

Function 06729E88 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91efb2c30f52419a1fd2eb5dc0616b2b01099ab53a52a60706fb30147f1415e5
Instruction ID: c383ad4cc68c53102bd032df829aa6c8378d737ff509f408d695ffb367c16b21
Opcode Fuzzy Hash: 91efb2c30f52419a1fd2eb5dc0616b2b01099ab53a52a60706fb30147f1415e5
Instruction Fuzzy Hash: 2A018131B000255FDBA0AA7DE95073AB3DAEB85714F548839E60EC7788EE25DC0187D1

Function 0672C758 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce62fb5cae47c140bc1a8479820e898a8d50ef20659361b0246bdad5391d5fad
Instruction ID: ab7c978c5c61d02487344ad5e49adf55ae80c998af65769853f5fce74099f6cc
Opcode Fuzzy Hash: ce62fb5cae47c140bc1a8479820e898a8d50ef20659361b0246bdad5391d5fad
Instruction Fuzzy Hash: 20F0A032F20238ABDB656965E800AAFB73AE794754F104529E901E7384DB32A8108BC0

Function 06725FE1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4f8b994e2fcd7014e6188f62956ff0b8ed52110ac32045c01ffa2ec465b098
Instruction ID: 7a9ec972b1689ccaa5c3b254db33d456aecee4ba53a64914cb13f1f5834dbb3f
Opcode Fuzzy Hash: bd4f8b994e2fcd7014e6188f62956ff0b8ed52110ac32045c01ffa2ec465b098
Instruction Fuzzy Hash: 3CE0D871D151559BDB60CF70CB857AE77A9EB42304F2049EAD049CB181E637CA029B00

Non-executed Functions

Function 06727218 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$kq, xrefs: 067277BE
$kq, xrefs: 067277A8
$kq, xrefs: 06727709
$kq, xrefs: 067277B4
$kq, xrefs: 067277CA
$kq, xrefs: 06727358
$kq, xrefs: 06727715
$kq, xrefs: 06727389
$kq, xrefs: 0672737D
$kq, xrefs: 0672734C

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1324371161
Opcode ID: 7c509e632c93ca1dcf903c46ce2ca8a978e0346044b7b02802d01a50bd583453
Instruction ID: 68c1b20588d15ba77cf34524adbb0dae7382795831dd94c3407d24a5d219eed0
Opcode Fuzzy Hash: 7c509e632c93ca1dcf903c46ce2ca8a978e0346044b7b02802d01a50bd583453
Instruction Fuzzy Hash: 45122130E0122ACFDB68DF65DA9466EB7F2BF84304F208569D509AB365DB349D85CF80

Function 0672E328 Relevance: 4.3, Strings: 3, Instructions: 574COMMON

Download Yara Rule

Strings

PHkq, xrefs: 0672E588
0oNp, xrefs: 0672E3C0
DqNp, xrefs: 0672E3CC

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: 0oNp$DqNp$PHkq
API String ID: 0-4000632471
Opcode ID: bd7cedeebfaa55b602604a6b739520eaf69f9f6de3ab4c9d6d5129459286bc32
Instruction ID: 989bbb62cb449cbbc2e9ac51a44dc1cfa3c0260dc214c56cfcb0a3edcab67f2d
Opcode Fuzzy Hash: bd7cedeebfaa55b602604a6b739520eaf69f9f6de3ab4c9d6d5129459286bc32
Instruction Fuzzy Hash: 3422C230B101168FDB54DB68D984A6DB7F2FF88310F148969D506DB3A6DB35EC85CB90

Function 0672584F Relevance: 2.9, Strings: 2, Instructions: 422COMMON

Download Yara Rule

Strings

\Opq, xrefs: 0672597B
XPpq, xrefs: 06725B16

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: XPpq$\Opq
API String ID: 0-2429731126
Opcode ID: 547d222a03148fb4eb780284b98b10ddf40b25cbf8bd4ee47530b9574a6c8ac7
Instruction ID: 1ba4c4c53c28621d236bc7e93ff4e241647cdc3e49adc71b6f976662bfbaa8d5
Opcode Fuzzy Hash: 547d222a03148fb4eb780284b98b10ddf40b25cbf8bd4ee47530b9574a6c8ac7
Instruction Fuzzy Hash: 04E10431B101258FEB54DB68C894AAEBBF2FF89310F25846AE546DB392DA31DC45C790

Function 06720007 Relevance: 2.0, Instructions: 1973COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0a99d405a9a0099b46c4d57b13708f3295776cf6780d9bd694ac41a1e83f3c
Instruction ID: fd00b3e105b3655d1d262ca02a6ee3e34f4a25637981cacc87181df4b3994038
Opcode Fuzzy Hash: 0c0a99d405a9a0099b46c4d57b13708f3295776cf6780d9bd694ac41a1e83f3c
Instruction Fuzzy Hash: 1F23FC31D10B1A8ECB15EF68C8946ADF7B1FF99300F54D79AD458A7221EB70AAC4CB41

Function 06720040 Relevance: 2.0, Instructions: 1960COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca245f30a41d8ce7e79163bfd6666b71d24b559f7d3e5847bde64d80b6326e8b
Instruction ID: 3c25ac7019334e985bb7fe3102d4d0100c9f838b25f8126360d4ecb2d601d17f
Opcode Fuzzy Hash: ca245f30a41d8ce7e79163bfd6666b71d24b559f7d3e5847bde64d80b6326e8b
Instruction Fuzzy Hash: 5113FC31D10B1A8ACB15EF68C8945ADF7B1FF99300F54D79AE458B7221EB70AAC4CB41

Function 066C28A8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbea6e1300146a7ea692860d49b4d2f8ddc74071671a5bfc2b8d010a33f9a76c
Instruction ID: 1599a779896026e07e3584a90f45b6cc08671cec9ab48ad963e9a5bed7aafcb3
Opcode Fuzzy Hash: bbea6e1300146a7ea692860d49b4d2f8ddc74071671a5bfc2b8d010a33f9a76c
Instruction Fuzzy Hash: 121251B0422B468ED720CF65ED5E18D3FB1BB45328BD04209E2A56A2E5DFBC154BCF44

Function 02B041C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4198187365.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b00000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293b881af76433aab595ef9655bdeaa9669b825689fa594a81be579bcd69a46d
Instruction ID: b24122ecb291526b505ef5e62aae62bf712c330b223b9784fb3af0ea6060ab77
Opcode Fuzzy Hash: 293b881af76433aab595ef9655bdeaa9669b825689fa594a81be579bcd69a46d
Instruction Fuzzy Hash: 6EB15AB0E00209CFDB11DFA9D98579EBFF2EF88314F148169D915A72A4EB749845CF81

Function 066C289B Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4208486254.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66c0000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479aa3dd55307603518a5403383a455494e0655446675827249de02186a0d0ff
Instruction ID: 38eae8b1a78d9cdc46b02efa74c4259fcab5abd52adb69882bc7e6fad2307777
Opcode Fuzzy Hash: 479aa3dd55307603518a5403383a455494e0655446675827249de02186a0d0ff
Instruction Fuzzy Hash: 85C1A2B0822B468ED720CF65ED5A18D7FB1BB85324B944319E1616B2E4DFBC158BCF44

Function 0672A4A8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$kq, xrefs: 0672A5AA
$kq, xrefs: 0672A605
$kq, xrefs: 0672A630
$kq, xrefs: 0672A59E
$kq, xrefs: 0672A666
$kq, xrefs: 0672A5F9
$kq, xrefs: 0672A624
$kq, xrefs: 0672A65A

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 834ab48bfbbc4ba9366b8583c2a55426707181dfcbd2a85c4fad07cbb394024e
Instruction ID: 0a199fd714a46580f2e7512f8e2ed19c8e31eea48e646f193476bac8c58688de
Opcode Fuzzy Hash: 834ab48bfbbc4ba9366b8583c2a55426707181dfcbd2a85c4fad07cbb394024e
Instruction Fuzzy Hash: 9C916E30A1121ADFDB64EF69DA94B7EBBF2AF44304F208529D40197399DB399D81CB90

Function 06726C18 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$kq, xrefs: 0672712C
$kq, xrefs: 067270B4
$kq, xrefs: 06726F60
$kq, xrefs: 06727120
$kq, xrefs: 06726EFA
$kq, xrefs: 06726F54

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 0fc89cf6dfc0938a527d096d84915e4530f1e8d9059eb2c685a07dfc9eb3a4a6
Instruction ID: c551a4beaa9b94a59c7deeeef463fae1c8da2603a2782e29e8d2fbc3014825bf
Opcode Fuzzy Hash: 0fc89cf6dfc0938a527d096d84915e4530f1e8d9059eb2c685a07dfc9eb3a4a6
Instruction Fuzzy Hash: 64F13134A00215CFDB59EF64DA94A6EBBB3FF84304F248569D4059B399DB35EC86CB80

Function 0672B978 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$kq, xrefs: 0672BB53
$kq, xrefs: 0672BAEB
$kq, xrefs: 0672BB1F
$kq, xrefs: 0672BB5F
$kq, xrefs: 0672BB2B
$kq, xrefs: 0672BAF7

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 7bf4843e0e3b111839d7542e39f1e342532329677423c8fa1975983b6f996693
Instruction ID: b7ee885d746d849029fd4c0734eb6e67afb1836943a20a09ba23ade0a7929581
Opcode Fuzzy Hash: 7bf4843e0e3b111839d7542e39f1e342532329677423c8fa1975983b6f996693
Instruction Fuzzy Hash: 0171B230A1022ACFDB68DF68D59066EB7B6FF84708F108929D406DB359DB35ED45CB80

Function 06727F50 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$kq, xrefs: 067281B6
$kq, xrefs: 0672821B
$kq, xrefs: 067281AA
$kq, xrefs: 0672820F

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 13888df3ccc116294bfc91bf866ce5bda559fe82a6aef4be96d9d34d4179501f
Instruction ID: 852b55a7f4d3b130c98129e6f0a264f350e2ce2c63415c7e5436cb826513bd74
Opcode Fuzzy Hash: 13888df3ccc116294bfc91bf866ce5bda559fe82a6aef4be96d9d34d4179501f
Instruction Fuzzy Hash: 0EB14F30E012198FDB64EF69D99066EBBB2FF84300F248969D405DB395DB75DC86CB81

Function 0672E312 Relevance: 5.2, Strings: 4, Instructions: 200COMMON

Download Yara Rule

Strings

], xrefs: 0672E302
PHkq, xrefs: 0672E588
0oNp, xrefs: 0672E3C0
DqNp, xrefs: 0672E3CC

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: 0oNp$DqNp$PHkq$]
API String ID: 0-3879191310
Opcode ID: 1d793bbcedd410716e6c744bb3de66e5d24960c40b2654e84103d9a7a7961543
Instruction ID: 7ca8a23b00894c0a54533457dd34c72b1e5d5e690367d1044d26aa7a69a65971
Opcode Fuzzy Hash: 1d793bbcedd410716e6c744bb3de66e5d24960c40b2654e84103d9a7a7961543
Instruction Fuzzy Hash: 388167307101118FCB54DF29D988A6DBBE2FF89315B2185A9E906DB3B6DB31EC45CB50

Function 06728368 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$kq, xrefs: 067283E7
LRkq, xrefs: 0672845B
LRkq, xrefs: 067284AA
$kq, xrefs: 067283F3

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: LRkq$LRkq$$kq$$kq
API String ID: 0-2392252538
Opcode ID: 77c08427f292506262a2e93556ddfa51cd0aa787aa4a64f6b539b2e21ff49eb6
Instruction ID: 26f0cdfa9ff93661a22c1c77051ccc167d72da5ffb712d78aa466a8f3d5c3a70
Opcode Fuzzy Hash: 77c08427f292506262a2e93556ddfa51cd0aa787aa4a64f6b539b2e21ff49eb6
Instruction Fuzzy Hash: 1C518330B002168FDB55EF68DA40A6EB7E6FF84304F14C969E4069B3A9DA31ED44CB91

Function 0672A828 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

$kq, xrefs: 0672AA04
$kq, xrefs: 0672A9DB
$kq, xrefs: 0672A9AC
$kq, xrefs: 0672A959

