Edit tour

Windows Analysis Report
PRE ALERT Docs_PONBOM01577.xlsx.exe

Overview

General Information

Sample name:	PRE ALERT Docs_PONBOM01577.xlsx.exe
Analysis ID:	1467356
MD5:	1154cd3205e7e1226b03b1ee15278e0a
SHA1:	11b53a6d9f81defb309a972c3903b1de976e5911
SHA256:	8797ef6cb2e95b65334b38d11068783acad3aa173ede96e152ad66beb40deee3
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Drops executable to a common third party application directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PRE ALERT Docs_PONBOM01577.xlsx.exe (PID: 4464 cmdline: "C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe" MD5: 1154CD3205E7E1226B03B1EE15278E0A)

PRE ALERT Docs_PONBOM01577.xlsx.exe (PID: 7180 cmdline: "C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe" MD5: 1154CD3205E7E1226B03B1EE15278E0A)

adobe.exe (PID: 7444 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 1154CD3205E7E1226B03B1EE15278E0A)

adobe.exe (PID: 7484 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 1154CD3205E7E1226B03B1EE15278E0A)

adobe.exe (PID: 7776 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 1154CD3205E7E1226B03B1EE15278E0A)

adobe.exe (PID: 7820 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 1154CD3205E7E1226B03B1EE15278E0A)

adobe.exe (PID: 7828 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 1154CD3205E7E1226B03B1EE15278E0A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_dol", "Password": "Doll900#@"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.4099572148.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4099468817.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.1875942602.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1875942602.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.1868550635.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1868550635.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4099468817.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4099468817.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.1875942602.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1644979202.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1644979202.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.4099572148.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.4099572148.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1791642925.0000000003E39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1791642925.0000000003E39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PRE ALERT Docs_PONBOM01577.xlsx.exe PID: 4464	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PRE ALERT Docs_PONBOM01577.xlsx.exe PID: 4464	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PRE ALERT Docs_PONBOM01577.xlsx.exe PID: 4464	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PRE ALERT Docs_PONBOM01577.xlsx.exe PID: 7180	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PRE ALERT Docs_PONBOM01577.xlsx.exe PID: 7180	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 7444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 7444	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: adobe.exe PID: 7444	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 7484	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 7484	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 7776	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: adobe.exe PID: 7828	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 7828	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32162:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3225e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3235a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32462:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f4ad:$s2: GetPrivateProfileString 0x2eb59:$s3: get_OSFullName 0x301ab:$s5: remove_Key 0x30371:$s5: remove_Key 0x31230:$s6: FtpWebRequest 0x32144:$s7: logins 0x326b6:$s7: logins 0x35399:$s7: logins 0x35479:$s7: logins 0x36dca:$s7: logins 0x36013:$s9: 1.85 (Hash, version 2, native byte-order)
4.2.adobe.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.adobe.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.adobe.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.adobe.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x37e13:$s9: 1.85 (Hash, version 2, native byte-order)
3.2.adobe.exe.3ec1420.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.adobe.exe.3ec1420.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.adobe.exe.3ec1420.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32162:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3225e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3235a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32462:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.adobe.exe.3ec1420.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f4ad:$s2: GetPrivateProfileString 0x2eb59:$s3: get_OSFullName 0x301ab:$s5: remove_Key 0x30371:$s5: remove_Key 0x31230:$s6: FtpWebRequest 0x32144:$s7: logins 0x326b6:$s7: logins 0x35399:$s7: logins 0x35479:$s7: logins 0x36dca:$s7: logins 0x36013:$s9: 1.85 (Hash, version 2, native byte-order)
3.2.adobe.exe.3efca40.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.adobe.exe.3efca40.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.adobe.exe.3efca40.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32162:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3225e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3235a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32462:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.adobe.exe.3efca40.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f4ad:$s2: GetPrivateProfileString 0x2eb59:$s3: get_OSFullName 0x301ab:$s5: remove_Key 0x30371:$s5: remove_Key 0x31230:$s6: FtpWebRequest 0x32144:$s7: logins 0x326b6:$s7: logins 0x35399:$s7: logins 0x35479:$s7: logins 0x36dca:$s7: logins 0x36013:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32162:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3225e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3235a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32462:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f4ad:$s2: GetPrivateProfileString 0x2eb59:$s3: get_OSFullName 0x301ab:$s5: remove_Key 0x30371:$s5: remove_Key 0x31230:$s6: FtpWebRequest 0x32144:$s7: logins 0x326b6:$s7: logins 0x35399:$s7: logins 0x35479:$s7: logins 0x36dca:$s7: logins 0x36013:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f382:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f3f4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f47e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f510:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f57a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f5ec:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f682:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f712:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x6c6cd:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x6bd79:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x6d3cb:$s5: remove_Key 0x6d591:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x6e450:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x6f364:$s7: logins 0x6f8d6:$s7: logins 0x725b9:$s7: logins 0x72699:$s7: logins 0x73fea:$s7: logins 0x37e13:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f582:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaa9a2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f5f4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaaa14:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f67e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaaa9e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f710:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaab30:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f77a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaab9a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f7ec:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaac0c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f882:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaaca2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x6c8cd:$s2: GetPrivateProfileString 0xa7ced:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x6bf79:$s3: get_OSFullName 0xa7399:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x6d5cb:$s5: remove_Key 0x6d791:$s5: remove_Key 0xa89eb:$s5: remove_Key 0xa8bb1:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x6e650:$s6: FtpWebRequest 0xa9a70:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x6f564:$s7: logins
3.2.adobe.exe.3efca40.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.adobe.exe.3efca40.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.adobe.exe.3efca40.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.adobe.exe.3efca40.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f382:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f3f4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f47e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f510:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f57a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f5ec:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f682:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f712:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.adobe.exe.3efca40.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x6c6cd:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x6bd79:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x6d3cb:$s5: remove_Key 0x6d591:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x6e450:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x6f364:$s7: logins 0x6f8d6:$s7: logins 0x725b9:$s7: logins 0x72699:$s7: logins 0x73fea:$s7: logins 0x37e13:$s9: 1.85 (Hash, version 2, native byte-order)
3.2.adobe.exe.3ec1420.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.adobe.exe.3ec1420.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.adobe.exe.3ec1420.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.adobe.exe.3ec1420.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f582:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaa9a2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f5f4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaaa14:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f67e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaaa9e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f710:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaab30:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f77a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaab9a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f7ec:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaac0c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f882:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaaca2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
3.2.adobe.exe.3ec1420.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x6c8cd:$s2: GetPrivateProfileString 0xa7ced:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x6bf79:$s3: get_OSFullName 0xa7399:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x6d5cb:$s5: remove_Key 0x6d791:$s5: remove_Key 0xa89eb:$s5: remove_Key 0xa8bb1:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x6e650:$s6: FtpWebRequest 0xa9a70:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x6f564:$s7: logins
Click to see the 33 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe", CommandLine: "C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe, NewProcessName: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe, OriginalFileName: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe", ProcessId: 4464, ProcessName: PRE ALERT Docs_PONBOM01577.xlsx.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\adobe\adobe.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe, ProcessId: 7180, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe

Snort Signatures

ET TROJAN AgentTesla Exfil via FTP - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	07/04/24-03:40:20.785490
SID:	2029927
Source Port:	49748
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	07/04/24-03:40:21.384961
SID:	2855542
Source Port:	49749
Destination Port:	63065
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	07/04/24-03:40:13.264826
SID:	2851779
Source Port:	49741
Destination Port:	63983
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	07/04/24-03:39:58.804072
SID:	2855542
Source Port:	49736
Destination Port:	63817
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	07/04/24-03:40:21.384961
SID:	2851779
Source Port:	49749
Destination Port:	63065
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil via FTP - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	07/04/24-03:40:12.687826
SID:	2029927
Source Port:	49739
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	07/04/24-03:41:23.727695
SID:	2851779
Source Port:	49751
Destination Port:	63014
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil via FTP - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	07/04/24-03:39:58.216699
SID:	2029927
Source Port:	49734
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	07/04/24-03:39:58.804072
SID:	2851779
Source Port:	49736
Destination Port:	63817
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	07/04/24-03:40:13.264826
SID:	2855542
Source Port:	49741
Destination Port:	63983
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Avira: detection malicious, Label: HEUR/AGEN.1309979

Found malware configuration

Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_dol", "Password": "Doll900#@"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Virustotal: Detection: 29%			Perma Link

Multi AV Scanner detection for submitted file

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe	ReversingLabs: Detection: 23%
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe	Virustotal: Detection: 29%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49747 version: TLS 1.2

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: slZY.pdb source: PRE ALERT Docs_PONBOM01577.xlsx.exe, adobe.exe.2.dr
Source:	Binary string: slZY.pdbSHA256L source: PRE ALERT Docs_PONBOM01577.xlsx.exe, adobe.exe.2.dr

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.4:49734 -> 213.189.52.181:21
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49736 -> 213.189.52.181:63817
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49736 -> 213.189.52.181:63817
Source: Traffic	Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.4:49739 -> 213.189.52.181:21
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49741 -> 213.189.52.181:63983
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49741 -> 213.189.52.181:63983
Source: Traffic	Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.4:49748 -> 213.189.52.181:21
Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49749 -> 213.189.52.181:63065
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49749 -> 213.189.52.181:63065
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49751 -> 213.189.52.181:63014

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 213.189.52.181 ports 63065,63983,63014,1,63817,2,21

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.adobe.exe.3efca40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.3ec1420.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 213.189.52.181:63817

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: ECO-ATMAN-PLECO-ATMAN-PL ECO-ATMAN-PLECO-ATMAN-PL

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

FTP traffic detected: 213.189.52.181:21 -> 192.168.2.4:49734 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 03:39. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 03:39. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 03:39. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s4.serv00.com

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.1875942602.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4099572148.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s4.serv00.com
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.1875942602.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4099572148.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp, PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646648170.0000000005720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1644979202.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1791642925.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.1868550635.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1644979202.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1791642925.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.1875942602.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.1868550635.0000000000402000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4099572148.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.1875942602.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4099572148.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.1875942602.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4099572148.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49747 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, JovGVW.cs	.Net Code: _5PXjwm
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.raw.unpack, JovGVW.cs	.Net Code: _5PXjwm

Installs a global keyboard hook

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 4.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.adobe.exe.3ec1420.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.adobe.exe.3ec1420.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.adobe.exe.3efca40.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.adobe.exe.3efca40.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.adobe.exe.3efca40.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.adobe.exe.3efca40.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.adobe.exe.3ec1420.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.adobe.exe.3ec1420.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.2de85e8.1.raw.unpack, -Module-.cs	Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.7be0000.8.raw.unpack, -Module-.cs	Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 0_2_0136D5BC	0_2_0136D5BC
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 0_2_04DD85D8	0_2_04DD85D8
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 0_2_04DD6548	0_2_04DD6548
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 0_2_04DD6560	0_2_04DD6560
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 0_2_04DD6DD0	0_2_04DD6DD0
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 0_2_04DDCE38	0_2_04DDCE38
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 0_2_04DD8F88	0_2_04DD8F88
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 0_2_04DD8F77	0_2_04DD8F77
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 0_2_04DD6998	0_2_04DD6998
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 0_2_04DD6988	0_2_04DD6988
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 0_2_05350006	0_2_05350006
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 0_2_05350040	0_2_05350040
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 0_2_05356BC8	0_2_05356BC8
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_02C0B397	2_2_02C0B397
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_02C04A90	2_2_02C04A90
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_02C0EEA8	2_2_02C0EEA8
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_02C03E78	2_2_02C03E78
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_02C041C0	2_2_02C041C0
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_069C289B	2_2_069C289B
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_069C28A8	2_2_069C28A8
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_06A1C0F8	2_2_06A1C0F8
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_06A13018	2_2_06A13018
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_06A16160	2_2_06A16160
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_06A15150	2_2_06A15150
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_06A1AD90	2_2_06A1AD90
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_06A178F8	2_2_06A178F8
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_06A17218	2_2_06A17218
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_06A1E328	2_2_06A1E328
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_06A12340	2_2_06A12340
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_06A10040	2_2_06A10040
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_06A1584F	2_2_06A1584F
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_06A10006	2_2_06A10006
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_0149D5BC	3_2_0149D5BC
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_04EA3AE8	3_2_04EA3AE8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_04EA6690	3_2_04EA6690
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_04EA8708	3_2_04EA8708
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_04EA90A9	3_2_04EA90A9
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_04EA90B8	3_2_04EA90B8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_04EACFB0	3_2_04EACFB0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_04EA6F00	3_2_04EA6F00
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_04EA6AC8	3_2_04EA6AC8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_04EA6AB8	3_2_04EA6AB8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_0106E8A8	4_2_0106E8A8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_01064A90	4_2_01064A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_01063E78	4_2_01063E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_010641C0	4_2_010641C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06881734	4_2_06881734
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06882458	4_2_06882458
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06882468	4_2_06882468
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_0688315F	4_2_0688315F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06893418	4_2_06893418
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06895550	4_2_06895550
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06896560	4_2_06896560
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_0689C0F8	4_2_0689C0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_0689B198	4_2_0689B198
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06897CF8	4_2_06897CF8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06897618	4_2_06897618
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06892743	4_2_06892743
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_0689E328	4_2_0689E328
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06890040	4_2_06890040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06895C4F	4_2_06895C4F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_0689003F	4_2_0689003F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_0127D5BC	6_2_0127D5BC
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_02B18378	6_2_02B18378
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_02B16560	6_2_02B16560
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_02B16548	6_2_02B16548
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_02B16998	6_2_02B16998
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_02B16988	6_2_02B16988
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_02B18F88	6_2_02B18F88
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_02B18F77	6_2_02B18F77
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_02B16DD0	6_2_02B16DD0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_00E14A90	8_2_00E14A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_00E13E78	8_2_00E13E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_00E141C0	8_2_00E141C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_06691734	8_2_06691734
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_06692468	8_2_06692468
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_0669245A	8_2_0669245A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_0669315E	8_2_0669315E
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066A3418	8_2_066A3418
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066A6560	8_2_066A6560
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066A5550	8_2_066A5550
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066AC0F8	8_2_066AC0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066AB198	8_2_066AB198
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066A7CF8	8_2_066A7CF8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066A7618	8_2_066A7618
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066A2742	8_2_066A2742
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066AE328	8_2_066AE328
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066A0040	8_2_066A0040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066A5C4F	8_2_066A5C4F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066A003E	8_2_066A003E

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1644979202.000000000479E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PRE ALERT Docs_PONBOM01577.xlsx.exe
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1647589212.0000000007BE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs PRE ALERT Docs_PONBOM01577.xlsx.exe
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1642496723.000000000101E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PRE ALERT Docs_PONBOM01577.xlsx.exe
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1644979202.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea9d26a1c-7dc5-441c-98a8-6dd01f6d79df.exe4 vs PRE ALERT Docs_PONBOM01577.xlsx.exe
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000000.1626505579.0000000000ABE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameslZY.exeR vs PRE ALERT Docs_PONBOM01577.xlsx.exe
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1644376716.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs PRE ALERT Docs_PONBOM01577.xlsx.exe
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1644376716.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea9d26a1c-7dc5-441c-98a8-6dd01f6d79df.exe4 vs PRE ALERT Docs_PONBOM01577.xlsx.exe
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1645970706.0000000004DE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PRE ALERT Docs_PONBOM01577.xlsx.exe
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4095305083.0000000000BB9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PRE ALERT Docs_PONBOM01577.xlsx.exe
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe	Binary or memory string: OriginalFilenameslZY.exeR vs PRE ALERT Docs_PONBOM01577.xlsx.exe