Memory Dump Source

Source File: 00000001.00000002.4208882831.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6720000_Ship Docs YINGHAI-MANE PO 240786.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 30e68273ee72a881f0f5059a67d50e5c3934a86da8de5197024cd3f3775c215b
Instruction ID: 3a55d211a1bd59ba637adf599bb64e2eb38301f12c1df13dee324eefc6939e1e
Opcode Fuzzy Hash: 30e68273ee72a881f0f5059a67d50e5c3934a86da8de5197024cd3f3775c215b
Instruction Fuzzy Hash: 98517E30E102168FCF65EB68D6806AEB7B2EF88300F25896AD445E7355DB35DC42CF91

Analysis Process: adobe.exePID: 3844, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	55%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	92
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01160000 Relevance: 13.9, APIs: 9, Instructions: 353
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01160054: CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 01160167

NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 01160192
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 011601C9
WriteProcessMemory.KERNELBASE ref: 01160217
WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 011602FD
Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 01160355
WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 011603A1
Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 011603EC
ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 0116040C

Memory Dump Source

Source File: 00000002.00000002.1889208211.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1160000_adobe.jbxd

Similarity

API ID: Process$MemoryThreadWrite$ContextWow64$AllocCreateResumeSectionUnmapViewVirtual
String ID:
API String ID: 2814188497-0
Opcode ID: d2e3399e7e2e803baa44f49aead7ea5148095292141855194726177a5406df7e
Instruction ID: 38f94cd813db0990e401e1186450574e6ab39dcbd160e9cf4400e9e3a48c6a3e
Opcode Fuzzy Hash: d2e3399e7e2e803baa44f49aead7ea5148095292141855194726177a5406df7e
Instruction Fuzzy Hash: 83B1FD74790245BFE62977F1DC16F293729DF6AB0DF1480A9F2005F1D2CBA359318662

Function 01160054 Relevance: 13.8, APIs: 9, Instructions: 322
threadinjectionprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01160420: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,01160083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 0116043F

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 01160167
NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 01160192
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 011601C9
WriteProcessMemory.KERNELBASE ref: 01160217
WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 011602FD
Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 01160355
WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 011603A1
Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 011603EC
ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 0116040C

Memory Dump Source

Source File: 00000002.00000002.1889208211.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1160000_adobe.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtualWow64$CreateResumeSectionUnmapView
String ID:
API String ID: 4009322845-0
Opcode ID: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
Instruction ID: ff3851283a4aeb50dbc897e90b3c9f03a7a6fb6cd372fed955d63ff762fba4fe
Opcode Fuzzy Hash: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
Instruction Fuzzy Hash: 7FA1CA74790206BFE62977F1DC46F393619DFA9B0DF2081A8F2006F1D1CBA369319662

Function 01050AC9 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcA.USER32(?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 01050B3B

Memory Dump Source

Source File: 00000002.00000002.1889069060.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_adobe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 43d4c2a87c81ead8e61386fbe3240dac938f399df91be5984ac657ac8eaf501e
Instruction ID: 379ceb35b6f078f4629eaf9ef2095dbff9c762763920b806a04471705c5be997
Opcode Fuzzy Hash: 43d4c2a87c81ead8e61386fbe3240dac938f399df91be5984ac657ac8eaf501e
Instruction Fuzzy Hash: E81132B5800248DFCB10CF9AD884BDEBFF8EB49324F20845AE958A7250D375A944CFA0

Function 010504C0 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcA.USER32(?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 01050B3B

Memory Dump Source

Source File: 00000002.00000002.1889069060.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_adobe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 4fee218bcfb4459fd09b34481589b3ae0ddda8c83116be97e795487b15b7ffa8
Instruction ID: 5ad5e3c5e0e00b0e8505b0424af9f3efc947b8f56dca6b140bef9189b4be65f1
Opcode Fuzzy Hash: 4fee218bcfb4459fd09b34481589b3ae0ddda8c83116be97e795487b15b7ffa8
Instruction Fuzzy Hash: 511143B5804248DFCB10CF8AC884BDFBFF4EB48320F208429EA59A7210D375A940CFA4

Function 01050971 Relevance: 1.4, APIs: 1, Instructions: 119
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,?,?,?,?,0105090A,00000040,00001000), ref: 01050A90

Memory Dump Source

Source File: 00000002.00000002.1889069060.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: dc4726bbfac302aaee307073c5f4c4fa5cb4a32f608866a7eece8b71de78ddaf
Instruction ID: c757e769b21c46d8437f67d6b4f1ef3653985b34af4c886684b18ee0ef72b480
Opcode Fuzzy Hash: dc4726bbfac302aaee307073c5f4c4fa5cb4a32f608866a7eece8b71de78ddaf
Instruction Fuzzy Hash: 074169756002448FC750DF69C948A9EBFF5FF89310F2584AAE549DB366CB34AC05CBA0

Function 010504B4 Relevance: 1.3, APIs: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,?,?,?,?,0105090A,00000040,00001000), ref: 01050A90

Memory Dump Source

Source File: 00000002.00000002.1889069060.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1050000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fb275a1bd1b5ca4ab6a8b9505d72dcc51c30c886c84d0382e0000c5f384e9a31
Instruction ID: 1e59f5749d9d07278d756eec08609cda479cb03b07e583e0d7e3a789b952a9c8
Opcode Fuzzy Hash: fb275a1bd1b5ca4ab6a8b9505d72dcc51c30c886c84d0382e0000c5f384e9a31
Instruction Fuzzy Hash: CF1102B5900649DFCB60DF9AC444BDEBBF4EB48320F208429E998A7251D375A944CFA4

Function 01160420 Relevance: 1.3, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,01160083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 0116043F

Memory Dump Source

Source File: 00000002.00000002.1889208211.0000000001160000.00000040.00001000.00020000.00000000.sdmp, Offset: 01160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1160000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
Instruction ID: 5204583de08a020ad300c5f23111049483c5f029da7765cc3e85193ed1667988
Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
Instruction Fuzzy Hash: 14D022702843027AF2267BB14C02F283684EF58B0EF400894F304380E0C7BB98380256

Analysis Process: adobe.exePID: 6332, Parent PID: 3844COMMON

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	66
Total number of Limit Nodes:	9

Executed Functions

Function 06D22750 Relevance: 9.0, Strings: 6, Instructions: 1483COMMON

Download Yara Rule

Strings

$kq, xrefs: 06D23B17
$kq, xrefs: 06D23B70
$kq, xrefs: 06D23B64
$kq, xrefs: 06D23B40
$kq, xrefs: 06D23B23
$kq, xrefs: 06D23B4C

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 3c0e6190202dc1ecf41c40c3fba7b8503e6b447e594934ce56377b8dff236922
Instruction ID: a3cef259703eb94986cce5b025c91b6148f29bae9fcc6a141a43af4fba6eb05a
Opcode Fuzzy Hash: 3c0e6190202dc1ecf41c40c3fba7b8503e6b447e594934ce56377b8dff236922
Instruction Fuzzy Hash: 28D26C30E002168FCB64DF68C584A9DB7F2FF99314F5585A9E409AB365EB34ED85CB80

Function 06D2B1A8 Relevance: 8.3, Strings: 6, Instructions: 768COMMON

Download Yara Rule

Strings

$kq, xrefs: 06D2BB5F
$kq, xrefs: 06D2BAEB
$kq, xrefs: 06D2BAF7
$kq, xrefs: 06D2BB1F
$kq, xrefs: 06D2BB2B
$kq, xrefs: 06D2BB53

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 071c3275bfbf1074e14e402f260099f1858904a97c48453d359a0a4c90ccbe3a
Instruction ID: dbcf1a1af796116d03141eab932ea543dcac53345bd91f15d47c04c280eaa645
Opcode Fuzzy Hash: 071c3275bfbf1074e14e402f260099f1858904a97c48453d359a0a4c90ccbe3a
Instruction Fuzzy Hash: 6452A030E1021A8FDF64DB68D5807AEB7B2FB95318F208826D405EB395DAB5DC81CB91

Function 06D27CF8 Relevance: 3.0, Strings: 2, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06D28041
$kq, xrefs: 06D28035

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 8544c32292028a31f1188f408b94aa12364941ae2acb1837e029adba1fca72a9
Instruction ID: 61027b6e962f052e73649403e07f52303e077d22989edcb5dfe6e39ab50cfaa4
Opcode Fuzzy Hash: 8544c32292028a31f1188f408b94aa12364941ae2acb1837e029adba1fca72a9
Instruction Fuzzy Hash: 3402AE30B002169FCB64DB69D5946AEB7F2FF94314F148469D406DB398EB35EC86CB90

Function 06D26560 Relevance: .8, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2977e8b1b9a51d23de0109d4c4194279581db989ad4f2f77ae51bb0ebb79159
Instruction ID: 1bead983f484d85765956ce32f3527327509c99b778ee821f2081c10c2b79c88
Opcode Fuzzy Hash: c2977e8b1b9a51d23de0109d4c4194279581db989ad4f2f77ae51bb0ebb79159
Instruction Fuzzy Hash: 77628D30B002668FDB54DB68D594AADB7F2FF98318F248469E406DB394DB35EC46CB90

Function 06D2C0F8 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1a4b9c1359d80e37eb141fe7baebf296d8847f98ef58dfe5eded0806c13bf3
Instruction ID: 0584126d42cb2e261f2efbde042124edfae2a25e0f98f9f9832f02ca1d545d1d
Opcode Fuzzy Hash: fb1a4b9c1359d80e37eb141fe7baebf296d8847f98ef58dfe5eded0806c13bf3
Instruction Fuzzy Hash: 78328230B2021A8FDF94DB68D994BAEB7B2FB98314F508529D405E7355DB35EC82CB90

Function 06D25550 Relevance: .6, Instructions: 580COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2537694e30994812526ed8411933db7da377bf4564e70022c2536d13b3015b63
Instruction ID: 087d1a0f584f26f4aca4cf5d69345d67172366492b50907a3cca7882e4b7599a
Opcode Fuzzy Hash: 2537694e30994812526ed8411933db7da377bf4564e70022c2536d13b3015b63
Instruction Fuzzy Hash: FF12E371F102269FDF60DB68E980B6EB7B2EF94314F248469D816DB395DA34EC41CB90

Function 06D2AC40 Relevance: 10.4, Strings: 8, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06D2ADEF
$kq, xrefs: 06D2AD61
$kq, xrefs: 06D2ADC0
$kq, xrefs: 06D2ADB4
$kq, xrefs: 06D2ADE3
$kq, xrefs: 06D2AE0C
$kq, xrefs: 06D2AE18
$kq, xrefs: 06D2AD6D

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 76d48437d35923909dae58e58ca92df8115d1465218a2397ec485a16a4e75f25
Instruction ID: 79d0eb1011659b7a5a6609e31ab7af131956b551df481964ababb0989a718f12
Opcode Fuzzy Hash: 76d48437d35923909dae58e58ca92df8115d1465218a2397ec485a16a4e75f25
Instruction Fuzzy Hash: 70E18E30F1021A8FDB69DBA9D5806AEB7B2FF94304F24852AD405DB354DB75DC86CB90

Function 06D290C8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06D2914A
$kq, xrefs: 06D2911B
$kq, xrefs: 06D29156
$kq, xrefs: 06D2910F

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 269283b4f3f026927c65f5c4f1db6b237ac0feb5d12c7aa604c25cbf45513066
Instruction ID: 761c3682142372bcaf250aa867659ca5b7402f6a83db5c84132ccb54384ceb6b
Opcode Fuzzy Hash: 269283b4f3f026927c65f5c4f1db6b237ac0feb5d12c7aa604c25cbf45513066
Instruction Fuzzy Hash: 77914030F1021A8FDB64DF6AD96076EB3F6FB84254F508469D409AB398EB74DC45CB90

Function 06D2CEC8 Relevance: 4.5, Strings: 3, Instructions: 798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06D2D2BF
$kq, xrefs: 06D2D2C7
$kq, xrefs: 06D2D2D3

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq
API String ID: 0-2086306503
Opcode ID: b3adbb2a91b8a86c0e6b84b73e6fc52b1f46c4263012976752a3648e4226cd99
Instruction ID: 7a9e23657bcdeacbc2bb06cb68baaad3b55a2b90075b3b0c962821e1c9402ff2
Opcode Fuzzy Hash: b3adbb2a91b8a86c0e6b84b73e6fc52b1f46c4263012976752a3648e4226cd99
Instruction Fuzzy Hash: 92622E30B002168FCB55DF68E694A5EB7F2FF84354B208A68D4059F369DB75ED86CB80

Function 06D24B18 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Opq, xrefs: 06D24CCF
fpq, xrefs: 06D25225
XPpq, xrefs: 06D24C45

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: fpq$XPpq$\Opq
API String ID: 0-2571271785
Opcode ID: a6b7c506773a7cc79e71492556baf1627e32d3199e46b70b86dcd3ebeebff488
Instruction ID: 2efe148194c68ac2a62a8e492541cb02c0acc28a06ba3812e93297d59d72a578
Opcode Fuzzy Hash: a6b7c506773a7cc79e71492556baf1627e32d3199e46b70b86dcd3ebeebff488
Instruction Fuzzy Hash: EC616470F0021A9FEB54DBA9D4547AEBAF6FF98300F208429D506AB395DF758C458F90

Function 06D290B9 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06D2914A
$kq, xrefs: 06D2910F

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: a4738347624e1e071bfeb6fc06cdc232305c5edeebe2a97189deb6d21686ba93
Instruction ID: 8e0d4258a3e9fa13976fa9c91efab4496e03097849a574c10c1c2a5ca94368bc
Opcode Fuzzy Hash: a4738347624e1e071bfeb6fc06cdc232305c5edeebe2a97189deb6d21686ba93
Instruction Fuzzy Hash: EC515F30B102168FDB54DF7AD9A476EB3F6EB88650F508469D40ADB398EA74EC41CB90

Function 0194EDDB Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0194EE7F

Memory Dump Source

Source File: 00000003.00000002.1972251462.0000000001940000.00000040.00000800.00020000.00000000.sdmp, Offset: 01940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 741c717472811674faa6cc8c96bf3ea72edaed7bfd925307ad2bc786a986435d
Instruction ID: b00ac5ce20c6ec01d54a057ca51cb1de9ab2858aa50f85c079df938c95d00dfd
Opcode Fuzzy Hash: 741c717472811674faa6cc8c96bf3ea72edaed7bfd925307ad2bc786a986435d
Instruction Fuzzy Hash: 1231ABB2D002598FDB10DFA9D8447DEBBB4BF48220F14812AD958A7341E3389985CBE1

Function 0194EE18 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0194EE7F

Memory Dump Source

Source File: 00000003.00000002.1972251462.0000000001940000.00000040.00000800.00020000.00000000.sdmp, Offset: 01940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1940000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e3175ce5f97424d8048495edfcf8b0f71af48ef0593db0088126a03b16af126e
Instruction ID: b91575375019f67e204c88761b38451e11eeaffdc3e3545148cff7a28ce8b3af
Opcode Fuzzy Hash: e3175ce5f97424d8048495edfcf8b0f71af48ef0593db0088126a03b16af126e
Instruction Fuzzy Hash: 1311EFB1C006699BCB10DF9AC544BDEFBF4BB48324F15816AD918A7250D378A944CFA5

Function 06D24B09 Relevance: 1.4, Strings: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPpq, xrefs: 06D24C45

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: XPpq
API String ID: 0-1266478781
Opcode ID: 025ccdb98cb787b5f6c5f17d8edc146b30ef5c60f857ea42061b59e0f5877978
Instruction ID: cdb3d48c6069e18ee68c0f66910693ba58fa18f5aa1824495b123fa9a4be2526
Opcode Fuzzy Hash: 025ccdb98cb787b5f6c5f17d8edc146b30ef5c60f857ea42061b59e0f5877978
Instruction Fuzzy Hash: DD416170F102199FDB55DFA9C814BAEBAF6FF88700F20852AD505AB3A5DE749C05CB90

Function 06D2DA50 Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHkq, xrefs: 06D2DB99

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: a592e833b4b93d2db9e635e0208e890a88a71bd407ce5abd87542854b8b8294f
Instruction ID: 40cac0d19edc3683b4ad71d319d46095b868c0896af33646916f15a2cbc0764a
Opcode Fuzzy Hash: a592e833b4b93d2db9e635e0208e890a88a71bd407ce5abd87542854b8b8294f
Instruction Fuzzy Hash: 9041AF30E0021ADFDB64DFA5C594A9EBBB6FF95344F208429E405EB344DB70D946CB80

Function 06D2DA47 Relevance: 1.4, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHkq, xrefs: 06D2DB99

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 4f1a9cef404b5377ad8977ed13eba6063e05c1b7e64bf1203ee20f5cbb5f224b
Instruction ID: e32114a67ef5a58569d22d1173d33f5cf1b01c5fac6c2d42e16ec56a1613cc0f
Opcode Fuzzy Hash: 4f1a9cef404b5377ad8977ed13eba6063e05c1b7e64bf1203ee20f5cbb5f224b
Instruction Fuzzy Hash: 3041BF30E10216DFDF65DFA4C594A9EBBB6FF95344F208529E402EB244EB70E946CB80

Function 06D221B5 Relevance: 1.4, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHkq, xrefs: 06D22303

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: de10bacd8d1a5df6f5d716506bc536183156769cadaaa396ba61ceba8a574be1
Instruction ID: 5db361906ab5f04252ef325ab6ad01da69205173254d0b2c68f104f3840436c5
Opcode Fuzzy Hash: de10bacd8d1a5df6f5d716506bc536183156769cadaaa396ba61ceba8a574be1
Instruction Fuzzy Hash: E3310331B002128FDB699B74D61426E7BE2BF89314F148528E402DB394EF35CE45CB91

Function 06D221C8 Relevance: 1.4, Strings: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHkq, xrefs: 06D22303

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 398558a836b4afc4baa65911c607d319fe0c251b37565fa8905c6425e5699a22
Instruction ID: 30c572819555fc1b0c158f55c78c88299d6a8c53816164c7163bf672b4fb81a5
Opcode Fuzzy Hash: 398558a836b4afc4baa65911c607d319fe0c251b37565fa8905c6425e5699a22
Instruction Fuzzy Hash: 9331CF30B002128FDB699B74D55466E7BE6BF89314F208428E406DB394EF36DE45CB91

Function 06D2FEEF Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

|, xrefs: 06D2FF48

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 002b41a36909ce998b5532a17d1724033c4cb2ad28a619507ebb4ccd18d14c05
Instruction ID: a3ce706e5b97c0b8406f752d9d294800fdd388866439fc5c9e4df25b035cf52c
Opcode Fuzzy Hash: 002b41a36909ce998b5532a17d1724033c4cb2ad28a619507ebb4ccd18d14c05
Instruction Fuzzy Hash: 52114675F102218FDB54AF789905BAE7BF1AB88610F10846AE90AE73A4DB359900CB90

Function 06D2FEF8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 06D2FF48

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 7b8e6a9ccca9c9bc1ec2bca70a7a121ecd414c9a754bc19e32afa24fe08754b3
Instruction ID: 95a45a16078109eab5d92db798cd69622e68827253f827c66d2813558d4d686b
Opcode Fuzzy Hash: 7b8e6a9ccca9c9bc1ec2bca70a7a121ecd414c9a754bc19e32afa24fe08754b3
Instruction Fuzzy Hash: 3B115B71F502259FDB449F788804BAEBBF5AF88710F10846AE54AE73A0DB359D00CB90

Function 06D2B198 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f8a573342f1fb3b0b208ae671d4d3a6a160bbf7bac732149f70587fb06c017
Instruction ID: ae0ccb77ab05437cf23d606f31a5906c84366f3157ac9843974b6f7b4ec69bb5
Opcode Fuzzy Hash: 16f8a573342f1fb3b0b208ae671d4d3a6a160bbf7bac732149f70587fb06c017
Instruction Fuzzy Hash: A5A1F770F0021A8FDF64DB98D5807AEB7B6FF99318F604826E405EB395CA79DC818751

Function 06D26158 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0251c313796bfde51ed23f75d065efa3b01486f1d2c55a7d3cdd93351984733f
Instruction ID: e23eed5a9a95d5639088072af9fa0ed95d89f6ce2ab288e6ac0b596b0183056e
Opcode Fuzzy Hash: 0251c313796bfde51ed23f75d065efa3b01486f1d2c55a7d3cdd93351984733f
Instruction Fuzzy Hash: 7561F5B1F002224FCF559B7DC88066EBADBAFD4624B144439E80ADB379DE65EC4287C1

Function 06D24251 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc5156b6c4cdeeabf49e905a5ebf678259419d9f84b33d4b3c2c4525dafd2e7
Instruction ID: a7665132155d82f3fdc6ef6f86d520e3bd86974ef4220b4912eaf2a276bfc534
Opcode Fuzzy Hash: 0cc5156b6c4cdeeabf49e905a5ebf678259419d9f84b33d4b3c2c4525dafd2e7
Instruction Fuzzy Hash: B0813930B1021A8FCF54DFA9D5546AEB7F6EF95304F508429D80ADB398EB74DC468B90

Function 06D24260 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22de67322bb7b81eefd2f4cdcbd7b44a0fb22518181f0240c23ea2ed16fde5a6
Instruction ID: 6d973250711d6bfdbfb494d7cbc9837fd5948351c11fade8c4c26e45d2d798a7
Opcode Fuzzy Hash: 22de67322bb7b81eefd2f4cdcbd7b44a0fb22518181f0240c23ea2ed16fde5a6
Instruction Fuzzy Hash: 6C813830B1021A8FDF54DFA9D55466EB7F6AF99304F108429D80ADB398EF74DC428B91

Function 06D2456C Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32c75f42da4c28f72781d97fd5cf8c8bea65cbb0aeadb81cca31c09888d0d98
Instruction ID: f94c7d90eae63eef6b8175c04be0955a5acaccd8f4ee6f92cf1642e6a6470418
Opcode Fuzzy Hash: f32c75f42da4c28f72781d97fd5cf8c8bea65cbb0aeadb81cca31c09888d0d98
Instruction Fuzzy Hash: C7915E30E1021A8FDF60DF68C890B9DB7B1FF99304F208599D559AB395DB70AA85CF90

Function 06D24580 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38354259bd3ada725ce04c7788c7a0fdb63292017ad14109f64fe4f8a054348
Instruction ID: 2c5ebf5270a23ff9bf09964eca4d3e6eb7cf8838b4aed02db81857e09457d440
Opcode Fuzzy Hash: d38354259bd3ada725ce04c7788c7a0fdb63292017ad14109f64fe4f8a054348
Instruction Fuzzy Hash: 5D916D30E1021A8FDF60DF68C880B9DB7B1FF99304F208599D559AB395DB70AA85CF90

Function 06D2EEA3 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265dcf8da62ede9bbcf3136b625e6f3c57d7e33c9f6db184a3fb81aa26f3f7c1
Instruction ID: 29ff7014fba391be90513b8cbc4856a607fd11131ec01e6e08ce803cd6281ca5
Opcode Fuzzy Hash: 265dcf8da62ede9bbcf3136b625e6f3c57d7e33c9f6db184a3fb81aa26f3f7c1
Instruction Fuzzy Hash: B1714C70B0021A9FDB55DBA9D980A9EBBF6FF98304F148829D405EB355DB30EC46CB50

Function 06D2EEA8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ce610ccf2f2c151a26a6b2c8fdedbec9858edc814b589822e6287151edd69f
Instruction ID: 6bb3ee295a25b10b109e7f3c827bffddce3bff5906aecfffd5baca8f0f5adf59
Opcode Fuzzy Hash: 73ce610ccf2f2c151a26a6b2c8fdedbec9858edc814b589822e6287151edd69f
Instruction Fuzzy Hash: 48712B70B0021A9FDB55DBA9D980A9EBBF6FF98304F148829D405EB355DB31EC46CB50

Function 06D2FB38 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55200107e731bffe81b996db1a57d6ee471f546d92d48343e76ad2479e233552
Instruction ID: fc6154f1f678d77953a04b51b2c087e53d5c45de2be17dc934d3302e6f3070bf
Opcode Fuzzy Hash: 55200107e731bffe81b996db1a57d6ee471f546d92d48343e76ad2479e233552
Instruction Fuzzy Hash: 7D51CF31E40116DFCF64ABB8E4946ADBBB2FF94319F208C69D11AE7350DB359845CB80