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 4.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.adobe.exe.3ec1420.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.adobe.exe.3ec1420.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.adobe.exe.3efca40.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.adobe.exe.3efca40.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.adobe.exe.3efca40.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.adobe.exe.3efca40.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.adobe.exe.3ec1420.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.adobe.exe.3ec1420.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: adobe.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, KNymkUU5gB.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, KNymkUU5gB.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, LPE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, LPE.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, GSnIefby3g48AVtXRC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	Security API names: _0020.SetAccessControl
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	Security API names: _0020.AddAccessRule
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, GSnIefby3g48AVtXRC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, GSnIefby3g48AVtXRC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, GSnIefby3g48AVtXRC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/4@2/2

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PRE ALERT Docs_PONBOM01577.xlsx.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Mutant created: NULL

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe	ReversingLabs: Detection: 23%
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe	Virustotal: Detection: 29%

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

File read: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe "C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe"
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process created: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe "C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process created: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe "C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: slZY.pdb source: PRE ALERT Docs_PONBOM01577.xlsx.exe, adobe.exe.2.dr
Source:	Binary string: slZY.pdbSHA256L source: PRE ALERT Docs_PONBOM01577.xlsx.exe, adobe.exe.2.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, StringListEditor.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.2de85e8.1.raw.unpack, -Module-.cs	.Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.2de85e8.1.raw.unpack, PingPong.cs	.Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	.Net Code: tKWOIdEytW System.Reflection.Assembly.Load(byte[])
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	.Net Code: tKWOIdEytW System.Reflection.Assembly.Load(byte[])
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	.Net Code: tKWOIdEytW System.Reflection.Assembly.Load(byte[])
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.7be0000.8.raw.unpack, -Module-.cs	.Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.7be0000.8.raw.unpack, PingPong.cs	.Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: adobe.exe.2.dr, StringListEditor.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	.Net Code: tKWOIdEytW System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 0_2_01369C61 pushad ; iretd	0_2_01369C6D
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_069C9F31 pushfd ; iretd	2_2_069C9F32
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_069CBAB0 push es; ret	2_2_069CBAC0
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Code function: 2_2_069C7952 push es; ret	2_2_069C7960
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_01499C40 pushad ; iretd	3_2_01499C6D
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_01499C21 pushad ; iretd	3_2_01499C6D
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_01060C55 push edi; retf	4_2_01060C7A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_0688BB50 push es; ret	4_2_0688BB60
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_01279C40 pushad ; iretd	6_2_01279C6D
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_02B1D485 push FFFFFF8Bh; iretd	6_2_02B1D487
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_06697673 push es; ret	8_2_06697680

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe	Static PE information: section name: .text entropy: 7.945017887436935
Source: adobe.exe.2.dr	Static PE information: section name: .text entropy: 7.945017887436935

Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, KJKWYe04ndXo1dLGx3.cs	High entropy of concatenated method names: 'BoO1VZ3yYZ', 'bZf13w2bGv', 'Muw1nTBUh2', 'qld18uYn3v', 'xic1ZvRaeo', 'cOn1QGCe3B', 'PJa17V3YuN', 'NT61smAoyN', 'PDk1bGayh1', 'hGx1G6TakJ'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, JIgtojd31oq0a8Ne66.cs	High entropy of concatenated method names: 'fBo7H6bu2o', 'BG17MHAIkt', 'ToString', 'vft7hQ0sWB', 'B847XV6Ftf', 'oZQ719mtPd', 'dy87SBe5EE', 'Ln37dc9MFb', 'qru7fwptEf', 'DPI7rI16GF'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, cYgM2iBJbIwf49iAyB.cs	High entropy of concatenated method names: 'JpIZJVMdmN', 'T4tZixUith', 'nLMZBAZBEL', 'eNgZeiJCcF', 'ErTZgnDjxw', 'cFuZucEK9a', 'oxdZ0DZtRo', 'FVBZ6Vuj3S', 'LCVZ4OrxBZ', 'DOIZT7BQfO'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, YIBjEUC2hYAeNNhpTX.cs	High entropy of concatenated method names: 'Dispose', 'JwoPNI70GU', 'QXJDgyodMG', 'T1tRRlfWiv', 'bqnPCBWfoI', 'NiAPzALTrw', 'ProcessDialogKey', 'BS7DWLDZI0', 'PwjDPVPySr', 'CN0DD82I3e'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, u0WLUiFmU62nf8wvh47.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UKLGBQHpdg', 'TuMGesqYuQ', 'zokGaY7PiQ', 'gpvGmOX0fD', 'b7YGAYCWv9', 'GMhGqfFUlP', 'RZdG5RTbgb'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, arCIwW2EHbpP4FTa9P.cs	High entropy of concatenated method names: 'YQ9bP1LGFV', 'jFtbcPGs1b', 'nv7bOMvOgk', 'MkIbhlUljB', 'rwnbXr95jl', 'HVmbS8lLqf', 'bIpbdwft5E', 'hyXs5a5PAR', 'Nv2sj19auZ', 'BiCsNtVcqS'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, KbE2EyPT6T9ZpExMle.cs	High entropy of concatenated method names: 'ToString', 'dSQQv7JoOT', 'Vu1QgLGjmo', 'XbUQutePo2', 'LP3Q0qH8eV', 'x80Q6sLK7x', 'eaIQ4vYth2', 'vlBQTxf70B', 'uYaQY2hXcM', 'OXsQKL0Bnc'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, EpHttsc5PRSC3qdCh0.cs	High entropy of concatenated method names: 'TaDSUA9o0g', 'SixSpF612C', 'Rkc1uEVDhb', 'ce4101dNwk', 'Qlt16mC0Mn', 'uMt14KQQtc', 'j6I1Tqs26R', 'zt51YW7cJF', 'y1K1KI8SIW', 'idE1JMyZrc'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	High entropy of concatenated method names: 'MbicxpZ2iF', 'JuvchEhy8a', 'uXOcXbhS9N', 'QQ8c1B4lO2', 'MU5cSQc8hy', 'CwEcdg1ndQ', 'TxacfmwhGN', 'J97crMb2vj', 'EC2c2tX3Zx', 'WapcHvx2f5'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, tu8VtYjuLCMFEaI0Kd.cs	High entropy of concatenated method names: 'aNAfhsbeQA', 'UoBf12RayJ', 'EEdfdJXQ7P', 'o71dCZ3WBi', 'ecndzTPK3s', 'xHofWXUWvo', 'trmfPtxGBm', 'DaufDjjCpS', 'SIEfcmy6HR', 'uqlfOjnjXk'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, O9liTyGSgHOXubn0i8.cs	High entropy of concatenated method names: 'HQishiHRWB', 'PZasXxLYvU', 'Gwws181ICw', 'aOnsSSdRIu', 'B0Ysdwggw4', 'WvRsfN7ceT', 'OBIsrBt0iK', 'wl5s2xhcHe', 'MMfsHfRpvH', 'bhDsMBYxIU'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, MW4t0FZVT9Flwx07F2.cs	High entropy of concatenated method names: 'jKmPfj3Zwa', 'TaCPrOI7mq', 'yjYPH7Wcjj', 'ulBPMllnPr', 'PKHPZvvWyr', 'nP0PQQnG5l', 'f1RXY0xkuhabvDSNLZ', 'xkE2kPXe5CJUGkmRWn', 'Lv5PPQGMPR', 'nh7PcE3Gqk'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, JKi31c4KTy182hEMiH.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rGjDNNgBFF', 'SyDDCYKoCw', 'AouDzPOKth', 'SUncWnHE9k', 'jjLcPWdNNW', 'AN1cD79LKr', 'NY3ccAJYqr', 'Mop9wOvR3GhBV8GFaeK'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, sJ7fiJFFyK6osPUw34M.cs	High entropy of concatenated method names: 'ToString', 'SAEGcAbddD', 'PUIGO12n5v', 'InfGxhi3JC', 'ByuGhP43J2', 'MGAGXsUZXc', 'hy3G1YmOaT', 'Q5KGSEFRb6', 'GkwrXykGkFTpWYNeNAB', 'W30nAskpxZdPlL3YgXS'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, Hi02iDQ2gBgWPDty6N.cs	High entropy of concatenated method names: 'ExEIrPqpK', 'QxtVGIc0Q', 'vOT3yKblI', 'apNpUFH0y', 'bkf8eu1yJ', 'elottBqy2', 'WZdm4HN0h93wHSHvYS', 'gMmdoBKIhmf5kR02Ts', 'i7UskmTSG', 'wYaGT4PhW'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, T8bvccOhIfvV5HBWMM.cs	High entropy of concatenated method names: 'lFAfoGKQGo', 'FgmfL4irFe', 'OxJfIkfUh7', 'm47fVZkwVg', 'CRwfU8QPEv', 'NHDf3GsEkU', 'e2Mfp7N7ca', 'JUCfniqDt0', 'DZhf8iq3bM', 'E0Wft28jk0'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, zQ5YunFDytNkOgIn8yZ.cs	High entropy of concatenated method names: 'dgPboq3e2i', 'rhDbL1hAvR', 'oiqbIJBF4E', 'jHfbVjC6ba', 'OstbUmMLeB', 'BuVb30Lgx2', 'jRsbpPp4Ax', 'v8abn2hNuY', 'kqpb8rC3gR', 'GObbtPOeJu'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, H4tCJy9NCfMBVS71J3.cs	High entropy of concatenated method names: 'U3EdxnDdGj', 'sm1dXyEg9B', 'W7cdSCjgtm', 'js8dfq50eJ', 'S6IdrHovkY', 'Dk4SANBvG1', 'jwFSqsSjvG', 'pgpS5RRd0F', 'JKCSjkmCQt', 'wtJSNiDadD'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, SPiHFIMwYaDrrusNMP.cs	High entropy of concatenated method names: 'KJWskQyIY0', 'm20sguLWP1', 'do0suFQlFf', 'kN6s0lKwis', 'bUEsBJXCBA', 'HCEs6CUcRE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, ptRbsCzeYp8KN76ouN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zeFbwCTgWr', 'VZAbZndMub', 'J3bbQfKgHt', 'VVAb7Gx6EV', 'VDHbsDeCSv', 'eUnbbXHL1Q', 'Ad3bGcUlnF'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, b3yglJ52boJJBcwNHd.cs	High entropy of concatenated method names: 'ujRwnr3QMi', 'eVfw8WqdTc', 'VfdwkHwxl2', 'eoAwg5whOM', 'IfKw05feTq', 'fIhw6N5TEs', 'ueSwTFOaZO', 'zDJwYfkeLY', 'RXuwJKAesj', 'SIQwv3wtpq'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.49a8960.4.raw.unpack, GSnIefby3g48AVtXRC.cs	High entropy of concatenated method names: 'TW9XB3BvfO', 'EfRXeystKT', 'mw0Xax4eFh', 'NF4Xm2TJV6', 'oSGXAuqZ3R', 'WVIXqWXalX', 'xkNX5fM5P1', 'uYvXjvp5VK', 'X5nXNDf69K', 'aYlXCpomsL'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, KJKWYe04ndXo1dLGx3.cs	High entropy of concatenated method names: 'BoO1VZ3yYZ', 'bZf13w2bGv', 'Muw1nTBUh2', 'qld18uYn3v', 'xic1ZvRaeo', 'cOn1QGCe3B', 'PJa17V3YuN', 'NT61smAoyN', 'PDk1bGayh1', 'hGx1G6TakJ'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, JIgtojd31oq0a8Ne66.cs	High entropy of concatenated method names: 'fBo7H6bu2o', 'BG17MHAIkt', 'ToString', 'vft7hQ0sWB', 'B847XV6Ftf', 'oZQ719mtPd', 'dy87SBe5EE', 'Ln37dc9MFb', 'qru7fwptEf', 'DPI7rI16GF'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, cYgM2iBJbIwf49iAyB.cs	High entropy of concatenated method names: 'JpIZJVMdmN', 'T4tZixUith', 'nLMZBAZBEL', 'eNgZeiJCcF', 'ErTZgnDjxw', 'cFuZucEK9a', 'oxdZ0DZtRo', 'FVBZ6Vuj3S', 'LCVZ4OrxBZ', 'DOIZT7BQfO'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, YIBjEUC2hYAeNNhpTX.cs	High entropy of concatenated method names: 'Dispose', 'JwoPNI70GU', 'QXJDgyodMG', 'T1tRRlfWiv', 'bqnPCBWfoI', 'NiAPzALTrw', 'ProcessDialogKey', 'BS7DWLDZI0', 'PwjDPVPySr', 'CN0DD82I3e'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, u0WLUiFmU62nf8wvh47.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UKLGBQHpdg', 'TuMGesqYuQ', 'zokGaY7PiQ', 'gpvGmOX0fD', 'b7YGAYCWv9', 'GMhGqfFUlP', 'RZdG5RTbgb'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, arCIwW2EHbpP4FTa9P.cs	High entropy of concatenated method names: 'YQ9bP1LGFV', 'jFtbcPGs1b', 'nv7bOMvOgk', 'MkIbhlUljB', 'rwnbXr95jl', 'HVmbS8lLqf', 'bIpbdwft5E', 'hyXs5a5PAR', 'Nv2sj19auZ', 'BiCsNtVcqS'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, KbE2EyPT6T9ZpExMle.cs	High entropy of concatenated method names: 'ToString', 'dSQQv7JoOT', 'Vu1QgLGjmo', 'XbUQutePo2', 'LP3Q0qH8eV', 'x80Q6sLK7x', 'eaIQ4vYth2', 'vlBQTxf70B', 'uYaQY2hXcM', 'OXsQKL0Bnc'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, EpHttsc5PRSC3qdCh0.cs	High entropy of concatenated method names: 'TaDSUA9o0g', 'SixSpF612C', 'Rkc1uEVDhb', 'ce4101dNwk', 'Qlt16mC0Mn', 'uMt14KQQtc', 'j6I1Tqs26R', 'zt51YW7cJF', 'y1K1KI8SIW', 'idE1JMyZrc'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	High entropy of concatenated method names: 'MbicxpZ2iF', 'JuvchEhy8a', 'uXOcXbhS9N', 'QQ8c1B4lO2', 'MU5cSQc8hy', 'CwEcdg1ndQ', 'TxacfmwhGN', 'J97crMb2vj', 'EC2c2tX3Zx', 'WapcHvx2f5'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, tu8VtYjuLCMFEaI0Kd.cs	High entropy of concatenated method names: 'aNAfhsbeQA', 'UoBf12RayJ', 'EEdfdJXQ7P', 'o71dCZ3WBi', 'ecndzTPK3s', 'xHofWXUWvo', 'trmfPtxGBm', 'DaufDjjCpS', 'SIEfcmy6HR', 'uqlfOjnjXk'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, O9liTyGSgHOXubn0i8.cs	High entropy of concatenated method names: 'HQishiHRWB', 'PZasXxLYvU', 'Gwws181ICw', 'aOnsSSdRIu', 'B0Ysdwggw4', 'WvRsfN7ceT', 'OBIsrBt0iK', 'wl5s2xhcHe', 'MMfsHfRpvH', 'bhDsMBYxIU'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, MW4t0FZVT9Flwx07F2.cs	High entropy of concatenated method names: 'jKmPfj3Zwa', 'TaCPrOI7mq', 'yjYPH7Wcjj', 'ulBPMllnPr', 'PKHPZvvWyr', 'nP0PQQnG5l', 'f1RXY0xkuhabvDSNLZ', 'xkE2kPXe5CJUGkmRWn', 'Lv5PPQGMPR', 'nh7PcE3Gqk'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, JKi31c4KTy182hEMiH.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rGjDNNgBFF', 'SyDDCYKoCw', 'AouDzPOKth', 'SUncWnHE9k', 'jjLcPWdNNW', 'AN1cD79LKr', 'NY3ccAJYqr', 'Mop9wOvR3GhBV8GFaeK'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, sJ7fiJFFyK6osPUw34M.cs	High entropy of concatenated method names: 'ToString', 'SAEGcAbddD', 'PUIGO12n5v', 'InfGxhi3JC', 'ByuGhP43J2', 'MGAGXsUZXc', 'hy3G1YmOaT', 'Q5KGSEFRb6', 'GkwrXykGkFTpWYNeNAB', 'W30nAskpxZdPlL3YgXS'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, Hi02iDQ2gBgWPDty6N.cs	High entropy of concatenated method names: 'ExEIrPqpK', 'QxtVGIc0Q', 'vOT3yKblI', 'apNpUFH0y', 'bkf8eu1yJ', 'elottBqy2', 'WZdm4HN0h93wHSHvYS', 'gMmdoBKIhmf5kR02Ts', 'i7UskmTSG', 'wYaGT4PhW'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, T8bvccOhIfvV5HBWMM.cs	High entropy of concatenated method names: 'lFAfoGKQGo', 'FgmfL4irFe', 'OxJfIkfUh7', 'm47fVZkwVg', 'CRwfU8QPEv', 'NHDf3GsEkU', 'e2Mfp7N7ca', 'JUCfniqDt0', 'DZhf8iq3bM', 'E0Wft28jk0'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, zQ5YunFDytNkOgIn8yZ.cs	High entropy of concatenated method names: 'dgPboq3e2i', 'rhDbL1hAvR', 'oiqbIJBF4E', 'jHfbVjC6ba', 'OstbUmMLeB', 'BuVb30Lgx2', 'jRsbpPp4Ax', 'v8abn2hNuY', 'kqpb8rC3gR', 'GObbtPOeJu'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, H4tCJy9NCfMBVS71J3.cs	High entropy of concatenated method names: 'U3EdxnDdGj', 'sm1dXyEg9B', 'W7cdSCjgtm', 'js8dfq50eJ', 'S6IdrHovkY', 'Dk4SANBvG1', 'jwFSqsSjvG', 'pgpS5RRd0F', 'JKCSjkmCQt', 'wtJSNiDadD'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, SPiHFIMwYaDrrusNMP.cs	High entropy of concatenated method names: 'KJWskQyIY0', 'm20sguLWP1', 'do0suFQlFf', 'kN6s0lKwis', 'bUEsBJXCBA', 'HCEs6CUcRE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, ptRbsCzeYp8KN76ouN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zeFbwCTgWr', 'VZAbZndMub', 'J3bbQfKgHt', 'VVAb7Gx6EV', 'VDHbsDeCSv', 'eUnbbXHL1Q', 'Ad3bGcUlnF'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, b3yglJ52boJJBcwNHd.cs	High entropy of concatenated method names: 'ujRwnr3QMi', 'eVfw8WqdTc', 'VfdwkHwxl2', 'eoAwg5whOM', 'IfKw05feTq', 'fIhw6N5TEs', 'ueSwTFOaZO', 'zDJwYfkeLY', 'RXuwJKAesj', 'SIQwv3wtpq'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4de0000.6.raw.unpack, GSnIefby3g48AVtXRC.cs	High entropy of concatenated method names: 'TW9XB3BvfO', 'EfRXeystKT', 'mw0Xax4eFh', 'NF4Xm2TJV6', 'oSGXAuqZ3R', 'WVIXqWXalX', 'xkNX5fM5P1', 'uYvXjvp5VK', 'X5nXNDf69K', 'aYlXCpomsL'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, KJKWYe04ndXo1dLGx3.cs	High entropy of concatenated method names: 'BoO1VZ3yYZ', 'bZf13w2bGv', 'Muw1nTBUh2', 'qld18uYn3v', 'xic1ZvRaeo', 'cOn1QGCe3B', 'PJa17V3YuN', 'NT61smAoyN', 'PDk1bGayh1', 'hGx1G6TakJ'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, JIgtojd31oq0a8Ne66.cs	High entropy of concatenated method names: 'fBo7H6bu2o', 'BG17MHAIkt', 'ToString', 'vft7hQ0sWB', 'B847XV6Ftf', 'oZQ719mtPd', 'dy87SBe5EE', 'Ln37dc9MFb', 'qru7fwptEf', 'DPI7rI16GF'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, cYgM2iBJbIwf49iAyB.cs	High entropy of concatenated method names: 'JpIZJVMdmN', 'T4tZixUith', 'nLMZBAZBEL', 'eNgZeiJCcF', 'ErTZgnDjxw', 'cFuZucEK9a', 'oxdZ0DZtRo', 'FVBZ6Vuj3S', 'LCVZ4OrxBZ', 'DOIZT7BQfO'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, YIBjEUC2hYAeNNhpTX.cs	High entropy of concatenated method names: 'Dispose', 'JwoPNI70GU', 'QXJDgyodMG', 'T1tRRlfWiv', 'bqnPCBWfoI', 'NiAPzALTrw', 'ProcessDialogKey', 'BS7DWLDZI0', 'PwjDPVPySr', 'CN0DD82I3e'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, u0WLUiFmU62nf8wvh47.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UKLGBQHpdg', 'TuMGesqYuQ', 'zokGaY7PiQ', 'gpvGmOX0fD', 'b7YGAYCWv9', 'GMhGqfFUlP', 'RZdG5RTbgb'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, arCIwW2EHbpP4FTa9P.cs	High entropy of concatenated method names: 'YQ9bP1LGFV', 'jFtbcPGs1b', 'nv7bOMvOgk', 'MkIbhlUljB', 'rwnbXr95jl', 'HVmbS8lLqf', 'bIpbdwft5E', 'hyXs5a5PAR', 'Nv2sj19auZ', 'BiCsNtVcqS'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, KbE2EyPT6T9ZpExMle.cs	High entropy of concatenated method names: 'ToString', 'dSQQv7JoOT', 'Vu1QgLGjmo', 'XbUQutePo2', 'LP3Q0qH8eV', 'x80Q6sLK7x', 'eaIQ4vYth2', 'vlBQTxf70B', 'uYaQY2hXcM', 'OXsQKL0Bnc'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, EpHttsc5PRSC3qdCh0.cs	High entropy of concatenated method names: 'TaDSUA9o0g', 'SixSpF612C', 'Rkc1uEVDhb', 'ce4101dNwk', 'Qlt16mC0Mn', 'uMt14KQQtc', 'j6I1Tqs26R', 'zt51YW7cJF', 'y1K1KI8SIW', 'idE1JMyZrc'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	High entropy of concatenated method names: 'MbicxpZ2iF', 'JuvchEhy8a', 'uXOcXbhS9N', 'QQ8c1B4lO2', 'MU5cSQc8hy', 'CwEcdg1ndQ', 'TxacfmwhGN', 'J97crMb2vj', 'EC2c2tX3Zx', 'WapcHvx2f5'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, tu8VtYjuLCMFEaI0Kd.cs	High entropy of concatenated method names: 'aNAfhsbeQA', 'UoBf12RayJ', 'EEdfdJXQ7P', 'o71dCZ3WBi', 'ecndzTPK3s', 'xHofWXUWvo', 'trmfPtxGBm', 'DaufDjjCpS', 'SIEfcmy6HR', 'uqlfOjnjXk'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, O9liTyGSgHOXubn0i8.cs	High entropy of concatenated method names: 'HQishiHRWB', 'PZasXxLYvU', 'Gwws181ICw', 'aOnsSSdRIu', 'B0Ysdwggw4', 'WvRsfN7ceT', 'OBIsrBt0iK', 'wl5s2xhcHe', 'MMfsHfRpvH', 'bhDsMBYxIU'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, MW4t0FZVT9Flwx07F2.cs	High entropy of concatenated method names: 'jKmPfj3Zwa', 'TaCPrOI7mq', 'yjYPH7Wcjj', 'ulBPMllnPr', 'PKHPZvvWyr', 'nP0PQQnG5l', 'f1RXY0xkuhabvDSNLZ', 'xkE2kPXe5CJUGkmRWn', 'Lv5PPQGMPR', 'nh7PcE3Gqk'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, JKi31c4KTy182hEMiH.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rGjDNNgBFF', 'SyDDCYKoCw', 'AouDzPOKth', 'SUncWnHE9k', 'jjLcPWdNNW', 'AN1cD79LKr', 'NY3ccAJYqr', 'Mop9wOvR3GhBV8GFaeK'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, sJ7fiJFFyK6osPUw34M.cs	High entropy of concatenated method names: 'ToString', 'SAEGcAbddD', 'PUIGO12n5v', 'InfGxhi3JC', 'ByuGhP43J2', 'MGAGXsUZXc', 'hy3G1YmOaT', 'Q5KGSEFRb6', 'GkwrXykGkFTpWYNeNAB', 'W30nAskpxZdPlL3YgXS'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, Hi02iDQ2gBgWPDty6N.cs	High entropy of concatenated method names: 'ExEIrPqpK', 'QxtVGIc0Q', 'vOT3yKblI', 'apNpUFH0y', 'bkf8eu1yJ', 'elottBqy2', 'WZdm4HN0h93wHSHvYS', 'gMmdoBKIhmf5kR02Ts', 'i7UskmTSG', 'wYaGT4PhW'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, T8bvccOhIfvV5HBWMM.cs	High entropy of concatenated method names: 'lFAfoGKQGo', 'FgmfL4irFe', 'OxJfIkfUh7', 'm47fVZkwVg', 'CRwfU8QPEv', 'NHDf3GsEkU', 'e2Mfp7N7ca', 'JUCfniqDt0', 'DZhf8iq3bM', 'E0Wft28jk0'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, zQ5YunFDytNkOgIn8yZ.cs	High entropy of concatenated method names: 'dgPboq3e2i', 'rhDbL1hAvR', 'oiqbIJBF4E', 'jHfbVjC6ba', 'OstbUmMLeB', 'BuVb30Lgx2', 'jRsbpPp4Ax', 'v8abn2hNuY', 'kqpb8rC3gR', 'GObbtPOeJu'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, H4tCJy9NCfMBVS71J3.cs	High entropy of concatenated method names: 'U3EdxnDdGj', 'sm1dXyEg9B', 'W7cdSCjgtm', 'js8dfq50eJ', 'S6IdrHovkY', 'Dk4SANBvG1', 'jwFSqsSjvG', 'pgpS5RRd0F', 'JKCSjkmCQt', 'wtJSNiDadD'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, SPiHFIMwYaDrrusNMP.cs	High entropy of concatenated method names: 'KJWskQyIY0', 'm20sguLWP1', 'do0suFQlFf', 'kN6s0lKwis', 'bUEsBJXCBA', 'HCEs6CUcRE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, ptRbsCzeYp8KN76ouN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zeFbwCTgWr', 'VZAbZndMub', 'J3bbQfKgHt', 'VVAb7Gx6EV', 'VDHbsDeCSv', 'eUnbbXHL1Q', 'Ad3bGcUlnF'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, b3yglJ52boJJBcwNHd.cs	High entropy of concatenated method names: 'ujRwnr3QMi', 'eVfw8WqdTc', 'VfdwkHwxl2', 'eoAwg5whOM', 'IfKw05feTq', 'fIhw6N5TEs', 'ueSwTFOaZO', 'zDJwYfkeLY', 'RXuwJKAesj', 'SIQwv3wtpq'
Source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.4a25980.2.raw.unpack, GSnIefby3g48AVtXRC.cs	High entropy of concatenated method names: 'TW9XB3BvfO', 'EfRXeystKT', 'mw0Xax4eFh', 'NF4Xm2TJV6', 'oSGXAuqZ3R', 'WVIXqWXalX', 'xkNX5fM5P1', 'uYvXjvp5VK', 'X5nXNDf69K', 'aYlXCpomsL'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, KJKWYe04ndXo1dLGx3.cs	High entropy of concatenated method names: 'BoO1VZ3yYZ', 'bZf13w2bGv', 'Muw1nTBUh2', 'qld18uYn3v', 'xic1ZvRaeo', 'cOn1QGCe3B', 'PJa17V3YuN', 'NT61smAoyN', 'PDk1bGayh1', 'hGx1G6TakJ'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, JIgtojd31oq0a8Ne66.cs	High entropy of concatenated method names: 'fBo7H6bu2o', 'BG17MHAIkt', 'ToString', 'vft7hQ0sWB', 'B847XV6Ftf', 'oZQ719mtPd', 'dy87SBe5EE', 'Ln37dc9MFb', 'qru7fwptEf', 'DPI7rI16GF'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, cYgM2iBJbIwf49iAyB.cs	High entropy of concatenated method names: 'JpIZJVMdmN', 'T4tZixUith', 'nLMZBAZBEL', 'eNgZeiJCcF', 'ErTZgnDjxw', 'cFuZucEK9a', 'oxdZ0DZtRo', 'FVBZ6Vuj3S', 'LCVZ4OrxBZ', 'DOIZT7BQfO'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, YIBjEUC2hYAeNNhpTX.cs	High entropy of concatenated method names: 'Dispose', 'JwoPNI70GU', 'QXJDgyodMG', 'T1tRRlfWiv', 'bqnPCBWfoI', 'NiAPzALTrw', 'ProcessDialogKey', 'BS7DWLDZI0', 'PwjDPVPySr', 'CN0DD82I3e'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, u0WLUiFmU62nf8wvh47.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UKLGBQHpdg', 'TuMGesqYuQ', 'zokGaY7PiQ', 'gpvGmOX0fD', 'b7YGAYCWv9', 'GMhGqfFUlP', 'RZdG5RTbgb'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, arCIwW2EHbpP4FTa9P.cs	High entropy of concatenated method names: 'YQ9bP1LGFV', 'jFtbcPGs1b', 'nv7bOMvOgk', 'MkIbhlUljB', 'rwnbXr95jl', 'HVmbS8lLqf', 'bIpbdwft5E', 'hyXs5a5PAR', 'Nv2sj19auZ', 'BiCsNtVcqS'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, KbE2EyPT6T9ZpExMle.cs	High entropy of concatenated method names: 'ToString', 'dSQQv7JoOT', 'Vu1QgLGjmo', 'XbUQutePo2', 'LP3Q0qH8eV', 'x80Q6sLK7x', 'eaIQ4vYth2', 'vlBQTxf70B', 'uYaQY2hXcM', 'OXsQKL0Bnc'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, EpHttsc5PRSC3qdCh0.cs	High entropy of concatenated method names: 'TaDSUA9o0g', 'SixSpF612C', 'Rkc1uEVDhb', 'ce4101dNwk', 'Qlt16mC0Mn', 'uMt14KQQtc', 'j6I1Tqs26R', 'zt51YW7cJF', 'y1K1KI8SIW', 'idE1JMyZrc'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, c2nuaZ1j2jxTrWK6iR.cs	High entropy of concatenated method names: 'MbicxpZ2iF', 'JuvchEhy8a', 'uXOcXbhS9N', 'QQ8c1B4lO2', 'MU5cSQc8hy', 'CwEcdg1ndQ', 'TxacfmwhGN', 'J97crMb2vj', 'EC2c2tX3Zx', 'WapcHvx2f5'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, tu8VtYjuLCMFEaI0Kd.cs	High entropy of concatenated method names: 'aNAfhsbeQA', 'UoBf12RayJ', 'EEdfdJXQ7P', 'o71dCZ3WBi', 'ecndzTPK3s', 'xHofWXUWvo', 'trmfPtxGBm', 'DaufDjjCpS', 'SIEfcmy6HR', 'uqlfOjnjXk'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, O9liTyGSgHOXubn0i8.cs	High entropy of concatenated method names: 'HQishiHRWB', 'PZasXxLYvU', 'Gwws181ICw', 'aOnsSSdRIu', 'B0Ysdwggw4', 'WvRsfN7ceT', 'OBIsrBt0iK', 'wl5s2xhcHe', 'MMfsHfRpvH', 'bhDsMBYxIU'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, MW4t0FZVT9Flwx07F2.cs	High entropy of concatenated method names: 'jKmPfj3Zwa', 'TaCPrOI7mq', 'yjYPH7Wcjj', 'ulBPMllnPr', 'PKHPZvvWyr', 'nP0PQQnG5l', 'f1RXY0xkuhabvDSNLZ', 'xkE2kPXe5CJUGkmRWn', 'Lv5PPQGMPR', 'nh7PcE3Gqk'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, JKi31c4KTy182hEMiH.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rGjDNNgBFF', 'SyDDCYKoCw', 'AouDzPOKth', 'SUncWnHE9k', 'jjLcPWdNNW', 'AN1cD79LKr', 'NY3ccAJYqr', 'Mop9wOvR3GhBV8GFaeK'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, sJ7fiJFFyK6osPUw34M.cs	High entropy of concatenated method names: 'ToString', 'SAEGcAbddD', 'PUIGO12n5v', 'InfGxhi3JC', 'ByuGhP43J2', 'MGAGXsUZXc', 'hy3G1YmOaT', 'Q5KGSEFRb6', 'GkwrXykGkFTpWYNeNAB', 'W30nAskpxZdPlL3YgXS'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, Hi02iDQ2gBgWPDty6N.cs	High entropy of concatenated method names: 'ExEIrPqpK', 'QxtVGIc0Q', 'vOT3yKblI', 'apNpUFH0y', 'bkf8eu1yJ', 'elottBqy2', 'WZdm4HN0h93wHSHvYS', 'gMmdoBKIhmf5kR02Ts', 'i7UskmTSG', 'wYaGT4PhW'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, T8bvccOhIfvV5HBWMM.cs	High entropy of concatenated method names: 'lFAfoGKQGo', 'FgmfL4irFe', 'OxJfIkfUh7', 'm47fVZkwVg', 'CRwfU8QPEv', 'NHDf3GsEkU', 'e2Mfp7N7ca', 'JUCfniqDt0', 'DZhf8iq3bM', 'E0Wft28jk0'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, zQ5YunFDytNkOgIn8yZ.cs	High entropy of concatenated method names: 'dgPboq3e2i', 'rhDbL1hAvR', 'oiqbIJBF4E', 'jHfbVjC6ba', 'OstbUmMLeB', 'BuVb30Lgx2', 'jRsbpPp4Ax', 'v8abn2hNuY', 'kqpb8rC3gR', 'GObbtPOeJu'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, H4tCJy9NCfMBVS71J3.cs	High entropy of concatenated method names: 'U3EdxnDdGj', 'sm1dXyEg9B', 'W7cdSCjgtm', 'js8dfq50eJ', 'S6IdrHovkY', 'Dk4SANBvG1', 'jwFSqsSjvG', 'pgpS5RRd0F', 'JKCSjkmCQt', 'wtJSNiDadD'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, SPiHFIMwYaDrrusNMP.cs	High entropy of concatenated method names: 'KJWskQyIY0', 'm20sguLWP1', 'do0suFQlFf', 'kN6s0lKwis', 'bUEsBJXCBA', 'HCEs6CUcRE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, ptRbsCzeYp8KN76ouN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zeFbwCTgWr', 'VZAbZndMub', 'J3bbQfKgHt', 'VVAb7Gx6EV', 'VDHbsDeCSv', 'eUnbbXHL1Q', 'Ad3bGcUlnF'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, b3yglJ52boJJBcwNHd.cs	High entropy of concatenated method names: 'ujRwnr3QMi', 'eVfw8WqdTc', 'VfdwkHwxl2', 'eoAwg5whOM', 'IfKw05feTq', 'fIhw6N5TEs', 'ueSwTFOaZO', 'zDJwYfkeLY', 'RXuwJKAesj', 'SIQwv3wtpq'
Source: 3.2.adobe.exe.4043cd0.3.raw.unpack, GSnIefby3g48AVtXRC.cs	High entropy of concatenated method names: 'TW9XB3BvfO', 'EfRXeystKT', 'mw0Xax4eFh', 'NF4Xm2TJV6', 'oSGXAuqZ3R', 'WVIXqWXalX', 'xkNX5fM5P1', 'uYvXjvp5VK', 'X5nXNDf69K', 'aYlXCpomsL'