Function 06D2F8D9 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d676988bc224aaeb7204be62fa81c65495a931290412ecc8fa8b58de7a8712
Instruction ID: 98e4ffe9d4386c0a06deaedd4d6072d847ed6a234f9c1889f7e188848f203ac0
Opcode Fuzzy Hash: c6d676988bc224aaeb7204be62fa81c65495a931290412ecc8fa8b58de7a8712
Instruction Fuzzy Hash: D451F670B602259FEF645BACD954B2F2A6ED7D9314F204C2EE00AD73E4CD29CC8547A2

Function 06D2F8E8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8600f869a28c1bf3e1894cdb02a261187db17a33ef7e629e7820682f6a3b81c
Instruction ID: b5e873be7260fe6663199c5b5966f5bb7746e6a227788dc5e838892a17efcbab
Opcode Fuzzy Hash: a8600f869a28c1bf3e1894cdb02a261187db17a33ef7e629e7820682f6a3b81c
Instruction Fuzzy Hash: DB51C670B602259FEF645BACD958B2F266ED7DD714F204C2AE00AD73E4CD29CC8547A2

Function 06D253D0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50d0307746e0065250d7b0c68b0421b373dda733b62fad8884b160f0abfb2a7
Instruction ID: 54f248268fc025167c9d397fa37bd4c41d414d35b9f99032a04bf77d8e233c4c
Opcode Fuzzy Hash: e50d0307746e0065250d7b0c68b0421b373dda733b62fad8884b160f0abfb2a7
Instruction Fuzzy Hash: 65413D71E0061A9FDF70CF99E880AAFFBB2FB98314F10492AD156D7650D331E8568B90

Function 06D2FB33 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c619e1fc8929adceb29f37221ea9878d4c63e91fa37ca167146bd1b81a0e9d3
Instruction ID: ebb52a53adcf6bea4da16bd2d7472596a5e3fa74fb02c39d0793107696dc3f1d
Opcode Fuzzy Hash: 6c619e1fc8929adceb29f37221ea9878d4c63e91fa37ca167146bd1b81a0e9d3
Instruction Fuzzy Hash: 5931F631F101228FDFA857BCD89475E72A6EBD8215F204C3AD40ED7394DA35CC428791

Function 06D22088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4333fee0c90d4d32f76614ad0157d5e06cb94e5ff101be534799af8574920efb
Instruction ID: 380841143ec77dc1472d045c29c60f20cbfafba10799b79e070cd49dbd8a66d0
Opcode Fuzzy Hash: 4333fee0c90d4d32f76614ad0157d5e06cb94e5ff101be534799af8574920efb
Instruction Fuzzy Hash: 52317270E102169BCB19CF68D994A9EB7B2FF89300F108929F805E7354DB71ED86CB50

Function 06D22085 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a467a502fa02675421f7a662b8c65dc304d1e6248bc5f0bc67594d9de50deed5
Instruction ID: c24e059967e7d774ea239cca807a8f318fa41bd1e8771172dc68b33f736a2f7f
Opcode Fuzzy Hash: a467a502fa02675421f7a662b8c65dc304d1e6248bc5f0bc67594d9de50deed5
Instruction Fuzzy Hash: 3B317270E102169BCB19CFA8D994A9EB7B2FF89300F10C929E805E7354DB71ED86CB50

Function 06D23E58 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf13ac723b7a52917f03496e55999e509c9ed245d86e75b82bfda053bb6cddc
Instruction ID: 8bf02ee3c63349a713226644e0c5ee554f1437049df4d95875180a5dc6eb3b29
Opcode Fuzzy Hash: 1bf13ac723b7a52917f03496e55999e509c9ed245d86e75b82bfda053bb6cddc
Instruction Fuzzy Hash: D7216D72F112169FDB40DF69E941AAEB7F1FB48310F10806AE915E7350EB34DD458B90

Function 06D23E68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f45bc77a42ebf78d3169b94aaef319f8a390a6aba1c6630bbc05984f6fe9954
Instruction ID: 958cf1b7a986887430b6e3362d43dcfc872ec43fc6632c513846e61ff197d272
Opcode Fuzzy Hash: 9f45bc77a42ebf78d3169b94aaef319f8a390a6aba1c6630bbc05984f6fe9954
Instruction Fuzzy Hash: 6A217A76F012169FDB40DF69E980AAEB7F1FB48310F11802AE916E7350EB38DC448B90

Function 0151D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1971675807.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_151d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58acd1a66e9aede92206384511c46040792e3680e044a19d7bc07399be218b31
Instruction ID: ce9b10aa63026c3f30150100523d83e7ca988cc7a09d69295c17f60ccf8cefdd
Opcode Fuzzy Hash: 58acd1a66e9aede92206384511c46040792e3680e044a19d7bc07399be218b31
Instruction Fuzzy Hash: 5B213475504200DFEB12DF58D9C8B2ABBB5FB84314F20CA6DD8094F25AD33AD847CA62

Function 0151D006 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1971675807.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_151d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f8b5d8b3e95719989e1d3f6a44657f5183497a0e8ac6ea970d7b52e3181618
Instruction ID: 3ab929fd5da7274934b8bee762675b7df6e660a4a2ae1f95b6d5e64b899e856b
Opcode Fuzzy Hash: 87f8b5d8b3e95719989e1d3f6a44657f5183497a0e8ac6ea970d7b52e3181618
Instruction Fuzzy Hash: 51217C750093C09FDB03CB64C994B15BF71AB46214F29C5DBD8888F2A7C23A980ACB62

Function 06D23F78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc610b8ba4dc47000641616f4ccff99368e2fd248623c204fec219d6de44e17
Instruction ID: 21ab8d15d6000038387645bddde661be4e6fadede5d2b9862a0d8f1e3a482d9f
Opcode Fuzzy Hash: 0bc610b8ba4dc47000641616f4ccff99368e2fd248623c204fec219d6de44e17
Instruction Fuzzy Hash: 0A118E32B101258FDF549A68E8186AF73FAEBD8711B11453AD406E7358EE79DC028BE1

Function 06D241B1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31f9b8aa6c7fac0e6616ad6ca53796936fbf4849fa4af009144554f032ac35d
Instruction ID: 19cc46cfbcbeb328917c6146c4dd3146f1cc620b5bdf8e54b3ccc39f6d5b1dd2
Opcode Fuzzy Hash: f31f9b8aa6c7fac0e6616ad6ca53796936fbf4849fa4af009144554f032ac35d
Instruction Fuzzy Hash: 3D014731B100210FCB6086BED81172BB6CAEBC4750F10C43AF90AC7340ED22DC434390

Function 06D23C30 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a270088d6c15230f6174adbed6f9f952e3f1d14c8b9f45c23445da1bcffed257
Instruction ID: 15fa1a405059853d9822e6dd02b19701897aec5eab50629ccb4c4fe932d16e50
Opcode Fuzzy Hash: a270088d6c15230f6174adbed6f9f952e3f1d14c8b9f45c23445da1bcffed257
Instruction Fuzzy Hash: 1021C4B5D01229AFCB00DF9AD984ACEFBB4FB48324F10812AE518A7340D374A554CFA5

Function 06D23F67 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9274fe627158ff17fd2edfc814d4443f08c9128622c490ee8a4417eaa9221a
Instruction ID: 02c150476256ea917955da4dd2b43fb1d71f1243fcc38b2e0fc9f346686eb876
Opcode Fuzzy Hash: aa9274fe627158ff17fd2edfc814d4443f08c9128622c490ee8a4417eaa9221a
Instruction Fuzzy Hash: FC018432B100264BDF549669EC187AF73BBDBC4610F054536D506E7348FE64DC0247D1

Function 06D23C38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b051fc8355c9da2531f542d410cdf431a2cabee3a55fa4a9923996d5b6bf6ba9
Instruction ID: 9a14ac943d885b63bce33a19c4af3cbb482fc51c46cc1a9c3f772addafbbc673
Opcode Fuzzy Hash: b051fc8355c9da2531f542d410cdf431a2cabee3a55fa4a9923996d5b6bf6ba9
Instruction Fuzzy Hash: BB11B3B5D01269AFCB00DF9AD984ADEFBB4FB48324F10812AE518A7340D374A554CFA5

Function 06D2A27A Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f600228ee28eccd5b1967e3a9c5750e66a64ef69af701cb619303bab10b103
Instruction ID: 1f9ceaaf69c1897638c40b71744b674f288c0b051c2a47bf171e70aed771565d
Opcode Fuzzy Hash: 82f600228ee28eccd5b1967e3a9c5750e66a64ef69af701cb619303bab10b103
Instruction Fuzzy Hash: 0701A271B101224FDB60EABDD85572BB3D5EB85B14F54C839E50AC7340EE2AEC028380

Function 06D241C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf411083a79a8f265b59c302130bb5d844160aee4ebf0c316dec4c02e3c4e1e
Instruction ID: 604c9691d20f23b245d3203860e8e73c19286a4a3cfd9da2928aca196c687153
Opcode Fuzzy Hash: acf411083a79a8f265b59c302130bb5d844160aee4ebf0c316dec4c02e3c4e1e
Instruction Fuzzy Hash: A601D631B100210BDB659ABED55072BB6DAEBD9714F10C83AE90AC7344ED26DC424391

Function 06D2F123 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66d034c08f316b15a298d542e5186f0bc7815afbe6bb58c42efd86a6a25410b
Instruction ID: 2043e57194e506085c7f04b04d6cd72d0fa148561d97d174e50f947ecb80d825
Opcode Fuzzy Hash: f66d034c08f316b15a298d542e5186f0bc7815afbe6bb58c42efd86a6a25410b
Instruction Fuzzy Hash: 710181B2B100224BDB669B7CD95572E63E6EBC9624F508C3AE10EC7354EE66DC434391

Function 06D2F128 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c45fb2198ef68cc94a649b1fe353d9a398c6bb2d0b7e5dbe5c92c0eb9d1223a
Instruction ID: a2542460746e6da2cb9c30d9d149165febe3fd3ca5b4f7d1b8088b027619342c
Opcode Fuzzy Hash: 1c45fb2198ef68cc94a649b1fe353d9a398c6bb2d0b7e5dbe5c92c0eb9d1223a
Instruction Fuzzy Hash: 8801A471B100220BDB669B7CD85472E77E6E7C9664F508C3AE10EC7354EE66DC434391

Function 06D2A288 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f19599a7c1e272e866a4143fa9398e9cf500c317609465a0ed7ca8e00c49bb8
Instruction ID: 99b1810563a73cdcd3c4ec345d936ad9acd6af55b15c855735bf710f98db0deb
Opcode Fuzzy Hash: 5f19599a7c1e272e866a4143fa9398e9cf500c317609465a0ed7ca8e00c49bb8
Instruction Fuzzy Hash: 58018170B100264FDB65DBBDE45472AB3D6EB89B24F548839E50AC7350EE26EC428780

Function 06D2F11B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0862f9fe34b19cede2151b4743e846acdf3d37bc45b96fb3091c1403d8554b93
Instruction ID: fbdd4a41ec9c5619ddd1f2853c232479bdd15c657333dffa582d23d3a06aaecc
Opcode Fuzzy Hash: 0862f9fe34b19cede2151b4743e846acdf3d37bc45b96fb3091c1403d8554b93
Instruction Fuzzy Hash: 38F06271B041210FDB57873CD86472A67E6DBC9654F508876E10EC7355DE26DC438391

Function 06D2C758 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d177c8c5ee42f8afcebbe0a8c792c901b55288c5e82eee8232fdaea3263387
Instruction ID: 50f9a124b129c514603e51781c2c706f5e2e3977ae1f7d2bf41884449f51b754
Opcode Fuzzy Hash: 64d177c8c5ee42f8afcebbe0a8c792c901b55288c5e82eee8232fdaea3263387
Instruction Fuzzy Hash: CEF0A732F30235ABDB549665E804A9EB73AE784754F104429ED01A7340DB33AC1187D0

Function 06D263E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6fc4f4c12c911a1499ed75b582e7804bc40790c5bba3acba058911ee09b403
Instruction ID: 18e00847a37a3d38c764658de8874984140eb97b39f0be1b51a7483155150ce6
Opcode Fuzzy Hash: bc6fc4f4c12c911a1499ed75b582e7804bc40790c5bba3acba058911ee09b403
Instruction Fuzzy Hash: A1E0DF71A2436AABDB50CA78C94A79A77A8D712218F64C4B5D844CB201E536DA078341

Function 06D263F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd82ae8ca65274fc3454b2c4d1ce8315d717affde06d8b7be6468b424b4745b
Instruction ID: 3fa72c7e2a0c7421d85e372afc7c6066e124f6167edfecfd6418120f67249e37
Opcode Fuzzy Hash: 3bd82ae8ca65274fc3454b2c4d1ce8315d717affde06d8b7be6468b424b4745b
Instruction Fuzzy Hash: 05E0C2B0E1426AABDF50CFB4C9457AF73ACE74520CF2084B4D409C7201E236CA028740

Non-executed Functions

Function 06D27618 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$kq, xrefs: 06D27789
$kq, xrefs: 06D2777D
$kq, xrefs: 06D27BB4
$kq, xrefs: 06D27BA8
$kq, xrefs: 06D27758
$kq, xrefs: 06D27B15
$kq, xrefs: 06D2774C
$kq, xrefs: 06D27BBE
$kq, xrefs: 06D27B09
$kq, xrefs: 06D27BCA

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1324371161
Opcode ID: a9a81b0ac6b4bf7e9132878e2ca85c0eefb80d42bf11fc56d3dffde1012d70a3
Instruction ID: 8137f8a9dbe2cd7a7265b17ad03d0042cf7575fbe65cc81fe019ce4bdcf7a38a
Opcode Fuzzy Hash: a9a81b0ac6b4bf7e9132878e2ca85c0eefb80d42bf11fc56d3dffde1012d70a3
Instruction Fuzzy Hash: C9123C30E0122A8FDB64DF79C954A9EB7B2FF98304F208569D409AB364DB349D85CF90

Function 06D2A8A8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$kq, xrefs: 06D2AA30
$kq, xrefs: 06D2AA5A
$kq, xrefs: 06D2AA05
$kq, xrefs: 06D2A9F9
$kq, xrefs: 06D2AA66
$kq, xrefs: 06D2A9AA
$kq, xrefs: 06D2A99E
$kq, xrefs: 06D2AA24

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 78f179bc5cdd318deb007b575dcb5898bc07f2d7001cd74badadd9ff44443bdb
Instruction ID: 4d826fd3d7931c815979e5adbc8e9005147a9456a2dd399e7346f943ebd85f24
Opcode Fuzzy Hash: 78f179bc5cdd318deb007b575dcb5898bc07f2d7001cd74badadd9ff44443bdb
Instruction Fuzzy Hash: 7B91B230A1021ADFDB64DF69D644B6EB7B2FF94308F688529E40297394CB79DC45CB90

Function 06D27018 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$kq, xrefs: 06D27520
$kq, xrefs: 06D274B4
$kq, xrefs: 06D2752C
$kq, xrefs: 06D27354
$kq, xrefs: 06D27360
$kq, xrefs: 06D272FA

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 66436f3fe24ea6c8c4a1c48b5280fe72ba477c31d90ebf8b397e2c14a552f6cb
Instruction ID: 62dbf8848a17ab447b4154d5730e60896b54655bde3eade1e369799c5a8cb953
Opcode Fuzzy Hash: 66436f3fe24ea6c8c4a1c48b5280fe72ba477c31d90ebf8b397e2c14a552f6cb
Instruction Fuzzy Hash: BBF15230B0021ACFDB65EF68D554A6EB7B2FF94304F648569D4059B3A8DB35EC82CB90

Function 06D2AC30 Relevance: 6.4, Strings: 5, Instructions: 168COMMON

Download Yara Rule

Strings

_, xrefs: 06D2AC17
$kq, xrefs: 06D2AD61
$kq, xrefs: 06D2ADB4
$kq, xrefs: 06D2ADE3
$kq, xrefs: 06D2AE0C

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: _$$kq$$kq$$kq$$kq
API String ID: 0-641801418
Opcode ID: 51d599896ff79cc59f9b7eacfe154460e9a1816b1040f21f22dee4e367c93d5c
Instruction ID: 6f1c0d1acea1730263a01ef1dc6d3616c616638c497fdbc69b9c8fcccafaaf94
Opcode Fuzzy Hash: 51d599896ff79cc59f9b7eacfe154460e9a1816b1040f21f22dee4e367c93d5c
Instruction Fuzzy Hash: 8F518234F102168FDF69DB68E5806ADB3B2FB94715F288929D806D7354DB35DC42CB90

Function 06D28350 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$kq, xrefs: 06D285AA
$kq, xrefs: 06D285B6
$kq, xrefs: 06D2861B
$kq, xrefs: 06D2860F

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: d8ed96a2328b9e524c20adea0fd983594c9a8bd8955d552081319a216a90adde
Instruction ID: 689de1f1dc730940d85372450e495ae4ea72ed23f3809b12a14cc15b1520118b
Opcode Fuzzy Hash: d8ed96a2328b9e524c20adea0fd983594c9a8bd8955d552081319a216a90adde
Instruction Fuzzy Hash: DAB13A30F1021A8FDB64EBA8D5946AEB7B2FF94304F248429D406DB395DB35DC86DB90

Function 06D28768 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRkq, xrefs: 06D2885B
$kq, xrefs: 06D287E7
$kq, xrefs: 06D287F3
LRkq, xrefs: 06D288AA

Memory Dump Source

Source File: 00000003.00000002.1978087482.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d20000_adobe.jbxd

Similarity

API ID:
String ID: LRkq$LRkq$$kq$$kq
API String ID: 0-2392252538
Opcode ID: f339258fd27609365d4d8b35ce4b6be329a9379064ec9a0c9a1bbf5aea314c19
Instruction ID: 65449c52de7942812f004f4f4b5d2da98cbbfc33cd2015b962741d4c488661c0
Opcode Fuzzy Hash: f339258fd27609365d4d8b35ce4b6be329a9379064ec9a0c9a1bbf5aea314c19
Instruction Fuzzy Hash: 9D51E430B002129FDB58DB68E954A6AB7F2FF98304F148569E4069F3A5DF34EC44CBA0

Analysis Process: adobe.exePID: 6204, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	38.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	103
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02410000 Relevance: 13.9, APIs: 9, Instructions: 352
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02410054: CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 02410167

NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 02410192
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 024101C9
WriteProcessMemory.KERNELBASE ref: 02410217
WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 024102FD
Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 02410355
WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 024103A1
Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 024103EC
ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 0241040C

Memory Dump Source

Source File: 00000007.00000002.1970916978.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Offset: 02410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2410000_adobe.jbxd

Similarity

API ID: Process$MemoryThreadWrite$ContextWow64$AllocCreateResumeSectionUnmapViewVirtual
String ID:
API String ID: 2814188497-0
Opcode ID: ea99b0024c625f74fea6b8fa68515aaaf4f6426c1bd6aa4e5dfeea17c57a5219
Instruction ID: c6c24ce2a74ab8ba60ed8be27b54c71fffa2fc4ac1997251194cd2bf7603f72e
Opcode Fuzzy Hash: ea99b0024c625f74fea6b8fa68515aaaf4f6426c1bd6aa4e5dfeea17c57a5219
Instruction Fuzzy Hash: AAB11178690354BFE61577F29C87F1937269F46708F14906EFA005F1D2CAB26C918B62

Function 02410054 Relevance: 13.8, APIs: 9, Instructions: 322
threadinjectionprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02410420: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,02410083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 0241043F

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 02410167
NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 02410192
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 024101C9
WriteProcessMemory.KERNELBASE ref: 02410217
WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 024102FD
Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 02410355
WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 024103A1
Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 024103EC
ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 0241040C

Memory Dump Source

Source File: 00000007.00000002.1970916978.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Offset: 02410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2410000_adobe.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtualWow64$CreateResumeSectionUnmapView
String ID:
API String ID: 4009322845-0
Opcode ID: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
Instruction ID: adbced573db0980d45a1063f7fa313dba75812dbc3b1cda19246d09cdf2ee6a8
Opcode Fuzzy Hash: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
Instruction Fuzzy Hash: 93A1EE78690214BFE51477F2DC87F2936179F85B0CF20906EFA006F1D1CAB2BDA18A61

Function 008D04C0 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcA.USER32(?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 008D0B3B

Memory Dump Source

Source File: 00000007.00000002.1970354771.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8d0000_adobe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: d9e55d912e41d657d9494b3bd9bb4262008c103a628cbad506dcfc7a47632fbb
Instruction ID: c74fdaaa74b15696bbbfbb8a1013ac58feb3024a0b1f0d2b092d1806627b44a0
Opcode Fuzzy Hash: d9e55d912e41d657d9494b3bd9bb4262008c103a628cbad506dcfc7a47632fbb
Instruction Fuzzy Hash: C61104B5904648DFCB10DF9AD844BDEBBF4FB48324F20842AE559A7250D375A944CFA4

Function 008D0AC9 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcA.USER32(?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 008D0B3B

Memory Dump Source

Source File: 00000007.00000002.1970354771.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8d0000_adobe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 5bf73fc19d19cb431b8871fbc6266b60cba35fe761c04e9feff9e98ae6b56018
Instruction ID: 6d322ca59d1ffdd47854fae3e74954f8f0e28463e07350b8f3892863fedaf494
Opcode Fuzzy Hash: 5bf73fc19d19cb431b8871fbc6266b60cba35fe761c04e9feff9e98ae6b56018
Instruction Fuzzy Hash: AD1104B5904248DFCB20CF99D885BDEBFF4FB48324F20845AE559A7251C375A544CFA4

Function 008D021F Relevance: 1.5, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1970354771.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a946d67d9023fe148a752e3291ae9302f99ee820fa1037c8bb72251a1767abbe
Instruction ID: 71f912301c8452d4ed72035d71138a4ab7add0bb272344e093f8587a06db81ff
Opcode Fuzzy Hash: a946d67d9023fe148a752e3291ae9302f99ee820fa1037c8bb72251a1767abbe
Instruction Fuzzy Hash: 8451327180D388CFCB529FA898597EABFB0FB16320F14029BD580DB356D2358849CB95

Function 008D0978 Relevance: 1.4, APIs: 1, Instructions: 114
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,?,?,?,?,008D090A,00000040,00001000), ref: 008D0A90

Memory Dump Source

Source File: 00000007.00000002.1970354771.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8d0000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a79000f5427649ab0d60a5c62130d5ac14bf962ce1ca29bf58d3683dfe3dab7c
Instruction ID: b760b76b609605b53af89a5f3c700676310942d1c0ac90fc02076d3f5d317fa7
Opcode Fuzzy Hash: a79000f5427649ab0d60a5c62130d5ac14bf962ce1ca29bf58d3683dfe3dab7c
Instruction Fuzzy Hash: DD416775A006048FC710DF69D584A9ABFF1FF89320F2584A9E549DB361CB34EC05CBA0

Function 008D04B4 Relevance: 1.3, APIs: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,?,?,?,?,008D090A,00000040,00001000), ref: 008D0A90

Memory Dump Source

Source File: 00000007.00000002.1970354771.00000000008D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8d0000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0071a06b608f629c487502fbd9114ce7b8f8f6e9b0183c33b63a6d7f0f248221
Instruction ID: 9702ef6a78971512eab902de6c014b07b131b6dd97f0e66be50275e1f8a1c51e
Opcode Fuzzy Hash: 0071a06b608f629c487502fbd9114ce7b8f8f6e9b0183c33b63a6d7f0f248221
Instruction Fuzzy Hash: 051102B59007589FCB20DF9AD444BDEBBF4FB48320F20842AE558A7250D375A944CFA4

Function 02410420 Relevance: 1.3, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,02410083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 0241043F

Memory Dump Source

Source File: 00000007.00000002.1970916978.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Offset: 02410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2410000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
Instruction ID: 406a345cf16525adb59c6a58a9568889b8f27596614e416540224e31ac903ad4
Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
Instruction Fuzzy Hash: 52D022781843007AF2017BB34C03F083682AF40B09F40181DFB04380E0C6BAA8980A56

Analysis Process: adobe.exePID: 6672, Parent PID: 6204COMMON

Execution Graph

Execution Coverage:	13.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	44
Total number of Limit Nodes:	7

Executed Functions

Function 067D2750 Relevance: 9.0, Strings: 6, Instructions: 1491COMMON

Download Yara Rule

Strings

$kq, xrefs: 067D3B4C
$kq, xrefs: 067D3B64
$kq, xrefs: 067D3B40
$kq, xrefs: 067D3B70
$kq, xrefs: 067D3B23
$kq, xrefs: 067D3B17