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

File written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

File created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (81).png

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

File opened: C:\Users\user\AppData\Roaming\adobe\adobe.exe:Zone.Identifier read attributes | delete

Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: xlsx.exe

Static PE information: PRE ALERT Docs_PONBOM01577.xlsx.exe

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PRE ALERT Docs_PONBOM01577.xlsx.exe PID: 4464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7776, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: 1320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: 4DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: 7D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: 8D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: 8EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: 9EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: A260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: B260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: C260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: D270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: E270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: F270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: F930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 4E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 73D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 83D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 8560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 9560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 9880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: A880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 8560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 9880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: A880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 7310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 6FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 8310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 9310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 9620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: A620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: B620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: C7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: D7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: E7F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: EE10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598357	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597482	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597369	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597242	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597122	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596577	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596249	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596139	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596022	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595700	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595264	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 594934	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 594823	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599120	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598463	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598356	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598029	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597918	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597044	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595731	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595395	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595280	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599171	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598369	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594079	Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Window / User API: threadDelayed 7032	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Window / User API: threadDelayed 2793	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 4037	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 5815	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 7447	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 2375	Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 6800	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7300	Thread sleep count: 7032 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7300	Thread sleep count: 2793 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -598357s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -598124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -597482s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -597369s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -597242s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -597122s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -596796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -596577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -596249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -596139s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -596022s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -595921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -595700s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -595593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -595374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -595264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -595046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -594934s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -594823s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -594500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe TID: 7296	Thread sleep time: -594390s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7468	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7620	Thread sleep count: 4037 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7620	Thread sleep count: 5815 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -599120s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -598463s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -598356s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -598029s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -597918s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -597374s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -597044s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -595952s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -595731s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -595624s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -595395s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -595280s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -595171s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7608	Thread sleep time: -594515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7800	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7944	Thread sleep count: 7447 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7944	Thread sleep count: 2375 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -599171s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -598369s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -598016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -597907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -597782s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -597657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -596829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -596704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -596579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -596454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -596329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -596204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -596079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -595954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -595829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -595704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -595579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -595454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -595329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -595204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -595079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -594954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -594829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -594704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -594579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -594454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -594329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -594204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7940	Thread sleep time: -594079s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598357	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597482	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597369	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597242	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597122	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596577	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596249	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596139	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 596022	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595700	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595374	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595264	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 594934	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 594823	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599120	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598463	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598356	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598029	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597918	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597044	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595952	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595731	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595624	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595395	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595280	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599171	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598369	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594079	Jump to behavior

Source: adobe.exe, 00000008.00000002.4096542891.0000000000F30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4095816736.0000000001179000.00000004.00000020.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.1873688267.000000000120D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Memory written: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Process created: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe "C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002E32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002E32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q><b>[ Program Manager]</b> (04/07/2024 03:18:53)<br>{Win}r{Win}THcq
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002E32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002E32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q9<b>[ Program Manager]</b> (04/07/2024 03:18:53)<br>{Win}rTHcq
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002E46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <html>Time: 07/20/2024 03:22:47<br>User Name: user<br>Computer Name: 066656<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.33<br><hr><b>[ Program Manager]</b> (04/07/2024 03:18:53)<br>{Win}r{Win}r</html>
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002E32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q3<b>[ Program Manager]</b> (04/07/2024 03:18:53)<br>
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002E32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q8<b>[ Program Manager]</b> (04/07/2024 03:18:53)<br>{Win}THcq
Source: PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002E32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q?<b>[ Program Manager]</b> (04/07/2024 03:18:53)<br>{Win}r{Win}rTHcq

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.3ec1420.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.3efca40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.3efca40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.3ec1420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4099572148.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4099468817.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1875942602.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1868550635.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4099468817.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1875942602.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1644979202.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4099572148.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1791642925.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PRE ALERT Docs_PONBOM01577.xlsx.exe PID: 4464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PRE ALERT Docs_PONBOM01577.xlsx.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7828, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.3ec1420.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.3efca40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.3efca40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.3ec1420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1875942602.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1868550635.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4099468817.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1644979202.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4099572148.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1791642925.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PRE ALERT Docs_PONBOM01577.xlsx.exe PID: 4464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PRE ALERT Docs_PONBOM01577.xlsx.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7828, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.3ec1420.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.3efca40.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3e04f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRE ALERT Docs_PONBOM01577.xlsx.exe.3dc9970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.3efca40.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.3ec1420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4099572148.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4099468817.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1875942602.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1868550635.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4099468817.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1875942602.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1644979202.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4099572148.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1791642925.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PRE ALERT Docs_PONBOM01577.xlsx.exe PID: 4464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PRE ALERT Docs_PONBOM01577.xlsx.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7828, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	112 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	12 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PRE ALERT Docs_PONBOM01577.xlsx.exe	24%	ReversingLabs
PRE ALERT Docs_PONBOM01577.xlsx.exe	30%	Virustotal		Browse
PRE ALERT Docs_PONBOM01577.xlsx.exe	100%	Avira	HEUR/AGEN.1309979

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	100%	Avira	HEUR/AGEN.1309979
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	24%	ReversingLabs
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	30%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.ipify.org	0%	Virustotal		Browse
s4.serv00.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org/	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://s4.serv00.com	0%	Avira URL Cloud	safe
http://s4.serv00.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false	0%, Virustotal, Browse	unknown
s4.serv00.com	213.189.52.181	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1644979202.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1791642925.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.1868550635.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.1875942602.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4099572148.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1644979202.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1791642925.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.1875942602.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.1868550635.0000000000402000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4099572148.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.1875942602.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4099572148.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646740755.0000000006FD2000.00000004.00000800.00020000.00000000.sdmp, PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000000.00000002.1646648170.0000000005720000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://s4.serv00.com	PRE ALERT Docs_PONBOM01577.xlsx.exe, 00000002.00000002.4099468817.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.1875942602.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4099572148.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.189.52.181	s4.serv00.com	Poland		57367	ECO-ATMAN-PLECO-ATMAN-PL	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467356
Start date and time:	2024-07-04 03:39:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PRE ALERT Docs_PONBOM01577.xlsx.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/4@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 308 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:39:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe
02:40:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe
21:39:53	API Interceptor	9268135x Sleep call for process: PRE ALERT Docs_PONBOM01577.xlsx.exe modified
21:40:08	API Interceptor	7469194x Sleep call for process: adobe.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
213.189.52.181	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	242764.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	K8mzlntJVN.msi	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s4.serv00.com	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
api.ipify.org	Factura adjunta.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Arrival Notice.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	rnoahcrypter.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	tgBNtoWqIp.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	19808bS58f.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.6737.3783.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	9691e6dc404680cc6648726c8d124a6d4fc637bb6b4a092661308012438623b2_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	0VcrCVxnMP.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	E48ALuMJ3m.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	MzjwuZnJF0.exe	Get hash	malicious	GuLoader	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ECO-ATMAN-PLECO-ATMAN-PL	BOQ_Algeemi_SharePoint_Tender_3768889756.xksx.exe	Get hash	malicious	AgentTesla	Browse	91.185.189.19
	http://10f4cf3.wcomhost.com/	Get hash	malicious	Unknown	Browse	85.194.241.205
	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	BOQ_Algeemi_SharePoint_Tender.xlsx.exe	Get hash	malicious	AgentTesla	Browse	91.185.189.19
	OriginalMessage.txt.msg	Get hash	malicious	HTMLPhisher	Browse	31.186.83.254
	Invoice_23257538_PDF.wsf	Get hash	malicious	GuLoader	Browse	31.186.83.248
	WEB-SAT_base.apk	Get hash	malicious	Unknown	Browse	77.79.227.218
	WEB-SAT_base.apk	Get hash	malicious	Unknown	Browse	77.79.227.218
	Invoice 23257538_PDF.wsf	Get hash	malicious	GuLoader	Browse	31.186.83.248
	Invoice 23257538_PDF.wsf	Get hash	malicious	GuLoader	Browse	31.186.83.248
CLOUDFLARENETUS	Encrypted Doc-[izO-3902181].pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://click.pstmrk.it/3s/frutilandia.com%2Ffaq%2F/gRC2/yGq2AQ/AQ/a2d2de19-7d91-4f73-a067-0dd3f808145b/1/-HKuJv7KgC	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://reservation.exnetehovervs.com/apart/285z92aaza77z	Get hash	malicious	Unknown	Browse	104.22.70.197
	https://rules-pear-kft5d2.mystrikingly.com/	Get hash	malicious	Unknown	Browse	162.247.243.29
	http://sp.26skins.com/steamstore/category/adventure_rpg/?snr=1_5_9__12	Get hash	malicious	Unknown	Browse	188.114.96.3
	Encrypted Doc-[Ogi-5917842].pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	http://pub-2e7429ed1f544f43a4684eeceb978dbb.r2.dev/home.html	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://services.business-manange.com/	Get hash	malicious	HTMLPhisher	Browse	172.67.138.117
	https://pub-1b634168cd404e2d8bece63d5ebb4798.r2.dev/uint.html?schweissdoors	Get hash	malicious	HTMLPhisher	Browse	104.26.10.155

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://metamesklogni.webflow.io/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://sula.starladeroff.com/	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	http://helpdesk-advertising-review-id-9865133.d3m7n55z273utf.amplifyapp.com/index.html	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://supp-review9482.eu/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://ns43q4.csb.app/	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://multichaindappsx.pages.dev/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://swans-muffin-1id4964-7304421.netlify.app/form	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://pub-fb608504b57048a1b1ca54c74dbf132d.r2.dev/ront.html?ccsend	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	Factura adjunta.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\adobe.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Download File

Process:	C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	757248
Entropy (8bit):	7.932047193773452
Encrypted:	false
SSDEEP:	12288:L5mJwp6Nf+w5yRfOKXLtBgKiOda/M7Drr2vB2Z86a0sXQjrhcEqSqA/UzYbiNhN9:zUCmoBqKiOkU7avgy6mXQ3ShSqA/UkbA
MD5:	1154CD3205E7E1226B03B1EE15278E0A
SHA1:	11B53A6D9F81DEFB309A972C3903B1DE976E5911
SHA-256:	8797EF6CB2E95B65334B38D11068783ACAD3AA173EDE96E152AD66BEB40DEEE3
SHA-512:	1B1A44971954E8AB8D8A8EADC09F92E2DDF5EA233EACE1134F492983DFE94DCBD454834AC693D0EA2B6730F53DBD59909F3E00189DD5277713D3BE1BBB863DE5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 24% Antivirus: Virustotal, Detection: 30%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f..............0.............n.... ........@.. ....................................@.....................................O.......................................T............................................ ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................O.......H........z...x..............@............................................0..+........r...prM..p.. ....(.........,....+....+....(....... .....(...... . ...(.........(.........0..C..........o....o.....+..o....t........o.......o....-....u......,..o..............."0.......0..C..........o....o.....+..o....t........o.......o....-....u......,..o..............."0......".( ........0..7..........(!.........+.......o"....o#...&...X....i2.........z........./0.......0..[..........s

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.932047193773452
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	PRE ALERT Docs_PONBOM01577.xlsx.exe
File size:	757'248 bytes
MD5:	1154cd3205e7e1226b03b1ee15278e0a
SHA1:	11b53a6d9f81defb309a972c3903b1de976e5911
SHA256:	8797ef6cb2e95b65334b38d11068783acad3aa173ede96e152ad66beb40deee3
SHA512:	1b1a44971954e8ab8d8a8eadc09f92e2ddf5ea233eace1134f492983dfe94dcbd454834ac693d0ea2b6730f53dbd59909f3e00189dd5277713d3be1bbb863de5
SSDEEP:	12288:L5mJwp6Nf+w5yRfOKXLtBgKiOda/M7Drr2vB2Z86a0sXQjrhcEqSqA/UzYbiNhN9:zUCmoBqKiOkU7avgy6mXQ3ShSqA/UkbA
TLSH:	C9F4024562DC7FD1E0661FF60D32B01163B4E21AA463EE1D6C9250DD4DA23C7B63AA2F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0.............n.... ........@.. ....................................@................................