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 23865cdf1bde7adf3a233bd13ac0b3bc86a6a77366272fcbb7982e7b1eefc7df
Instruction ID: 4f23fc45014a2bc60684bde9a74aeee5573203ff36234f763caf5ced6578de4b
Opcode Fuzzy Hash: 23865cdf1bde7adf3a233bd13ac0b3bc86a6a77366272fcbb7982e7b1eefc7df
Instruction Fuzzy Hash: B3D26B30E006058FDB64DF64C584AADB7F2FF89310F648969D459AB365EB34ED86CB80

Function 067DB1A8 Relevance: 8.3, Strings: 6, Instructions: 771COMMON

Download Yara Rule

Strings

$kq, xrefs: 067DBB1F
$kq, xrefs: 067DBB53
$kq, xrefs: 067DBAEB
$kq, xrefs: 067DBB2B
$kq, xrefs: 067DBAF7
$kq, xrefs: 067DBB5F

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: b00d15eafa03c6ffd021b0c5fb749388fd657998d69cc962e70577eadb99d829
Instruction ID: 318646e4103a739c0c35b9af95ee8bfb84a6555952b955959160348ab77a8aea
Opcode Fuzzy Hash: b00d15eafa03c6ffd021b0c5fb749388fd657998d69cc962e70577eadb99d829
Instruction Fuzzy Hash: E35280B0E002098FDF64DB68D5807BEB7B6EB85710F258C26E405EB395DA35EC85CB91

Function 067D7CF8 Relevance: 3.0, Strings: 2, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 067D8035
$kq, xrefs: 067D8041

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 41f0b5d72d7c6a6c91322288928335b77cd60b1cac7f25140f8c83acd1f89292
Instruction ID: dcb435838c0663ca66e50186fdaf1330ba264ddb9f5b489132d3f2c7398cfdfc
Opcode Fuzzy Hash: 41f0b5d72d7c6a6c91322288928335b77cd60b1cac7f25140f8c83acd1f89292
Instruction Fuzzy Hash: DB02D330B006058FDB68DB65DA50A6EB7F2FF84314F248929E405DB399DB35EC86CB91

Function 067D6560 Relevance: .8, Instructions: 808COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d741a9ddd7091e9f1020a43cb55b6c46e6dd210b41bd33e1777a4603a01bae1
Instruction ID: c46af87a51068750dee78c61ed72a8c9cf3513060ed1ecf7866a3c26176dff0d
Opcode Fuzzy Hash: 9d741a9ddd7091e9f1020a43cb55b6c46e6dd210b41bd33e1777a4603a01bae1
Instruction Fuzzy Hash: C9629034B006049FDB54DB68D684BADBBF2EF84314F248869E506EB395DB35ED46CB80

Function 067DC0F8 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b237da3e29be180b504db37f39c9f4a368591092ca1617df878db4e6711e04ef
Instruction ID: d1c3ff56dd8e5f282fb531e10d3a48a88215a97f4b2eb1f8d4678af8305c1b53
Opcode Fuzzy Hash: b237da3e29be180b504db37f39c9f4a368591092ca1617df878db4e6711e04ef
Instruction Fuzzy Hash: 3C329134B102098FDF55DB68DA80BAEB7B6FB88314F248925E505E7359DB35EC42CB90

Function 067D5550 Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a727e43c094c66dacf035eca09ac9b98134dddba2f01cf2512cbc3561fb298
Instruction ID: 42a22b2b35f261bb2a3fa365bed405df2c332aed40823f0394b9af56036e9abd
Opcode Fuzzy Hash: a5a727e43c094c66dacf035eca09ac9b98134dddba2f01cf2512cbc3561fb298
Instruction Fuzzy Hash: 1012D331F102059FEF60DB64D98067EBBB2EF85310F24886AE856DB395DA34EC41CB90

Function 067DAC40 Relevance: 10.4, Strings: 8, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 067DADB4
$kq, xrefs: 067DADE3
$kq, xrefs: 067DADC0
$kq, xrefs: 067DADEF
$kq, xrefs: 067DAD6D
$kq, xrefs: 067DAE0C
$kq, xrefs: 067DAE18
$kq, xrefs: 067DAD61

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 1111f8e00cd1dcb6abb949244bb626110cc434ade40fc3d908e3c08b42351e80
Instruction ID: 12d861145b60017987ce439e9827c179a9c7dcc5c56ad1afe3675bf4fd963782
Opcode Fuzzy Hash: 1111f8e00cd1dcb6abb949244bb626110cc434ade40fc3d908e3c08b42351e80
Instruction Fuzzy Hash: 55E18E30E1020A8FDF65DB69D5806AEB7B3FF84304F248929D405AB358DB35EC86CB90

Function 067D90C8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 067D9156
$kq, xrefs: 067D911B
$kq, xrefs: 067D914A
$kq, xrefs: 067D910F

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: d0c5cb14368c226b4892d7c712d50201183a9ce045cafe1a3dff3b918d2f8f14
Instruction ID: 425126fc16904ad2b1599e5b8651d48880b3d823b68e2d51cd9f35c1faaba0d7
Opcode Fuzzy Hash: d0c5cb14368c226b4892d7c712d50201183a9ce045cafe1a3dff3b918d2f8f14
Instruction Fuzzy Hash: E0916E30F0060A8FDB64DF65DA517AEB7F6BF84244F108869C509EB798EB71EC418B91

Function 067DCEC8 Relevance: 4.5, Strings: 3, Instructions: 797
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 067DD2C7
$kq, xrefs: 067DD2D3
$kq, xrefs: 067DD2BF

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq
API String ID: 0-2086306503
Opcode ID: a4ef5e851332812e4491fd50a833aa456b8fea5d02fd2eba6cf1fbe14640e563
Instruction ID: 012c78b921718d86a85568bf6f2fd2892c33cb98377f88bfdfd21214b1f4346e
Opcode Fuzzy Hash: a4ef5e851332812e4491fd50a833aa456b8fea5d02fd2eba6cf1fbe14640e563
Instruction Fuzzy Hash: 6E626334A00206CFCB65EF68D680A5EB7B2FF84304F248969D4059F769DB75ED86CB84

Function 067D4B18 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPpq, xrefs: 067D4C45
\Opq, xrefs: 067D4CCF
fpq, xrefs: 067D5225

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: fpq$XPpq$\Opq
API String ID: 0-2571271785
Opcode ID: f8041385421ba5f1dbf87ff5e06b40f6ee0773d2c0684faa4519d353db9c9d36
Instruction ID: f6590688fa4639f946af1b2bdd566a61e0e9df0898c6ac4fb7314ffea4983b24
Opcode Fuzzy Hash: f8041385421ba5f1dbf87ff5e06b40f6ee0773d2c0684faa4519d353db9c9d36
Instruction Fuzzy Hash: E5619170F002089FEB549BA4C8157AEBAF6EF88300F20842AE506EB395DE749C459B95

Function 067D90BB Relevance: 2.7, Strings: 2, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 067D914A
$kq, xrefs: 067D910F

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: ac5501a273efa44c2b32427b6f331ef78427bed1a9c8ea436c8db3248afced79
Instruction ID: b419472e6205affc144a9ab969b3c998c0675e01053c5054c35f0b84378c4be7
Opcode Fuzzy Hash: ac5501a273efa44c2b32427b6f331ef78427bed1a9c8ea436c8db3248afced79
Instruction Fuzzy Hash: D7515030F005098FDB54DF75DA91BAE77F6EB84644F108869C909DB798EA71EC02CB91

Function 0108ED33 Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4197902069.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee0b45372a9c60383390f63dcd52e63c65ae162c37ba0efe34bae31baf81fdf
Instruction ID: 18d6f5924ad1df78eb2f5b39b29673e3dfb1caee05d9abf6e1c734e0d1331f23
Opcode Fuzzy Hash: 1ee0b45372a9c60383390f63dcd52e63c65ae162c37ba0efe34bae31baf81fdf
Instruction Fuzzy Hash: 99413571D083958FC705EF69C8042AEBFF1AF8A310F1485AAD584EB291DB349845CBA1

Function 0108EE18 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0108EE7F

Memory Dump Source

Source File: 00000008.00000002.4197902069.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1080000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 03f021b3f8edfe15d0bb2ca6de0dbbb5fdf0c92b0c88f65fae9f4abe5aa37242
Instruction ID: 97388db8a2eff5c206ce1046cc5319f5accedb780f84b5e6b92bb296315dc815
Opcode Fuzzy Hash: 03f021b3f8edfe15d0bb2ca6de0dbbb5fdf0c92b0c88f65fae9f4abe5aa37242
Instruction Fuzzy Hash: 691120B1C006699BDB10DF9AC444BDEFBF4AF48320F14816AD858B7241D378A944CFE5

Function 067D4B09 Relevance: 1.4, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPpq, xrefs: 067D4C45

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: XPpq
API String ID: 0-1266478781
Opcode ID: 313ae49d3cc36d9dd540427b15a28e2d393a6d2f542fa45599278156536670ab
Instruction ID: 8ebab9e2b83dda4f733b388b1ed2dc6f0875fd396db4b3059c35ed8bfed1e515
Opcode Fuzzy Hash: 313ae49d3cc36d9dd540427b15a28e2d393a6d2f542fa45599278156536670ab
Instruction Fuzzy Hash: D2519170F102089FDB54DFA4C914BAEBBF6AF88300F20852AE505AB3A9DE749C05DB54

Function 067DDA50 Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHkq, xrefs: 067DDB99

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 5a7856409005aed9a0b1b6678c69bce7a0c89f0582722d8ffe5f9064ade57696
Instruction ID: c8bb3281181101241496be6760443f869ee1bc2c28192f234ab1f9a9cdeed679
Opcode Fuzzy Hash: 5a7856409005aed9a0b1b6678c69bce7a0c89f0582722d8ffe5f9064ade57696
Instruction Fuzzy Hash: CC416070E00209DFDB64DF65C5846AEBBB6BF85344F208929E405E7250EF74E946CB81

Function 067D21B5 Relevance: 1.4, Strings: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHkq, xrefs: 067D2303

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 36cbe8c56bb1470b12b21d92bd7f2fed6beab850eb4f1977a9582a10419b0716
Instruction ID: 747446046589f54837dadd4b21095631844b57b6ad0de3d0975a95c7fb3ab06c
Opcode Fuzzy Hash: 36cbe8c56bb1470b12b21d92bd7f2fed6beab850eb4f1977a9582a10419b0716
Instruction Fuzzy Hash: 76312630B002018FDB55AB34CA5427F7BB7AF89204F248869E502DB396EF35DD42C791

Function 067DDA3D Relevance: 1.4, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHkq, xrefs: 067DDB99

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: b510f8fec2d4983f6dc5f29969d76e03ffea1a2eca654f00bd90d625e476e4eb
Instruction ID: 0f0c20bd28f4f6d89d4457673a5b473c590c1e009150a5a5cc20861ec066d292
Opcode Fuzzy Hash: b510f8fec2d4983f6dc5f29969d76e03ffea1a2eca654f00bd90d625e476e4eb
Instruction Fuzzy Hash: B8418030E00209DFDB65DF64C5846AEBBB6FF85304F148929E406E7291DB74E946CB41

Function 067D21C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHkq, xrefs: 067D2303

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: cb01d130e7bf9c06610bfa300d2415f5fe30133df32dd1bbfe27b30c4f1df5bb
Instruction ID: 72037cb345107dcb6f4d36ee8242dc0a395d6f785d017919f5904a46512cc520
Opcode Fuzzy Hash: cb01d130e7bf9c06610bfa300d2415f5fe30133df32dd1bbfe27b30c4f1df5bb
Instruction Fuzzy Hash: DB31F230B002058FCB55AB74CA5467E7BF7AF89204F248829E506DB396EF35DD42CB91

Function 067DFEF8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 067DFF48

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: a2e1938d33b5f9728fa7b8ae7a84ad107573a289650e4abdf5fe75c498fca1fd
Instruction ID: 6c413967566763699aaa6a69ed163fb01d0a90d1cf57b7651b103d32ea840f6a
Opcode Fuzzy Hash: a2e1938d33b5f9728fa7b8ae7a84ad107573a289650e4abdf5fe75c498fca1fd
Instruction Fuzzy Hash: FA115E74B102149FDB44AF78C904B6E7BF5AF4C710F108469E50AD73A4DB35A900CB84

Function 067DFEE9 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

|, xrefs: 067DFF48

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: f9c3e0e9db6b482cf0b30d610630f779ee807d581f204c3d81f93770291aaae6
Instruction ID: feb6194b743e666d49e8d37cf1bf14ebf6f28c50c6090a31933e7d8476e567f2
Opcode Fuzzy Hash: f9c3e0e9db6b482cf0b30d610630f779ee807d581f204c3d81f93770291aaae6
Instruction Fuzzy Hash: DE116075F102109FDB549B78C905B5E77F6AF8C750F108469E91ADB3A4DB39AC00CB84

Function 067DB198 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785b1c5bb763bd5ee5d9dc44fab86033d3cb059dae49531466698aa615254e28
Instruction ID: d77df68234da249c2c987e0402d66e080916a1035e9629ea92c33103362037c7
Opcode Fuzzy Hash: 785b1c5bb763bd5ee5d9dc44fab86033d3cb059dae49531466698aa615254e28
Instruction Fuzzy Hash: EAB1C570F001098FEF64DBA8D9947BEBBB6EB89710F254C25E405E7395CA35EC818B91

Function 067DFB27 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f7d0f6771369098d1e842918a18c90463541d1474bd8c388d1e8b4cdd0a135f
Instruction ID: f280d6af967176cb9b1498561ff5cba71b39e38dcbb40885cee9cb827fbef0e6
Opcode Fuzzy Hash: 0f7d0f6771369098d1e842918a18c90463541d1474bd8c388d1e8b4cdd0a135f
Instruction Fuzzy Hash: 8C81BE31E00105CFDF54ABB8E9547BE77B6EB85314F208C2AE50AD7394DB398845CB81

Function 067D6158 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a32a4522260f2f93df0aa37e6a53d8002307d9a3cea4fdbf6d25ccab89777d
Instruction ID: 7335e5d6af441a4d5ae8c58431273e7f8bb1a48c33ecf20c7806c0c023cb4049
Opcode Fuzzy Hash: 29a32a4522260f2f93df0aa37e6a53d8002307d9a3cea4fdbf6d25ccab89777d
Instruction Fuzzy Hash: A461E2B2F001214FCF549A7DC84066EBAEBAFD4610F154439E80ADB379DE65ED0287C1

Function 067D4251 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457ff119ac60900149d79a2ca4dbbc459bc9ef1fbc4f431fafd3740982ced889
Instruction ID: 8928ab84413d9f391eae3643be989592b45a1b25fcefea29d2416e7bf3535b1a
Opcode Fuzzy Hash: 457ff119ac60900149d79a2ca4dbbc459bc9ef1fbc4f431fafd3740982ced889
Instruction Fuzzy Hash: 4E814030B106098FDF54DFA8D6547AEB7F6AF85304F108929D40AEB358EB34EC428B91

Function 067D456C Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d05c8a2194a45268a6d80923b3ac5151e590da3bf17cc633c338113b980eaa9
Instruction ID: 0854fa2c63eb9f7a2dded18633de0b447d790a26a4260a0e62a0fa21f6b58372
Opcode Fuzzy Hash: 9d05c8a2194a45268a6d80923b3ac5151e590da3bf17cc633c338113b980eaa9
Instruction Fuzzy Hash: 91914C34E102198FDF60DF64C890B9DB7B1FF89310F208999D549AB295DB70AE85CF91

Function 067D4260 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3809ef05a2df4b5be9ccc519c0ea3862eb5dfaa15b03d673686fdc9e96a5fa7
Instruction ID: 63841ba70262a73aa9c88a650c867dfcb826ae9c2a7c2b51881dfc9b0f0fc42f
Opcode Fuzzy Hash: e3809ef05a2df4b5be9ccc519c0ea3862eb5dfaa15b03d673686fdc9e96a5fa7
Instruction Fuzzy Hash: 94811D30B106098FDF54DFA9D65466EB7F6AF85304F108829D40AEB399EF74EC428B91

Function 067D4580 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3978625192c85a83286454749d8ea1a4744855f3d57b3f28beecaf784cf01619
Instruction ID: d25b27de318ce2b384912ffbaaea49f8ebd2be9428ebb73bcef4df13392de4ab
Opcode Fuzzy Hash: 3978625192c85a83286454749d8ea1a4744855f3d57b3f28beecaf784cf01619
Instruction Fuzzy Hash: 64912C34E106198BDF60DF68C890B9DB7B1FF89310F208999D549AB355DB70AA85CF90

Function 067DEE98 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c22c93de51f8bfd006b3438fca3041583a8e4ab06dcb1511a22570964a432d
Instruction ID: d32dd0a114782100bd1f1dae46fee893487cce9b201a5116e8e8afc5f45202e3
Opcode Fuzzy Hash: d7c22c93de51f8bfd006b3438fca3041583a8e4ab06dcb1511a22570964a432d
Instruction Fuzzy Hash: 30712B70E002099FDB55DBA8D984AAEB7F6FF84304F248929E106EB355DB34ED46CB50

Function 067DEEA8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c732f16c4c1aff4fddf8d863d7b6b0ec3b19e5d553de522e0dfa1de0e0fd09e
Instruction ID: 2d3e1147a11f17f199703591557b889bf37400dd1a59765bb786d5364774a62e
Opcode Fuzzy Hash: 0c732f16c4c1aff4fddf8d863d7b6b0ec3b19e5d553de522e0dfa1de0e0fd09e
Instruction Fuzzy Hash: 28713B70A001099FDB54DFA9D980AAEBBF6FF84304F248829E106EB355DB34ED46CB50

Function 067DF8D9 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184de9f8fa3adeaf49d79a380152f4ee016b77c5a862ead5047fb400ce9bf026
Instruction ID: 57e3ba0a61982a8f7bdd112ac16a8000d5683bd99f3a6e0c2ba4ae788fe17aef
Opcode Fuzzy Hash: 184de9f8fa3adeaf49d79a380152f4ee016b77c5a862ead5047fb400ce9bf026
Instruction Fuzzy Hash: 2751C634B102149FEF60666CDA5477F3A6AE7C9710F20482AE40BD77E9CA2DCC4543A2

Function 067DF8E8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b90697a9104c936bd7b2b3fbb0a62d87d7264c42792b4896449aee9eaedb79
Instruction ID: df3834f731051951db2cda37bede3d7f0c365ec530e8835a6920474633cdafc6
Opcode Fuzzy Hash: c5b90697a9104c936bd7b2b3fbb0a62d87d7264c42792b4896449aee9eaedb79
Instruction Fuzzy Hash: F4518434B102149FEF64666CDA5473F366AE789750F20482AE40BD77E9CA2DCC8547A2

Function 067D53D0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f5af850c05b7e6523cfb30a03ee692503da5b93abdb4efb3a32df8d5b274a5
Instruction ID: aef621a1c3d81a96ff53177203325fe9408d6daaa5187ae96c55c14b5f2c6679
Opcode Fuzzy Hash: f3f5af850c05b7e6523cfb30a03ee692503da5b93abdb4efb3a32df8d5b274a5
Instruction Fuzzy Hash: 85412B71E006099BEF70CEA9D880ABFFBB6FB84310F104D2AE256D7650D731E9558B91

Function 067D2078 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec85eb31a6bd22d312cb39eeca2622575ab13b1670a770b41526afd2c299be39
Instruction ID: a87fe2b07b7a0e71a27c056d6fb299554d7e357fc1f23b25454a1afcd06329e5
Opcode Fuzzy Hash: ec85eb31a6bd22d312cb39eeca2622575ab13b1670a770b41526afd2c299be39
Instruction Fuzzy Hash: 96317A70E102058BDB19CF64C9946AEBBF2EF89300F10C929E916EB351DF72E946CB50

Function 067D2088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032dfcfd53701c8ffc4e77d9a847367c995546ef590a3e868b706fc49ca1ca64
Instruction ID: bd1224b01eeb67b86b296d2c24b654c0cf5f35a457e764c301a7d062873073eb
Opcode Fuzzy Hash: 032dfcfd53701c8ffc4e77d9a847367c995546ef590a3e868b706fc49ca1ca64
Instruction Fuzzy Hash: A6318B30E102059BCB19CF64C9946AEB7B6FF89300F10C929E916EB351DB72ED42CB50

Function 067DF1B0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89c223cc36e2aeee07609d6fd1fd8e638e5f0a3551d8e5d815096017a4b87eb
Instruction ID: b4c46c8ba0487b3816d069930614655131c3be5cefd7bc947d5d91af3f0b6ff1
Opcode Fuzzy Hash: f89c223cc36e2aeee07609d6fd1fd8e638e5f0a3551d8e5d815096017a4b87eb
Instruction Fuzzy Hash: 6221CF76B001004FDB648AB8D9503BEB7F6EB84624F20882AD40BD7355EA29EC4287C5

Function 067D3E58 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b3d4774ad6cd7549fa4f756ada0ff1d95718a1666b7ae1757288bc1f6bcb33
Instruction ID: 867f092cc0272d8f8c13fd0e457a8f2d96c11384e3282d734755060197690c60
Opcode Fuzzy Hash: c1b3d4774ad6cd7549fa4f756ada0ff1d95718a1666b7ae1757288bc1f6bcb33
Instruction Fuzzy Hash: 44218E75F006159FDB40DF69D941AAEBBF1EB88320F108829E945EB794E730DD418F91

Function 067D3E68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc29fee42ddba75a69a68e65b6c8ccd826eec92f8b45873d204459b929566895
Instruction ID: 23cc420d82b7615cb8fa83500cfed7ba85549895aa02f443ebf7a6eb6fcb5393
Opcode Fuzzy Hash: cc29fee42ddba75a69a68e65b6c8ccd826eec92f8b45873d204459b929566895
Instruction Fuzzy Hash: 5C217A75F016199FDB40DF69DA81AAEBBF1FB48220F10842AE945EB794E730DD408B91

Function 067D3E66 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0846028db37f30ef1e9a05b0191a093a2dc1ffbf9eec7e0894d2f00ab16ad08
Instruction ID: b0329ffb0b116b22b9dbd1487645130bbd8dd0b2eb4671ea8d677984df93bf12
Opcode Fuzzy Hash: b0846028db37f30ef1e9a05b0191a093a2dc1ffbf9eec7e0894d2f00ab16ad08
Instruction Fuzzy Hash: 41219D75F016159FDB40DF69D981AAEBBF1EB48310F10842AE905EB794E730DD418B90

Function 00FED005 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4197075899.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_fed000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f681a898827d4a218120b4fc2effc6ead438746001046fb89d09a7970a9f382
Instruction ID: 1221881888123d75fb3316dcf70aaf1f7eb592de46d64a80c6d6baec82c782e4
Opcode Fuzzy Hash: 2f681a898827d4a218120b4fc2effc6ead438746001046fb89d09a7970a9f382
Instruction Fuzzy Hash: C021607150D3C09FC703CB24D994711BF71AB46214F29C5EBD9898F6A7C33A980ADB62

Function 00FED030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4197075899.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_fed000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d9b76e6137e353442398c082860af6216ecaf6e5881300b69f754805ccc2db2
Instruction ID: 70fe583621e5f0167dfae59d3f789cf439c351c7282fa9221a84fd996f3b6fbb
Opcode Fuzzy Hash: 9d9b76e6137e353442398c082860af6216ecaf6e5881300b69f754805ccc2db2
Instruction Fuzzy Hash: 39213471504284DFCB10DF15D9C0B26BBA5FB84324F28C56DDA0A4B69AC33AD847DA62

Function 067D6C90 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6f3424d26ef2bdbc97d43dd00b786208ae853f7911394f8551275efe666242
Instruction ID: 7714d432323dcb702f3e668d45691356e675411fb852e0072828b7b55752a261
Opcode Fuzzy Hash: 0e6f3424d26ef2bdbc97d43dd00b786208ae853f7911394f8551275efe666242
Instruction Fuzzy Hash: 8021B430F100189FDF54DB69E9546ADB7B7EF84314F24882AE505EB354EB31EC418B84