File Icon


Icon Hash:	8c070b0909030f10

Static PE Info

General

Entrypoint:	0x4acb6e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6685D385 [Wed Jul 3 22:41:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xacb1b	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0xddc4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa9ac0	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaab74	0xaac00	405de6a1e119b0a3f66210249a2ae064	False	0.9506814490300146	data	7.945017887436935	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xae000	0xddc4	0xde00	78cb272f63e5545909d8ce937553f067	False	0.7673669763513513	data	7.391753244604948	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbc000	0xc	0x200	d0747cda4a56075e976d32ea0b4265d2	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xae1f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.5097517730496454
RT_ICON	0xae658	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	0.3942622950819672
RT_ICON	0xaefe0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.3379455909943715
RT_ICON	0xb0088	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.2617219917012448
RT_ICON	0xb2630	0x91c8	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9990085744908896
RT_GROUP_ICON	0xbb7f8	0x4c	data	0.75
RT_VERSION	0xbb844	0x394	OpenPGP Secret Key	0.4344978165938865
RT_MANIFEST	0xbbbd8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/04/24-03:40:20.785490	TCP	2029927	ET TROJAN AgentTesla Exfil via FTP	49748	21	192.168.2.4	213.189.52.181
07/04/24-03:40:21.384961	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49749	63065	192.168.2.4	213.189.52.181
07/04/24-03:40:13.264826	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49741	63983	192.168.2.4	213.189.52.181
07/04/24-03:39:58.804072	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49736	63817	192.168.2.4	213.189.52.181
07/04/24-03:40:21.384961	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49749	63065	192.168.2.4	213.189.52.181
07/04/24-03:40:12.687826	TCP	2029927	ET TROJAN AgentTesla Exfil via FTP	49739	21	192.168.2.4	213.189.52.181
07/04/24-03:41:23.727695	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49751	63014	192.168.2.4	213.189.52.181
07/04/24-03:39:58.216699	TCP	2029927	ET TROJAN AgentTesla Exfil via FTP	49734	21	192.168.2.4	213.189.52.181
07/04/24-03:39:58.804072	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49736	63817	192.168.2.4	213.189.52.181
07/04/24-03:40:13.264826	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49741	63983	192.168.2.4	213.189.52.181

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2024 03:39:54.850989103 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:39:54.851021051 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 4, 2024 03:39:54.851094961 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:39:54.857954025 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:39:54.857969999 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 4, 2024 03:39:55.363548040 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 4, 2024 03:39:55.363650084 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:39:55.366081953 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:39:55.366090059 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 4, 2024 03:39:55.366309881 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 4, 2024 03:39:55.405827045 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:39:55.418056011 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:39:55.464492083 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 4, 2024 03:39:55.693278074 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 4, 2024 03:39:55.693329096 CEST	443	49732	172.67.74.152	192.168.2.4
Jul 4, 2024 03:39:55.693377972 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:39:55.699968100 CEST	49732	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:39:56.257356882 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:56.262276888 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:56.262353897 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:56.854809046 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:56.856002092 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:56.860702038 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:57.049648046 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:57.049877882 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:57.054631948 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:57.313311100 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:57.313450098 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:57.318166018 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:57.507239103 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:57.507504940 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:57.512269020 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:57.819525003 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:57.819679976 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:57.825540066 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:58.015209913 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:58.015336037 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:58.020136118 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:58.209422112 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:58.209889889 CEST	49736	63817	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:58.216576099 CEST	63817	49736	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:58.216658115 CEST	49736	63817	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:58.216698885 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:58.224208117 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:58.792100906 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:58.804071903 CEST	49736	63817	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:58.804104090 CEST	49736	63817	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:58.808969021 CEST	63817	49736	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:58.809226036 CEST	63817	49736	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:58.809277058 CEST	49736	63817	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:58.843323946 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:39:59.001622915 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:39:59.046457052 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:09.397943020 CEST	49738	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:09.397980928 CEST	443	49738	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:09.398046017 CEST	49738	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:09.402518988 CEST	49738	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:09.402534008 CEST	443	49738	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:09.883938074 CEST	443	49738	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:09.884008884 CEST	49738	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:09.885421038 CEST	49738	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:09.885427952 CEST	443	49738	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:09.885624886 CEST	443	49738	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:09.929378986 CEST	49738	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:09.972516060 CEST	443	49738	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:10.042368889 CEST	443	49738	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:10.042416096 CEST	443	49738	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:10.042612076 CEST	49738	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:10.044898033 CEST	49738	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:10.725203991 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:10.731548071 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:10.731636047 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:11.355659008 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:11.355895042 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:11.362488985 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:11.559113026 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:11.559354067 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:11.564201117 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:11.846457958 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:11.846596003 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:11.851433992 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:12.048103094 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:12.048250914 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:12.053216934 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:12.251499891 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:12.253684044 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:12.258513927 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:12.455697060 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:12.456253052 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:12.464849949 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:12.661640882 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:12.669811964 CEST	49741	63983	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:12.674590111 CEST	63983	49741	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:12.676861048 CEST	49741	63983	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:12.687825918 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:12.696178913 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:13.264635086 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:13.264826059 CEST	49741	63983	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:13.264859915 CEST	49741	63983	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:13.269740105 CEST	63983	49741	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:13.270378113 CEST	63983	49741	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:13.270425081 CEST	49741	63983	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:13.310383081 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:13.465313911 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:13.515228033 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:17.666731119 CEST	49747	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:17.666771889 CEST	443	49747	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:17.666829109 CEST	49747	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:17.671319008 CEST	49747	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:17.671331882 CEST	443	49747	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:18.150641918 CEST	443	49747	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:18.150718927 CEST	49747	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:18.154480934 CEST	49747	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:18.154495001 CEST	443	49747	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:18.154706001 CEST	443	49747	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:18.202620983 CEST	49747	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:18.248507977 CEST	443	49747	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:18.314034939 CEST	443	49747	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:18.314079046 CEST	443	49747	172.67.74.152	192.168.2.4
Jul 4, 2024 03:40:18.314146042 CEST	49747	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:18.316545963 CEST	49747	443	192.168.2.4	172.67.74.152
Jul 4, 2024 03:40:18.891863108 CEST	49748	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:18.896891117 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:18.896972895 CEST	49748	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:19.049181938 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:19.534673929 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:19.534892082 CEST	49748	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:19.539784908 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:19.729156971 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:19.739253998 CEST	49748	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:19.744301081 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:20.005039930 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:20.005326986 CEST	49748	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:20.010812998 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:20.198582888 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:20.198988914 CEST	49748	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:20.203742027 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:20.391247034 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:20.394088030 CEST	49748	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:20.398964882 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:20.586445093 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:20.587260008 CEST	49748	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:20.592128038 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:20.779877901 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:20.780471087 CEST	49749	63065	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:20.785348892 CEST	63065	49749	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:20.785429001 CEST	49749	63065	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:20.785490036 CEST	49748	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:20.790344954 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:21.384763002 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:21.384960890 CEST	49749	63065	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:21.385020018 CEST	49749	63065	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:21.389760971 CEST	63065	49749	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:21.390194893 CEST	63065	49749	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:21.390259027 CEST	49749	63065	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:21.437129021 CEST	49748	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:40:21.581048965 CEST	21	49748	213.189.52.181	192.168.2.4
Jul 4, 2024 03:40:21.624721050 CEST	49748	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:41:22.715984106 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:41:22.722846985 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:41:22.920361042 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:41:22.920926094 CEST	49751	63014	192.168.2.4	213.189.52.181
Jul 4, 2024 03:41:22.927141905 CEST	63014	49751	213.189.52.181	192.168.2.4
Jul 4, 2024 03:41:22.927221060 CEST	49751	63014	192.168.2.4	213.189.52.181
Jul 4, 2024 03:41:22.927309036 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:41:22.932137966 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:41:23.727524042 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:41:23.727694988 CEST	49751	63014	192.168.2.4	213.189.52.181
Jul 4, 2024 03:41:23.727731943 CEST	49751	63014	192.168.2.4	213.189.52.181
Jul 4, 2024 03:41:23.732517958 CEST	63014	49751	213.189.52.181	192.168.2.4
Jul 4, 2024 03:41:23.732963085 CEST	63014	49751	213.189.52.181	192.168.2.4
Jul 4, 2024 03:41:23.733006954 CEST	49751	63014	192.168.2.4	213.189.52.181
Jul 4, 2024 03:41:23.737494946 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:41:23.737540960 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 4, 2024 03:41:23.924913883 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 4, 2024 03:41:23.968507051 CEST	49734	21	192.168.2.4	213.189.52.181

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2024 03:39:54.839354038 CEST	57580	53	192.168.2.4	1.1.1.1
Jul 4, 2024 03:39:54.846400976 CEST	53	57580	1.1.1.1	192.168.2.4
Jul 4, 2024 03:39:56.244360924 CEST	62386	53	192.168.2.4	1.1.1.1
Jul 4, 2024 03:39:56.256742001 CEST	53	62386	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 4, 2024 03:39:54.839354038 CEST	192.168.2.4	1.1.1.1	0x985f	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 4, 2024 03:39:56.244360924 CEST	192.168.2.4	1.1.1.1	0xfdef	Standard query (0)	s4.serv00.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 4, 2024 03:39:54.846400976 CEST	1.1.1.1	192.168.2.4	0x985f	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 4, 2024 03:39:54.846400976 CEST	1.1.1.1	192.168.2.4	0x985f	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 4, 2024 03:39:54.846400976 CEST	1.1.1.1	192.168.2.4	0x985f	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 4, 2024 03:39:56.256742001 CEST	1.1.1.1	192.168.2.4	0xfdef	No error (0)	s4.serv00.com	213.189.52.181	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	172.67.74.152	443	7180	C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 01:39:55 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-04 01:39:55 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 04 Jul 2024 01:39:55 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89db6780babe43fe-EWR
2024-07-04 01:39:55 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	172.67.74.152	443	7484	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 01:40:09 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-04 01:40:10 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 04 Jul 2024 01:40:09 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89db67da6c274277-EWR
2024-07-04 01:40:10 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49747	172.67.74.152	443	7828	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-04 01:40:18 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-04 01:40:18 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 04 Jul 2024 01:40:18 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89db680e1e46192c-EWR
2024-07-04 01:40:18 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 4, 2024 03:39:56.854809046 CEST	21	49734	213.189.52.181	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 03:39. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 03:39. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 03:39. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Jul 4, 2024 03:39:56.856002092 CEST	49734	21	192.168.2.4	213.189.52.181	USER f2241_dol
Jul 4, 2024 03:39:57.049648046 CEST	21	49734	213.189.52.181	192.168.2.4	331 User f2241_dol OK. Password required
Jul 4, 2024 03:39:57.049877882 CEST	49734	21	192.168.2.4	213.189.52.181	PASS Doll900#@
Jul 4, 2024 03:39:57.313311100 CEST	21	49734	213.189.52.181	192.168.2.4	230 OK. Current restricted directory is /
Jul 4, 2024 03:39:57.507239103 CEST	21	49734	213.189.52.181	192.168.2.4	504 Unknown command
Jul 4, 2024 03:39:57.507504940 CEST	49734	21	192.168.2.4	213.189.52.181	PWD
Jul 4, 2024 03:39:57.819525003 CEST	21	49734	213.189.52.181	192.168.2.4	257 "/" is your current location
Jul 4, 2024 03:39:57.819679976 CEST	49734	21	192.168.2.4	213.189.52.181	TYPE I
Jul 4, 2024 03:39:58.015209913 CEST	21	49734	213.189.52.181	192.168.2.4	200 TYPE is now 8-bit binary
Jul 4, 2024 03:39:58.015336037 CEST	49734	21	192.168.2.4	213.189.52.181	PASV
Jul 4, 2024 03:39:58.209422112 CEST	21	49734	213.189.52.181	192.168.2.4	227 Entering Passive Mode (213,189,52,181,249,73)
Jul 4, 2024 03:39:58.216698885 CEST	49734	21	192.168.2.4	213.189.52.181	STOR PW_user-066656_2024_07_03_21_39_55.html
Jul 4, 2024 03:39:58.792100906 CEST	21	49734	213.189.52.181	192.168.2.4	150 Accepted data connection
Jul 4, 2024 03:39:59.001622915 CEST	21	49734	213.189.52.181	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.209 seconds (measured here), 1.62 Kbytes per second
Jul 4, 2024 03:40:11.355659008 CEST	21	49739	213.189.52.181	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 03:40. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 03:40. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 03:40. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Jul 4, 2024 03:40:11.355895042 CEST	49739	21	192.168.2.4	213.189.52.181	USER f2241_dol
Jul 4, 2024 03:40:11.559113026 CEST	21	49739	213.189.52.181	192.168.2.4	331 User f2241_dol OK. Password required
Jul 4, 2024 03:40:11.559354067 CEST	49739	21	192.168.2.4	213.189.52.181	PASS Doll900#@
Jul 4, 2024 03:40:11.846457958 CEST	21	49739	213.189.52.181	192.168.2.4	230 OK. Current restricted directory is /
Jul 4, 2024 03:40:12.048103094 CEST	21	49739	213.189.52.181	192.168.2.4	504 Unknown command
Jul 4, 2024 03:40:12.048250914 CEST	49739	21	192.168.2.4	213.189.52.181	PWD
Jul 4, 2024 03:40:12.251499891 CEST	21	49739	213.189.52.181	192.168.2.4	257 "/" is your current location
Jul 4, 2024 03:40:12.253684044 CEST	49739	21	192.168.2.4	213.189.52.181	TYPE I
Jul 4, 2024 03:40:12.455697060 CEST	21	49739	213.189.52.181	192.168.2.4	200 TYPE is now 8-bit binary
Jul 4, 2024 03:40:12.456253052 CEST	49739	21	192.168.2.4	213.189.52.181	PASV
Jul 4, 2024 03:40:12.661640882 CEST	21	49739	213.189.52.181	192.168.2.4	227 Entering Passive Mode (213,189,52,181,249,239)
Jul 4, 2024 03:40:12.687825918 CEST	49739	21	192.168.2.4	213.189.52.181	STOR PW_user-066656_2024_07_03_21_40_10.html
Jul 4, 2024 03:40:13.264635086 CEST	21	49739	213.189.52.181	192.168.2.4	150 Accepted data connection
Jul 4, 2024 03:40:13.465313911 CEST	21	49739	213.189.52.181	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.202 seconds (measured here), 1.67 Kbytes per second
Jul 4, 2024 03:40:19.534673929 CEST	21	49748	213.189.52.181	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 03:40. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 03:40. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 03:40. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Jul 4, 2024 03:40:19.534892082 CEST	49748	21	192.168.2.4	213.189.52.181	USER f2241_dol
Jul 4, 2024 03:40:19.729156971 CEST	21	49748	213.189.52.181	192.168.2.4	331 User f2241_dol OK. Password required
Jul 4, 2024 03:40:19.739253998 CEST	49748	21	192.168.2.4	213.189.52.181	PASS Doll900#@
Jul 4, 2024 03:40:20.005039930 CEST	21	49748	213.189.52.181	192.168.2.4	230 OK. Current restricted directory is /
Jul 4, 2024 03:40:20.198582888 CEST	21	49748	213.189.52.181	192.168.2.4	504 Unknown command
Jul 4, 2024 03:40:20.198988914 CEST	49748	21	192.168.2.4	213.189.52.181	PWD
Jul 4, 2024 03:40:20.391247034 CEST	21	49748	213.189.52.181	192.168.2.4	257 "/" is your current location
Jul 4, 2024 03:40:20.394088030 CEST	49748	21	192.168.2.4	213.189.52.181	TYPE I
Jul 4, 2024 03:40:20.586445093 CEST	21	49748	213.189.52.181	192.168.2.4	200 TYPE is now 8-bit binary
Jul 4, 2024 03:40:20.587260008 CEST	49748	21	192.168.2.4	213.189.52.181	PASV
Jul 4, 2024 03:40:20.779877901 CEST	21	49748	213.189.52.181	192.168.2.4	227 Entering Passive Mode (213,189,52,181,246,89)
Jul 4, 2024 03:40:20.785490036 CEST	49748	21	192.168.2.4	213.189.52.181	STOR PW_user-066656_2024_07_03_21_40_18.html
Jul 4, 2024 03:40:21.384763002 CEST	21	49748	213.189.52.181	192.168.2.4	150 Accepted data connection
Jul 4, 2024 03:40:21.581048965 CEST	21	49748	213.189.52.181	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.225 seconds (measured here), 1.50 Kbytes per second
Jul 4, 2024 03:41:22.715984106 CEST	49734	21	192.168.2.4	213.189.52.181	PASV
Jul 4, 2024 03:41:22.920361042 CEST	21	49734	213.189.52.181	192.168.2.4	227 Entering Passive Mode (213,189,52,181,246,38)
Jul 4, 2024 03:41:22.927309036 CEST	49734	21	192.168.2.4	213.189.52.181	STOR KL_user-066656_2024_07_20_03_22_47.html
Jul 4, 2024 03:41:23.727524042 CEST	21	49734	213.189.52.181	192.168.2.4	150 Accepted data connection
Jul 4, 2024 03:41:23.737494946 CEST	21	49734	213.189.52.181	192.168.2.4	150 Accepted data connection
Jul 4, 2024 03:41:23.924913883 CEST	21	49734	213.189.52.181	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.423 seconds (measured here), 0.66 Kbytes per second

Target ID:	0
Start time:	21:39:52
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe"
Imagebase:	0xa10000
File size:	757'248 bytes
MD5 hash:	1154CD3205E7E1226B03B1EE15278E0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1644979202.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1644979202.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:39:54
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PRE ALERT Docs_PONBOM01577.xlsx.exe"
Imagebase:	0x970000
File size:	757'248 bytes
MD5 hash:	1154CD3205E7E1226B03B1EE15278E0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4099468817.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4099468817.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4099468817.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	21:40:07
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0xa80000
File size:	757'248 bytes
MD5 hash:	1154CD3205E7E1226B03B1EE15278E0A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1791642925.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1791642925.0000000003E39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 24%, ReversingLabs Detection: 30%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:40:08
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x930000
File size:	757'248 bytes
MD5 hash:	1154CD3205E7E1226B03B1EE15278E0A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1875942602.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1875942602.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1868550635.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1868550635.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1875942602.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:40:15
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x7e0000
File size:	757'248 bytes
MD5 hash:	1154CD3205E7E1226B03B1EE15278E0A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:40:16
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x20000
File size:	757'248 bytes
MD5 hash:	1154CD3205E7E1226B03B1EE15278E0A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:40:16
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x740000
File size:	757'248 bytes
MD5 hash:	1154CD3205E7E1226B03B1EE15278E0A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4099572148.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4099572148.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4099572148.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	288
Total number of Limit Nodes:	10

Executed Functions

Function 05356BC8 Relevance: 1.0, Instructions: 953COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1646324139.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbbcf15a5ca6e09c5b3d5e2750daf746caa60718667f15676aa0a838a3142c6
Instruction ID: d78b42fb50ae9d671c14dd015a4800cb690dbbc89a8bdc2bce32656d7a053716
Opcode Fuzzy Hash: ebbbcf15a5ca6e09c5b3d5e2750daf746caa60718667f15676aa0a838a3142c6
Instruction Fuzzy Hash: F2A2A534A51219CFDB14DF24C898ED9B7B1EF8A304F5191E9D8096B365DB32AE85CF80

Function 04DD96FC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04DD993E

Strings

w&, xrefs: 04DD9A24

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: CreateProcess
String ID: w&
API String ID: 963392458-3348004922
Opcode ID: 4bbeedef6fdbfe9b745f8367feff1f3cf72c12ea76fb7b8c24c244fd4f223a66
Instruction ID: 5e26ea8d9b2dce0147665389f4408f5dfb18ccdd70b6a5c62fa235bd562b404e
Opcode Fuzzy Hash: 4bbeedef6fdbfe9b745f8367feff1f3cf72c12ea76fb7b8c24c244fd4f223a66
Instruction Fuzzy Hash: A1916BB1D00219DFEB10CF68C8517EDBBB2BF48314F1485A9E849A7244DB75A985CF91

Function 04DD9708 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04DD993E

Strings

w&, xrefs: 04DD9A24

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: CreateProcess
String ID: w&
API String ID: 963392458-3348004922
Opcode ID: 6b695aa97a054e96c47aad46dc7c32d64057788703d498ffb2ac3597cd1a2ad8
Instruction ID: 38706049438eebb085a0404ef9840c336d608c7702eb624806316605ac507cbc
Opcode Fuzzy Hash: 6b695aa97a054e96c47aad46dc7c32d64057788703d498ffb2ac3597cd1a2ad8
Instruction Fuzzy Hash: 9A916CB1D00219DFEF10CF68C850BEEBBB2BF48314F1485A9E849A7254DB75A985CF91

Function 0136ADA8 Relevance: 1.7, APIs: 1, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0136AFFE

Memory Dump Source

Source File: 00000000.00000002.1643286788.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c89092d747d0c3fa4a76f4342bec79881ae8741913c36fd3dcd09185a08cecac
Instruction ID: 66a0af300397b72a68b543d9e2d03e0ca2aaf228e059bae797c21578c7a5c234
Opcode Fuzzy Hash: c89092d747d0c3fa4a76f4342bec79881ae8741913c36fd3dcd09185a08cecac
Instruction Fuzzy Hash: AD817770A00B058FDB24DF29D44579ABBF5FF48308F008A2DD08AEBA55D775E84ACB90

Function 0136590D Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013659C9

Memory Dump Source

Source File: 00000000.00000002.1643286788.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b47ffb0d481cec0c2c07ee6ace5244282d93182b5d258e182f6603763269746b
Instruction ID: b2684d380b9fa2956374fb863e74d8b2bf30b6a82a047b784aa68e0a8483bbad
Opcode Fuzzy Hash: b47ffb0d481cec0c2c07ee6ace5244282d93182b5d258e182f6603763269746b
Instruction Fuzzy Hash: 9441D2B0C0071DCBDB24CFA9C884BCDBBB9BF49344F24806AD448AB255DB756945CF90

Function 013644C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013659C9

Memory Dump Source

Source File: 00000000.00000002.1643286788.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5f7405e33823134074916ec52f5ee780dfba1aa7073f3fdd03a5a45a586553c6
Instruction ID: 4b9e29c4f99485c23dc7f49a77de033f517004a2145b505aa6341e34136f211a
Opcode Fuzzy Hash: 5f7405e33823134074916ec52f5ee780dfba1aa7073f3fdd03a5a45a586553c6
Instruction Fuzzy Hash: 9041C2B0C0071DCBDB24DFA9C884B9DBBF9BF49304F2480AAD408AB255DB756945CF90

Function 05354040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05354101

Memory Dump Source

Source File: 00000000.00000002.1646324139.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 3c52b1334a074f5e38a24e5f53bb35e537e0129d14d52072a2bc25d8a616a8db
Instruction ID: ea6fb43778c3a5308c2ed5db09f8af564c92c4f95337c49f9ca5daa23daebe16
Opcode Fuzzy Hash: 3c52b1334a074f5e38a24e5f53bb35e537e0129d14d52072a2bc25d8a616a8db
Instruction Fuzzy Hash: 4B41F6B4A003098FCB14CF99C448AAAFBF5FF88324F24C459D519AB361D775A981CFA0

Function 04DD7C43 Relevance: 1.6, APIs: 1, Instructions: 90
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04DDBA2D

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4d3bf8110466093dd228767dd18fb951a120f4afe6938c182b2c22a635716105
Instruction ID: d798d140bddc5b54b2014ca86aa9a52d38f834522daae85ba18818c4209f7d68
Opcode Fuzzy Hash: 4d3bf8110466093dd228767dd18fb951a120f4afe6938c182b2c22a635716105
Instruction Fuzzy Hash: 4D31D1718083988FD701EFACD8A47CEBFB4EF45314F0540ABD084AB252C274A484CBB6

Function 04DD7CD8 Relevance: 1.6, APIs: 1, Instructions: 82
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04DDBA2D

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e3be6a105fcc51010c4f428ceec150fe4a281ecff4e5e21bd2ca510d27cdb0b1
Instruction ID: 6e87afdf4aeecb1334a311478dd764d54e0cea9300a9c5e5da3404817a013393
Opcode Fuzzy Hash: e3be6a105fcc51010c4f428ceec150fe4a281ecff4e5e21bd2ca510d27cdb0b1
Instruction Fuzzy Hash: 0631DFB18087988FD701DF9DD4A47DEBFF4EF19314F04406AD084AB252C274A444CBA6

Function 04DD9478 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04DD9510

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bddd8e7bbfaf211ecddf82a5804e37da8fa77f339c1c83cc2a275672925012cb
Instruction ID: acca1c58160585adf3f265150d90967a09283d9ecf6fba986dfb33a5a4bdd35e
Opcode Fuzzy Hash: bddd8e7bbfaf211ecddf82a5804e37da8fa77f339c1c83cc2a275672925012cb
Instruction Fuzzy Hash: 532157B59003199FDB10CFA9C885BEEBBF0FF48310F10842AE959A7240C778A545CBA4

Function 04DD9480 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04DD9510

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a0f453427f923ea92f9699e92d097ffe10bec82da4fdd02af2828aba10769535
Instruction ID: 4356f7c49395a87df5cc5786ab455ed271dc46b2dd9e5b26fab723bc5cd5d0de
Opcode Fuzzy Hash: a0f453427f923ea92f9699e92d097ffe10bec82da4fdd02af2828aba10769535
Instruction Fuzzy Hash: 4C2139B19003599FCB10CFA9C885BDEBBF5FF48310F10842AE959A7250C779A944CBA5

Function 0136D27C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0136D656,?,?,?,?,?), ref: 0136D717

Memory Dump Source

Source File: 00000000.00000002.1643286788.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c73ab676d256e42251d4e224745117b5c2ac882359eb4ef43406a6472e68eb16
Instruction ID: 1f4c117d425ae29b95fa346ebb594e07d6e5f7849590f834f5b548ec3a38db66
Opcode Fuzzy Hash: c73ab676d256e42251d4e224745117b5c2ac882359eb4ef43406a6472e68eb16
Instruction Fuzzy Hash: 8321E5B59003489FDB10CF9AD584ADEFFF8EB48324F14841AE958A7310D378A954CFA5

Function 04DD8EA8 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04DD8F2E

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 12aa48636440c71e805dc2a525d65ee741ac11942be2cee81886c929c5092072
Instruction ID: 4d4018a27d23015646072e008f8cca760b907b3659dd4c548f16189f7a98024d
Opcode Fuzzy Hash: 12aa48636440c71e805dc2a525d65ee741ac11942be2cee81886c929c5092072
Instruction Fuzzy Hash: 692147B1D003098FDB14DFA9C5857EEBBF5EF48324F10842AE459A7240CB78A985CFA5

Function 04DD9570 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04DD95F0

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 233c783fac946751fbd4d9b747b481a5868a25289f648a24981fe4c3988ae349
Instruction ID: 39175c9f0ca779dc8930f2f8e5b8b0ac628831671a347382e5a4567b71dd86c9
Opcode Fuzzy Hash: 233c783fac946751fbd4d9b747b481a5868a25289f648a24981fe4c3988ae349
Instruction Fuzzy Hash: 9E2128B18003599FCB10DFAAC885ADEFBF5FF48320F508429E559A7250C735A544CBA5

Function 04DD8EB0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04DD8F2E

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6127739232f934515dd674295fec049437fed5fd7bc2b07012af35ea1cd66a6e
Instruction ID: 0b36edd6629ed47e7a597625fa6c0a0db9c67c13de8770f31db5b88138577236
Opcode Fuzzy Hash: 6127739232f934515dd674295fec049437fed5fd7bc2b07012af35ea1cd66a6e
Instruction Fuzzy Hash: E7212CB19003098FDB14DFAAC4857EEBBF5EF48324F54842AE459A7240C778A545CFA5

Function 0136D689 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0136D656,?,?,?,?,?), ref: 0136D717

Memory Dump Source

Source File: 00000000.00000002.1643286788.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2f710d1224cc3e34e7dbe3ecc1f09dd3a454535562b4eb655fd1f4816e327811
Instruction ID: 93e838206ec0b00784d2c8bfd98f8a6a28fc538ab50b80f0d2f27d039a7eaa7d
Opcode Fuzzy Hash: 2f710d1224cc3e34e7dbe3ecc1f09dd3a454535562b4eb655fd1f4816e327811
Instruction Fuzzy Hash: 0121E0B5900259DFDB10CFA9D984ADEBBF8EB48324F14841AE958A3210D378A944CFA5

Function 04DD9568 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04DD95F0

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2fc4d90d37d4e2f9badb155d8ac0cd55019d16f02a73b60b074eb0b92c9e887d
Instruction ID: 95e2645a0f4cc657fd346d6029270925169e3d8201b88f096e3e37ee608915df
Opcode Fuzzy Hash: 2fc4d90d37d4e2f9badb155d8ac0cd55019d16f02a73b60b074eb0b92c9e887d
Instruction Fuzzy Hash: 232125B1C003599FCB10DFA9C985BEEBBF5FF48320F10842AE959A7250C7389944CBA5

Function 04DD93B8 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04DD942E

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c97cede37a450881e2824d21dfe7a2d9a511ef32ecf96bbe038726f1fc2b9755
Instruction ID: ff78e9adc0f4ef86a975a901a640a07bed75c6c9ba55f1f4f110d5f86ba4ab6e
Opcode Fuzzy Hash: c97cede37a450881e2824d21dfe7a2d9a511ef32ecf96bbe038726f1fc2b9755
Instruction Fuzzy Hash: D31167B6800208CFCB10CFA9C845BEEBFF5EF48324F20881AE559A7650C775A581CFA5

Function 0136A130 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0136B079,00000800,00000000,00000000), ref: 0136B28A

Memory Dump Source

Source File: 00000000.00000002.1643286788.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 012aa5f1ec0d4c5462ec3b71711c62e875e60daafaf6bf7dc7868782c55224a4
Instruction ID: ec88a48dbebe6b9d8a1f3eee199fa04be8e95842beb59b434d3671acde85c812
Opcode Fuzzy Hash: 012aa5f1ec0d4c5462ec3b71711c62e875e60daafaf6bf7dc7868782c55224a4
Instruction Fuzzy Hash: 751126B69003098FDB10CF9AD444BDEFBF8EB48314F10842AE559A7214C375A545CFA5

Function 0136B219 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0136B079,00000800,00000000,00000000), ref: 0136B28A

Memory Dump Source

Source File: 00000000.00000002.1643286788.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 26a0f526314a75bd7625e75154e9d523089c0b98bc590eafe98e0bd24a75cbdc
Instruction ID: 6227aabefdd35ea3ef380bcf3a68142cb88b0bada10f1d5b580573268e27046a
Opcode Fuzzy Hash: 26a0f526314a75bd7625e75154e9d523089c0b98bc590eafe98e0bd24a75cbdc
Instruction Fuzzy Hash: CF1153B69003088FDB10CFAAC444ADEFFF4EB48320F10842AE859A7210C374A545CFA4

Function 04DD93C0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04DD942E

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 413c734f0962ced0c4cbf86833303a536a1abcdeac8c66b484cf253d535c6e0b
Instruction ID: ae9694094d7ed7bdf0b46a32336d46058240f894b126db628cae6c5621f480f5
Opcode Fuzzy Hash: 413c734f0962ced0c4cbf86833303a536a1abcdeac8c66b484cf253d535c6e0b
Instruction Fuzzy Hash: 611134B29002499FCB10DFAAC844BDFBFF5EF88324F208419E559A7250C775A944CFA5

Function 04DD8DF8 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04DD8E62

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c827aa4f174a4567974d6182367705f2281b3bc4249fedf73e810990a816d38f
Instruction ID: 74fe8f089ad67542d705e2dc6991343bbbb64d6144b7ea09542ebca9dff54121
Opcode Fuzzy Hash: c827aa4f174a4567974d6182367705f2281b3bc4249fedf73e810990a816d38f
Instruction Fuzzy Hash: B21158B1D003498FDB10DFAAC4457EEFBF4AB48324F20881AD059A7240C775A545CFA4

Function 04DD8E00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04DD8E62

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 72203f7c141ff08f6f6563315ddc3549c5b85f9bc28c82a99be412ec7c8b0560
Instruction ID: ecbf241b4a28de3b6e709ba1556e8cdad71b0b903ed3ea8a8fcab76a1794edcb
Opcode Fuzzy Hash: 72203f7c141ff08f6f6563315ddc3549c5b85f9bc28c82a99be412ec7c8b0560
Instruction Fuzzy Hash: 4D1125B19003488FDB20DFAAC4457EEFBF4AB88324F208429D459A7250CA75A944CFA5

Function 0136AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0136AFFE

Memory Dump Source

Source File: 00000000.00000002.1643286788.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c0e29cf1466f59c6b5e77e6fdff83c2f76577aaea81e40af40ded4649a4e3f66
Instruction ID: d8ab1d2208a7a514491fd11645979bc4fae96149f9c794bc0a38f5f36bacc3fc
Opcode Fuzzy Hash: c0e29cf1466f59c6b5e77e6fdff83c2f76577aaea81e40af40ded4649a4e3f66
Instruction Fuzzy Hash: 771110B5D003498FDB14CF9AC444BDEFBF8AB88328F10C42AD569A7214C375A545CFA1

Function 04DD7CC8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04DDBA2D

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e43c3b33421af37124110eb43c0edc84473dff8f0d2adbe5b0b612e10be4c385
Instruction ID: 6f504d4462d6108a72032a116acbe34e80bad5cb616e9da3526c8dd8a659859f
Opcode Fuzzy Hash: e43c3b33421af37124110eb43c0edc84473dff8f0d2adbe5b0b612e10be4c385
Instruction Fuzzy Hash: 3B1103B5800348DFDB10DF9AD484BEEFBF8EB48324F10841AE559A7201D3B5A984CFA5

Function 04DDB9C8 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04DDBA2D

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d3e5cd8cb657a2af99778444bfb915bbd37e957f585ddd72660b2d8b555effe2
Instruction ID: 2368b39b1dbf9fa7b41bb9ab6538a6ddaef755bbcfb43e3e32ea145d2b27b45d
Opcode Fuzzy Hash: d3e5cd8cb657a2af99778444bfb915bbd37e957f585ddd72660b2d8b555effe2
Instruction Fuzzy Hash: C311C2B5800349DFDB10DF99D589BDEBBF8AB48324F10841AE558A7610D375A584CFA1

Function 00FBD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1642311718.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fbd000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899c7cb3a2d1fef3ebe39c959d8c495f82cda103f42d987505b34ab4928044a1
Instruction ID: 52f2f169d510a351ba9b79c3b387df83f9cd303f54c483475afdafc8a06e78a2
Opcode Fuzzy Hash: 899c7cb3a2d1fef3ebe39c959d8c495f82cda103f42d987505b34ab4928044a1
Instruction Fuzzy Hash: 84213372900280DFCB05DF05D9C0B6ABF65FB88320F20C169ED090B256D336D816EFA2

Function 00FBD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1642311718.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fbd000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae450dddf68ffe2e08e7ce8206b588b503aeff94f0f7d4e9fac071cbf17444e4
Instruction ID: e18a193b1e7a7b421e676dac51a8c8e3623d8c4f130335b20c0b2f3a40f4d55d
Opcode Fuzzy Hash: ae450dddf68ffe2e08e7ce8206b588b503aeff94f0f7d4e9fac071cbf17444e4
Instruction Fuzzy Hash: F9214572900200DFCB15DF14C9C0B66BF65FB98328F28C169E8090B256D336D846EEA2

Function 00FCD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1642349352.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcd000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8cc004b166feafd32555033890b35d5c3add8b4e5d32f5c5a4b89971bb1c34e
Instruction ID: 9c403de741f4c9494a42032edf58a6befa7c87a85cc01fbfdad5cdd4f3f77153
Opcode Fuzzy Hash: d8cc004b166feafd32555033890b35d5c3add8b4e5d32f5c5a4b89971bb1c34e
Instruction Fuzzy Hash: E421F571584201DFCB14DF18D6C5F1ABBA5FB84324F20C57DD84A4B25AC336D847DA61

Function 00FCD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1642349352.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcd000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528f8ea4a808a5e2266778316450f398a7b9727f633ddf7404f61bf10db1885e
Instruction ID: 556a845e01b30d5577a1bf331f50f22e9718b407c4587c3062c101657756627b
Opcode Fuzzy Hash: 528f8ea4a808a5e2266778316450f398a7b9727f633ddf7404f61bf10db1885e
Instruction Fuzzy Hash: AF214672904201EFDB05DF14CAC1F2ABBA5FB84324F20C67DE8094B292C336D846DA61

Function 00FCD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1642349352.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcd000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92747110116f4c55f311046300e42c842ef0c55a4bdcf0ffb022eddf3cbbb537
Instruction ID: f9f98cf71fcb3facc7558f3d05d768d3e324d6d7ec3659c08fe4b35d60d69240
Opcode Fuzzy Hash: 92747110116f4c55f311046300e42c842ef0c55a4bdcf0ffb022eddf3cbbb537
Instruction Fuzzy Hash: 662183755493808FD702CF24D594B15BF71EB46314F28C5EED8498F6A7C33A980ACB62

Function 00FBD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1642311718.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fbd000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction ID: ba7d57bdfb6b4553d18fc3f68f8a9d2fc16e5d6646719ce77ea3bf2a40670b02
Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction Fuzzy Hash: D1219D76904280DFDB06CF50D9C4B56BF62FB94324F24C5A9DD090A656C33AD82ADFA2

Function 00FBD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1642311718.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fbd000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 3f09e9e397843732563c07f2d5419ebd0f12b85bb912549c4f721de356fb7245
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: D411D676904240CFCB15CF14D5C4B56BF71FB94328F28C5A9D8450B656C336D456DFA2

Function 00FCD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1642349352.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcd000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 5c6c6b25a70af572a843ba09f84a711d0b8355b1d9e75f82c114d5f15ead0a0f
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: A011BE75904240DFCB05CF10CAC4B59BB61FB84324F24C6AED8494B256C33AD80ADB51

Function 00FBD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1642311718.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fbd000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717493a002d75d9e7c1c643c01b46f4f1ee58b1133ceb00630cc66e0e6bad687
Instruction ID: 2da6fbfcb9debb0f59e42b48531bc2da11903a7b0a8f9b34d790d1cbe4819229
Opcode Fuzzy Hash: 717493a002d75d9e7c1c643c01b46f4f1ee58b1133ceb00630cc66e0e6bad687
Instruction Fuzzy Hash: DE01A7714093409AE7104A27CD847E7FF98EF55374F38C56AED094A286DA799840DAB2

Function 00FBD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1642311718.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fbd000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4647a91bcd50cf85d0cf8f09bcab4e12c5ba98a1f4dd486b22e0070f767dd0
Instruction ID: f231b4f5267658f42236f6c43c7911416f41332b9e6775d538f84efde178130c
Opcode Fuzzy Hash: cf4647a91bcd50cf85d0cf8f09bcab4e12c5ba98a1f4dd486b22e0070f767dd0
Instruction Fuzzy Hash: DAF0C2714053409EE7108A16CCC4BA2FFA8EF50734F28C45AED080A286C6799840CAB1

Non-executed Functions

Function 04DDCE38 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41af671268f659df2a44cb1ba1906da2f85ca38a86c5f61a324cc19d83853eb
Instruction ID: e01c8f881d03df767ede5174a76398261b98fa291fb3f480a15195dc91a314b9
Opcode Fuzzy Hash: e41af671268f659df2a44cb1ba1906da2f85ca38a86c5f61a324cc19d83853eb
Instruction Fuzzy Hash: C2C1CA717016009FEB29DB79C8507AAB7FBAFC9704F10846ED246DB294DB35E802CB61

Function 05350040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1646324139.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ecaacb5dd271daa5cdd5003ca05720b3bd97c1338b2ff93de2ed63a77f5d9b0
Instruction ID: 053a6f9d7dfab43ceee4e0aabd24a4a5ff4583865db42358147e093793561884
Opcode Fuzzy Hash: 9ecaacb5dd271daa5cdd5003ca05720b3bd97c1338b2ff93de2ed63a77f5d9b0
Instruction Fuzzy Hash: B612A9B1622B85DBEB10CF65F84E18A7FB2BF45318B504209E2612F6E5DFB8114ACF44

Function 04DD85D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc4f2c429e7acdb61255d573495567f81eab10c3ee13f4018bc5e794c606300
Instruction ID: fcd8fa0e1652f7a61736f468dffc61e7247f5c46531dfb0964af767ac100f2f3
Opcode Fuzzy Hash: 7bc4f2c429e7acdb61255d573495567f81eab10c3ee13f4018bc5e794c606300
Instruction Fuzzy Hash: 61E10C74E1021A8FCB14DFA9C5809AEFBF2FF89304F248169E455AB35AD730A941DF61

Function 04DD6560 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bff449080a697ad203bb257c82962bfbbc3706acb118f94e6b390001389b820
Instruction ID: a886caf07f2fe714f10e62d763de82a73965b6f3a4c64340f639c76eace89165
Opcode Fuzzy Hash: 8bff449080a697ad203bb257c82962bfbbc3706acb118f94e6b390001389b820
Instruction Fuzzy Hash: F7E1DA74E1011A8FCB14DFA9C5809AEFBF2FF89305F248169E415AB35AD731A941CFA1

Function 04DD6DD0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438003a3a34a0ab688a4fa467fe80281f9cd98a2a136cf5d227303e9bdc0fef3
Instruction ID: edbfbc18ec9bcfe8ae457e2e48b1398bc3a51e2764d590ae56c5fd00f2ed4b03
Opcode Fuzzy Hash: 438003a3a34a0ab688a4fa467fe80281f9cd98a2a136cf5d227303e9bdc0fef3
Instruction Fuzzy Hash: 06E1CA74E1011A8FCB14DFA9C5809AEFBF2FF89304F249169E415AB356D731A941CFA1

Function 04DD8F88 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6ddcf80d3648e8f7290f07647321050bc21a4b221db05f05e154a783e0c09a
Instruction ID: 65bdb3f6a80d7f1387d999d476bd6cfce710209d10c460ddebe61ad973596487
Opcode Fuzzy Hash: fb6ddcf80d3648e8f7290f07647321050bc21a4b221db05f05e154a783e0c09a
Instruction Fuzzy Hash: D6E1EAB4E1011A8FCB14DFA9C5909AEFBF2BF89304F248169E415AB356D731A941CFA1

Function 04DD6998 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a081ef347dd3807fde001a3ba710cc68dbdd92c0b4734fe5bc4d530d3c7426db
Instruction ID: a14daab7d566238c3a74b7b95787b007ca73fd7fce2ccee4a20ff92dc2e748c0
Opcode Fuzzy Hash: a081ef347dd3807fde001a3ba710cc68dbdd92c0b4734fe5bc4d530d3c7426db
Instruction Fuzzy Hash: 45E1FB74E1011A8FCB14DFA9D5809AEFBF2FF89304F248169E415AB35AD731A941CFA1

Function 0136D5BC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1643286788.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1360000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a60c6fd81fc89eb47aca762ddce58213fae4c414eb0a9d9fcbe2dbc0c18cad
Instruction ID: ea5d8476f95d9a7d92433e28de575612bd649297319d2a830e6a342e040ce169
Opcode Fuzzy Hash: f2a60c6fd81fc89eb47aca762ddce58213fae4c414eb0a9d9fcbe2dbc0c18cad
Instruction Fuzzy Hash: F0A1A232E10216CFCF05DFB8D8545DEBBBAFF85304B14856AE901AB269DB71E915CB40

Function 05350006 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1646324139.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5350000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9319f37a9e06ffd83430b16291d86122b954765d8205b985107c8d12aec2fd
Instruction ID: 7dc81ec558e5da9d64b5a956509e07e2a2e1b28b1eef11e998f4e3726d0f04de
Opcode Fuzzy Hash: 0f9319f37a9e06ffd83430b16291d86122b954765d8205b985107c8d12aec2fd
Instruction Fuzzy Hash: 6DC13BB1621B869BEB10CF25F84E18A7FB2BF45324F514209E1616B6E5DFB8144ACF44

Function 04DD6548 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068bd153ed3efcf63aa228a9a5c412d5c22a22d2d61df825b4f9ce161a8b971c
Instruction ID: 5475746cb4370f491a4b70d74665ff83d360061f4547ffc4e4f62cf316102be3
Opcode Fuzzy Hash: 068bd153ed3efcf63aa228a9a5c412d5c22a22d2d61df825b4f9ce161a8b971c
Instruction Fuzzy Hash: 11513E75E1421A8FDB14DFA9C9805AEFBF2BF89304F14C1AAD418A7356D730A941CFA1

Function 04DD6988 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f736d3334a9ab8796c0059f0020b294c535acfa4ff023162548f3e4f71e89e9
Instruction ID: 8ea6781c129ae1a9238a705e0f3b44661141593b81d589dc0ba1a7cf54048792
Opcode Fuzzy Hash: 5f736d3334a9ab8796c0059f0020b294c535acfa4ff023162548f3e4f71e89e9
Instruction Fuzzy Hash: 7E511B75E1521A8FCB14DFA9D5805AEFBF2BF89304F24C16AD418A7316D730A941CFA1

Function 04DD8F77 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1645945112.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4dd0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4bc4e48f03bb732e38724ee6cac0461b73b104a7dd98b243ca0b71f5a3335d
Instruction ID: 75e8d64c618d55308b43976d0d9de41e9d466ddae884498a8035310567cab04e
Opcode Fuzzy Hash: dd4bc4e48f03bb732e38724ee6cac0461b73b104a7dd98b243ca0b71f5a3335d
Instruction Fuzzy Hash: D7513AB4E1421A8FCB14DFA9D5405AEFBF2BF89300F24C16AD418A7316D731A941CFA0

Analysis Process: PRE ALERT Docs_PONBOM01577.xlsx.exePID: 7180, Parent PID: 4464COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	163
Total number of Limit Nodes:	17

Executed Functions

Function 06A13018 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A1374C
$^q, xrefs: 06A13723
$^q, xrefs: 06A13740
$^q, xrefs: 06A13717
$^q, xrefs: 06A13764
$^q, xrefs: 06A13770

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 3f31105b65561770ad193be3c747ffc23a67698d54fd1f8a0e62a9d14d31de55
Instruction ID: 82728fa281e91735c397981cdf86154d7f975ae695d313c655894eb89005984a
Opcode Fuzzy Hash: 3f31105b65561770ad193be3c747ffc23a67698d54fd1f8a0e62a9d14d31de55
Instruction Fuzzy Hash: C2322031E1061ACFDB54EF75C9945ADB7B6FF89300F10C6AAD409AB254EB30A985CB81

Function 06A178F8 Relevance: 3.0, Strings: 2, Instructions: 482
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A17C35
$^q, xrefs: 06A17C41

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 4b42a6f3c505f439d90a2d8a1e834508b97194e563f364706429f8754c57d269
Instruction ID: 8fea8b271e62bdb5ff2ab703653a7b52d1a65b4db6c43ba54656b65a4e93a57b
Opcode Fuzzy Hash: 4b42a6f3c505f439d90a2d8a1e834508b97194e563f364706429f8754c57d269
Instruction Fuzzy Hash: 76028C30B002168FDB54EF69D590AAEB7E2FF84304F248529D41A9F395DB31ED46CB91

Function 06A12340 Relevance: 1.0, Instructions: 1014COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8cf7df8d38370968c73cb6efafdb9de8efd7c489a5d26659445e3a5e437ae9
Instruction ID: 9258278966103d75131b016cd31c47366e2aa7a355c757ad040facaf0549ae8b
Opcode Fuzzy Hash: be8cf7df8d38370968c73cb6efafdb9de8efd7c489a5d26659445e3a5e437ae9
Instruction Fuzzy Hash: 59924634A002048FDB64EB68C584B9DB7F2FF45314F5484A9D45AAF365DB35EE86CB80

Function 06A16160 Relevance: .8, Instructions: 828COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37792c1574d8ccd8ba057015f29b46e71403db3a32e069874876583a11becdf
Instruction ID: 79e241f9c380f51b45fabca7c1ab649a27e9ac012e1f5df42398d589d58574e2
Opcode Fuzzy Hash: d37792c1574d8ccd8ba057015f29b46e71403db3a32e069874876583a11becdf
Instruction Fuzzy Hash: 0462AE30B002188FDB54EB68D594AADB7F2EF88314F149569E806EF395DB35ED42CB80

Function 06A1C0F8 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309a55ba573815fd0aa827cd52ffc2d31cb555d378db30f3e9ac0ace4022c74e
Instruction ID: 027f63d86954cd5b3a0f3f953b1dc637f288ad249d3f9cab5020ff83c92fb3c4
Opcode Fuzzy Hash: 309a55ba573815fd0aa827cd52ffc2d31cb555d378db30f3e9ac0ace4022c74e
Instruction Fuzzy Hash: 2F329F35B40209DFDB54EB68D990BAEB7B2EB88324F108529D406EF355DB39DC428B91

Function 06A15150 Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126bae3324fc009837f665c6f3171eb7522b84cd885a7a7c6921cac9194b6fde
Instruction ID: 82c889afb39ba86e95e4ea3c06a48b2535c9a8d566ae6e816312c05b6113d37d
Opcode Fuzzy Hash: 126bae3324fc009837f665c6f3171eb7522b84cd885a7a7c6921cac9194b6fde
Instruction Fuzzy Hash: 5812F271F002159FDB65AF68C8907AEB7B6EF85310F20846AD84ADF381DA34DC46CB91

Function 06A1AD90 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb5e3ee774e65bbca3327dd49f86ef7425f0e739990c823a2fb23c1cb1293a4
Instruction ID: 48ffb2b97d874ccf0eca445692a09c4483865dfd9fdc30919c74ab6a45bb161d
Opcode Fuzzy Hash: ebb5e3ee774e65bbca3327dd49f86ef7425f0e739990c823a2fb23c1cb1293a4
Instruction Fuzzy Hash: AB227130E112098FDF64EB68D5907AEB7B6FB49310F208926E459DF391DA35DC82CB61

Function 06A1A838 Relevance: 10.4, Strings: 8, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A1A959
$^q, xrefs: 06A1A9DB
$^q, xrefs: 06A1AA10
$^q, xrefs: 06A1A965
$^q, xrefs: 06A1A9B8
$^q, xrefs: 06A1A9E7
$^q, xrefs: 06A1AA04
$^q, xrefs: 06A1A9AC

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 49461007392ae33b575f629966ac8a217c1f76c61968a96d3e8f485a0736c2a6
Instruction ID: 95e86585b4d11d06d1b59ced055ef9ac8a14360c35108b128cb6920f1a467d54
Opcode Fuzzy Hash: 49461007392ae33b575f629966ac8a217c1f76c61968a96d3e8f485a0736c2a6
Instruction Fuzzy Hash: A3E16D30F1120A8FDB65EF69D9906AEB7B2FF85304F208529D50AAF355DB31D846CB81

Function 069C6B19 Relevance: 6.1, APIs: 4, Instructions: 139
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 069C6BA6
GetCurrentThread.KERNEL32 ref: 069C6BE3
GetCurrentProcess.KERNEL32 ref: 069C6C20
GetCurrentThreadId.KERNEL32 ref: 069C6C79

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8ecdc9cd0ce7062ab721deb2b8078420a2838bc9915b28e704b49d3ff2dcf2e8
Instruction ID: a3d461ac03396274dfc6f43c523d5c1237f0568e9068223eb62510f2b19d4ac2
Opcode Fuzzy Hash: 8ecdc9cd0ce7062ab721deb2b8078420a2838bc9915b28e704b49d3ff2dcf2e8
Instruction Fuzzy Hash: F65176B0900309CFCB44DFAAD948BDEBBF1EB48314F208059E009A7360D735A984CB66

Function 069C6B28 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 069C6BA6
GetCurrentThread.KERNEL32 ref: 069C6BE3
GetCurrentProcess.KERNEL32 ref: 069C6C20
GetCurrentThreadId.KERNEL32 ref: 069C6C79

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: dd7dda14ab0960983566538e75c60af3f9a3577c6927538ee453456db878eedc
Instruction ID: 8332857d289477751007290b574a68426b783f936f66618cce26eef61a1d9daf
Opcode Fuzzy Hash: dd7dda14ab0960983566538e75c60af3f9a3577c6927538ee453456db878eedc
Instruction Fuzzy Hash: 505145B0900309CFDB54DFAAD948B9EBBF1EB48314F208469E01AA7760D775A944CB66

Function 06A18CC8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A18D56
$^q, xrefs: 06A18D4A
$^q, xrefs: 06A18D0F
$^q, xrefs: 06A18D1B

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 3fe3a8d2538e7a7b72b6d6c79d75c3e68efd7955118472e3c4e3024850c83836
Instruction ID: 0cca582a4c4170d9eab26197f879cc428b7d8298d63eb72f947dece6d08610aa
Opcode Fuzzy Hash: 3fe3a8d2538e7a7b72b6d6c79d75c3e68efd7955118472e3c4e3024850c83836
Instruction Fuzzy Hash: 2F914F30B1021A9FDB54EF65D9507AEB3F6AFC9204F10856AD41AEB384EB30DD468B91

Function 06A1CEC8 Relevance: 4.6, Strings: 3, Instructions: 804
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A1D2D3
$^q, xrefs: 06A1D2BF
$^q, xrefs: 06A1D2C7

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 6cd121a24cf1517d1bb33ec4c46010ec83dc883b21e3b46419e84e6e77aedd21
Instruction ID: 1f77441229c0eb791765208b987c2a8105ba6875cd1f80c6e8c62c3a20e49930
Opcode Fuzzy Hash: 6cd121a24cf1517d1bb33ec4c46010ec83dc883b21e3b46419e84e6e77aedd21
Instruction Fuzzy Hash: 3E622E31A40206DFCB55EB68D590A5EB7F2FF84304F248A69D0099F759EB71ED4ACB80

Function 06A14718 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06A14845
fcq, xrefs: 06A14E25
\Ocq, xrefs: 06A148CF

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: dc536dc9be6a2b2d93066ebcb698af71dfd3a962df19fb02daac7da6a6da64cf
Instruction ID: 8886e54d762279a5261be88edb17e2997a7470ef1b7a491b17ed0c8825b14ebc
Opcode Fuzzy Hash: dc536dc9be6a2b2d93066ebcb698af71dfd3a962df19fb02daac7da6a6da64cf
Instruction Fuzzy Hash: 17617030F002199FEB55AFA9C8547AEBBF6FF88700F208429D10AAF395DB754C458B91

Function 06A18CB7 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06A18D4A
$^q, xrefs: 06A18D0F

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: feb08fd3a833e1b4274b00276e97f52d29121013ab8f13372fda9cf933fb4492
Instruction ID: b41376ea0f3ad635ef7895e7f1caa29e9aa5d9079cc6bb430f0d6d384dffe0b2
Opcode Fuzzy Hash: feb08fd3a833e1b4274b00276e97f52d29121013ab8f13372fda9cf933fb4492
Instruction Fuzzy Hash: 90515430B102169FDB54EF75D950B6F73F6ABC8644F10856AC41ADB384EB34DC428B95

Function 069C328D Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069C33AA

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9120e1d9ab0f25cb26df70a6f6911ed30d02cd8fdcf2be29b910ec8d19b217c3
Instruction ID: 27a8912f1ef3e331cb40a485ce05ed759267a6322ed6f6a0fbd155729c30e223
Opcode Fuzzy Hash: 9120e1d9ab0f25cb26df70a6f6911ed30d02cd8fdcf2be29b910ec8d19b217c3
Instruction Fuzzy Hash: 6151B1B1D00309EFDB14CFA9C884ADEBBB5BF48710F64812AE419AB210D7759985CF95

Function 069C3298 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069C33AA

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 10c5be766c8d10ae6a03f7699d0bc5f34d9123699c29fda57d0aec716a9afa22
Instruction ID: c7774c6cfca3707c641f5075364f9fd54aae9fa76536d9c07e85455dddb09bdf
Opcode Fuzzy Hash: 10c5be766c8d10ae6a03f7699d0bc5f34d9123699c29fda57d0aec716a9afa22
Instruction Fuzzy Hash: 3541B0B1D00309DFDB14CFAAC984ADEFBB5BF48310F64812AE419AB210D7759945CF91

Function 069C6ADC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 069C7CC9

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a32c8c4492d06468c92e2b8a5fae1888ca8e52fa8721dec90273c0af4f708d02
Instruction ID: 1fcefe2b5441e6b067e93725fa9945ba248e9da2cacca62e13fcb52906790d80
Opcode Fuzzy Hash: a32c8c4492d06468c92e2b8a5fae1888ca8e52fa8721dec90273c0af4f708d02
Instruction Fuzzy Hash: 1B4129B4900309CFCB54CF99C488AAABBF5FB88324F24C859D519AB761D734A941CFA1

Function 02C077E4 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 02C086C0

Memory Dump Source

Source File: 00000002.00000002.4098752200.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c00000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: b62875715b0f42e821afa4c7cf8d75237da31365bd316a65cb0d30e529f5a6ed
Instruction ID: 8d4fbfc0bd4cf7c30cae81ae76a49e4940c57f0023bb14003aa81708c35205c1
Opcode Fuzzy Hash: b62875715b0f42e821afa4c7cf8d75237da31365bd316a65cb0d30e529f5a6ed
Instruction Fuzzy Hash: 20319FB1C053589FCB01CFA9D884ADEBFF4FF89320F15819AD858AB291C7345944CBA5

Function 069C8944 Relevance: 1.6, APIs: 1, Instructions: 72comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 069C89D8

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 03e2ddd8feff2e7ac5b227f6a1848317a2996ab922f283fdab6f8a0c4dfe7a4d
Instruction ID: 9d3f1305533a67f6a98da8befb6a8823aae410f64e0dc19b58f68aa5f8f62a1c
Opcode Fuzzy Hash: 03e2ddd8feff2e7ac5b227f6a1848317a2996ab922f283fdab6f8a0c4dfe7a4d
Instruction Fuzzy Hash: D73102B0D01249DFDB54CFA8C984BDEBFF5AB48314F248059E408BB294DB746945CF55

Function 069C8950 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 069C89D8

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: f2e88260d1e8ac6d4154c21eab9725a472abdb85bf01a0ce6984cba18ebbd69e
Instruction ID: d9b6dd48ff1a072bb41a6ffbad16ef8fad3ab80e13a20de0d4e5b52223b072de
Opcode Fuzzy Hash: f2e88260d1e8ac6d4154c21eab9725a472abdb85bf01a0ce6984cba18ebbd69e
Instruction Fuzzy Hash: F331E0B0D01208DFDB14CF99C984BCEBBF5AB48324F248059E404AB294DB74A945CFA6

Function 069C6D68 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069C6DF7

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 782fec0c6cd73f0d269e5cb3187d9a86dcb120f89b1de6901b5fccbbbe85e68a
Instruction ID: 2d0229632fea8f8261c1f2a7ee4773da4bd70c761445a56d72d4eaf9d64903b4
Opcode Fuzzy Hash: 782fec0c6cd73f0d269e5cb3187d9a86dcb120f89b1de6901b5fccbbbe85e68a
Instruction Fuzzy Hash: 5B2105B5900248EFDB10CFAAD984ADEFFF8EB48320F14841AE954A3310C374A940DFA5

Function 02C07808 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 02C086C0

Memory Dump Source

Source File: 00000002.00000002.4098752200.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c00000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: b01fd50881e3add27381ab5d410c6900d5dd0ac1d3bbca21bc72c731258bc429
Instruction ID: 4c1539171108c72743de36eeaaff9f1447dc0e658f05ab8c642dd025e4faae6d
Opcode Fuzzy Hash: b01fd50881e3add27381ab5d410c6900d5dd0ac1d3bbca21bc72c731258bc429
Instruction Fuzzy Hash: 702125B6C01218DFCB10CF99D884ADEFBF5FB88310F15815AE818AB244C7759A40CBA4

Function 02C08628 Relevance: 1.6, APIs: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 02C086C0

Memory Dump Source

Source File: 00000002.00000002.4098752200.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c00000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 9da11b67062fd19a0e05e7058d36c380b732d44f1c1db64e46fa6a67b225104d
Instruction ID: 32a54a1a43f817882af6879902293b6af842bc8269a1f1b8ac2137be821c9e83
Opcode Fuzzy Hash: 9da11b67062fd19a0e05e7058d36c380b732d44f1c1db64e46fa6a67b225104d
Instruction Fuzzy Hash: 882125B6C01208DFCB10CF99D484ADEFFB1BB88310F25815AE818AB354C3359A41CFA4

Function 069CA708 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 069CA78B

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: de2de0b60ddb94250c433905e136c