Function 067DF118 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f52df4fa65ac28ce458a4fe0a3ce84642dc856341dc27a3d7cf01dc306fa10
Instruction ID: 21bf09f2981059c3af764a74a608bda84fcf39c60eab9e2a5331eecc631e72cc
Opcode Fuzzy Hash: 80f52df4fa65ac28ce458a4fe0a3ce84642dc856341dc27a3d7cf01dc306fa10
Instruction Fuzzy Hash: 461125B1F142514FDBA1867CD85077E7BE6CBC6220F148D6AE44ACB351DA2ACC438385

Function 067D41B1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1266ac46c98c43dbf54bca2f4f0bc829f2e00ce7ab69849f5685310e837a667
Instruction ID: 63bac0d0b73d012f8a7e67e208c288d28f42aa6745599f74810fc0bdc6dd15b8
Opcode Fuzzy Hash: c1266ac46c98c43dbf54bca2f4f0bc829f2e00ce7ab69849f5685310e837a667
Instruction Fuzzy Hash: 66110835B002500FDB618ABDD950B7ABBE6DBC6620F148D6AE50AC7359D936DC024355

Function 067D3F78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 292b8eca25acc621d875bcd2eedfea0fa6abb3c994835d3eb698e954a3ddffe6
Instruction ID: a25cbc00837894b5e1d934364368d6772597b011f9ef70c474ffe80692f81ea8
Opcode Fuzzy Hash: 292b8eca25acc621d875bcd2eedfea0fa6abb3c994835d3eb698e954a3ddffe6
Instruction Fuzzy Hash: 6111A132B105288FCF549A68D8186BE77FAABC8650F108939D406E7358EE75DC018BD1

Function 067D3F67 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e59c8a3ab7b0656d8bd793f9af96458dd14752ccf5d2345ece0d59ca276d8aa
Instruction ID: 379e00730d67b73278003fa01a5c06da3c6b682680b5680bf34b3254a8571c26
Opcode Fuzzy Hash: 0e59c8a3ab7b0656d8bd793f9af96458dd14752ccf5d2345ece0d59ca276d8aa
Instruction Fuzzy Hash: AE019E32B105285FDF54DA68DC147FE77BBAB89310F04453AE80AE7648EA759C018BE2

Function 067DA27B Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8610b1c51f1f716bdb101017677ef200f84dc85a2f5cc7561fda53cb9023a4
Instruction ID: 78b17025455e9e73d5138fbf2edf1f699457a7e4328613e1d6a94831e99f782e
Opcode Fuzzy Hash: 8e8610b1c51f1f716bdb101017677ef200f84dc85a2f5cc7561fda53cb9023a4
Instruction Fuzzy Hash: DD012430B106054FDB91EA79D854B3B77E2EBCA718F108C3AE40AC7344EE22EC024380

Function 067D3C38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36acb9dc40690a93b6db96fe4f5753065347603739b1b2a234d023da553d5fab
Instruction ID: f758c85cea8710f26f3814747b0f1b77bfd3d68aa3052ba680ccbb8a95726411
Opcode Fuzzy Hash: 36acb9dc40690a93b6db96fe4f5753065347603739b1b2a234d023da553d5fab
Instruction Fuzzy Hash: BB11D3B1D01219AFCB00DF9AD884ADEFFB4FB49324F10812AE918A7340C375A544CFA5

Function 067D41C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5eb5a2a0084c4e9206d87d740af84c26f72830a03e55531c8e763232d668f2c
Instruction ID: a8db951e9ad24834f74d277413134c45bf159829c20dc86db679e582ec4ee301
Opcode Fuzzy Hash: e5eb5a2a0084c4e9206d87d740af84c26f72830a03e55531c8e763232d668f2c
Instruction Fuzzy Hash: 37016235B100100BDB6499BDD954B2BB2EADBC9714F14C83AE50AC7348ED76EC024395

Function 067D3C30 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f56f2f01148ac9f5c592a797ef67a385b5db6667136291ca28b0151f7877fc6
Instruction ID: 12b50086aea9deea8e44ffc3384451ebe882a4e046d2dea140dfb0c28fddad55
Opcode Fuzzy Hash: 8f56f2f01148ac9f5c592a797ef67a385b5db6667136291ca28b0151f7877fc6
Instruction Fuzzy Hash: 1221D0B5D00269DFCB00CF99D944ADEFBB4FB09324F10862AE918A7340C375AA54CFA5

Function 067DF128 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98485b1482fcd5f7d24e96e503e567f7129e50350d3fd41175d92099a3a7c169
Instruction ID: c633baa533d3ac7b688456c7de47ab4e7afe282ba1e06b7fec341620d2f2e638
Opcode Fuzzy Hash: 98485b1482fcd5f7d24e96e503e567f7129e50350d3fd41175d92099a3a7c169
Instruction Fuzzy Hash: 1F01DC70B100104BDB64997DD854B3E77EADBC9A24F10883AE10BCB340EE6AEC424389

Function 067DA288 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33760550c633950f69e7fc3f42c97a91d8780489fd0f3048344b242aa685c694
Instruction ID: 7329db6cad89ed396375af52fcab0ff824a4c3bdd5c66f5f40b3fc09208d7767
Opcode Fuzzy Hash: 33760550c633950f69e7fc3f42c97a91d8780489fd0f3048344b242aa685c694
Instruction Fuzzy Hash: AA018130B105154FDB60EA7ED955B2AB7E6EB89718F108C39E50AD7344EE26FC414784

Function 067D63E0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a71c9734d6386dc690ae6f65b5411deb73cdad34fb71851986b673a23fd4949
Instruction ID: a32ea8350f38653ed7e9878274fadcd92c5ccb828e0bc323559df6a877e2d9e1
Opcode Fuzzy Hash: 4a71c9734d6386dc690ae6f65b5411deb73cdad34fb71851986b673a23fd4949
Instruction Fuzzy Hash: 39F065B0D18294DFCF61CA748A9877A7BB5AB43214F254DF6D445CB242E13ACE06D712

Function 067D63F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd82ae8ca65274fc3454b2c4d1ce8315d717affde06d8b7be6468b424b4745b
Instruction ID: 4bea0b837033cf3f53c2efa98e8238fff8a0986495897ab8cda09f589f05486a
Opcode Fuzzy Hash: 3bd82ae8ca65274fc3454b2c4d1ce8315d717affde06d8b7be6468b424b4745b
Instruction Fuzzy Hash: B5E0C2B0E10108ABDF50DEB4CA4976E73BCD701204F208CB4D509D7201E236CB028340

Non-executed Functions

Function 067D7618 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$kq, xrefs: 067D777D
$kq, xrefs: 067D7758
$kq, xrefs: 067D7BB4
$kq, xrefs: 067D7B15
$kq, xrefs: 067D7BA8
$kq, xrefs: 067D7B09
$kq, xrefs: 067D774C
$kq, xrefs: 067D7BCA
$kq, xrefs: 067D7789
$kq, xrefs: 067D7BBE

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1324371161
Opcode ID: e47d669de1d70aed0871c621f1aed6f37d09ff0771791c2c202cb640b1844b72
Instruction ID: 0bd4cac70b4ef586e4eb722c8a0f65cc585fa4c24f09f250d7087234b12c9847
Opcode Fuzzy Hash: e47d669de1d70aed0871c621f1aed6f37d09ff0771791c2c202cb640b1844b72
Instruction Fuzzy Hash: 02123E30E01619CFDB68DF65C994AAEB7B6FF84304F208969D509AB364DB349D85CF80

Function 067DA8A8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$kq, xrefs: 067DAA30
$kq, xrefs: 067DA99E
$kq, xrefs: 067DAA5A
$kq, xrefs: 067DAA05
$kq, xrefs: 067DA9F9
$kq, xrefs: 067DA9AA
$kq, xrefs: 067DAA66
$kq, xrefs: 067DAA24

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: e734066c947069fd864555b29dbd6796d8a11b2fa2a71e025c36a48199752568
Instruction ID: f482aa9262711a14959fafb2904b75c562af20083a2895d98390030619136804
Opcode Fuzzy Hash: e734066c947069fd864555b29dbd6796d8a11b2fa2a71e025c36a48199752568
Instruction Fuzzy Hash: 41917230E10209DFDB64EF64DA5477EBBB2BF84304F208929D442A7798DB759D45CB90

Function 067D7018 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$kq, xrefs: 067D72FA
$kq, xrefs: 067D7354
$kq, xrefs: 067D74B4
$kq, xrefs: 067D7360
$kq, xrefs: 067D752C
$kq, xrefs: 067D7520

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 21a63567091600e1b68f094ca2e9430ff56570ae2620b4aef3f99c39869d1554
Instruction ID: 71aacceaaba0c5a052c977c92f42ba3bb7988311b7f06e85d0a3fe1c6a550598
Opcode Fuzzy Hash: 21a63567091600e1b68f094ca2e9430ff56570ae2620b4aef3f99c39869d1554
Instruction Fuzzy Hash: FAF15130B00609CFDB58EF64C554A6EBBB3BF84304F248969D4469B768DB35EC86CB81

Function 067D8350 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$kq, xrefs: 067D85AA
$kq, xrefs: 067D85B6
$kq, xrefs: 067D861B
$kq, xrefs: 067D860F

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 861eaebd42a0702fdb6a660a757c9bcca8dbcde022b3eebf35f8e7aaa7d0af54
Instruction ID: b2ae05fb27090d418ede0714f402e693627fbc112ad61228861708371378bbd5
Opcode Fuzzy Hash: 861eaebd42a0702fdb6a660a757c9bcca8dbcde022b3eebf35f8e7aaa7d0af54
Instruction Fuzzy Hash: 6AB13B30E102098FDB64EFA8C5506AEBBB2AF84314F248929D446DB359DB75DC86CB91

Function 067D8768 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$kq, xrefs: 067D87F3
$kq, xrefs: 067D87E7
LRkq, xrefs: 067D885B
LRkq, xrefs: 067D88AA

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: LRkq$LRkq$$kq$$kq
API String ID: 0-2392252538
Opcode ID: bb068ade9825b319e6160e616d1f6c17354306fd2e835d2555a0a2c5ac99454e
Instruction ID: c462ddfc1d110f8b6820b58c9adce30ffe0a71afd48fa69c89e961b7f7928ccf
Opcode Fuzzy Hash: bb068ade9825b319e6160e616d1f6c17354306fd2e835d2555a0a2c5ac99454e
Instruction Fuzzy Hash: A851D530B002059FDB58EB68DA40A6E77F2FF84304F148969E502DB7A9DB30EC41CB96

Function 067DAC30 Relevance: 5.2, Strings: 4, Instructions: 165COMMON

Download Yara Rule

Strings

$kq, xrefs: 067DADB4
$kq, xrefs: 067DADE3
$kq, xrefs: 067DAE0C
$kq, xrefs: 067DAD61

Memory Dump Source

Source File: 00000008.00000002.4208993616.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_67d0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 995e444cefe75b7f07d236809459d056c716b4ca73e8336fab88e2a053ead75c
Instruction ID: 99199c59ac32bb6a9954db902429e878b2d933ea60141879e06eae231de87388
Opcode Fuzzy Hash: 995e444cefe75b7f07d236809459d056c716b4ca73e8336fab88e2a053ead75c
Instruction Fuzzy Hash: 1E517E34E106058FDF69EB68D6806AEB7B2FF84311F248E29D44697358DB35EC41CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ship Docs YINGHAI-MANE PO 240786.xlsx.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\adobe.exe.log

C:\Users\user\AppData\Roaming\Adobe\adobe.exe

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
Ship Docs YINGHAI-MANE PO 240786.xlsx.exe

Function 052D0000 Relevance: 13.9, APIs: 9, Instructions: 353
threadinjectionmemoryCOMMON

Function 052D0054 Relevance: 13.8, APIs: 9, Instructions: 322
threadinjectionprocessCOMMON

Function 01470AC9 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Function 014704C0 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Function 014703D0 Relevance: 1.4, APIs: 1, Instructions: 123
memoryCOMMON

Function 01470971 Relevance: 1.4, APIs: 1, Instructions: 117
memoryCOMMON

Function 014704B4 Relevance: 1.3, APIs: 1, Instructions: 50
memoryCOMMON

Function 052D0420 Relevance: 1.3, APIs: 1, Instructions: 15
memoryCOMMON

Function 06723018 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Function 067278F8 Relevance: 3.0, Strings: 2, Instructions: 478
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre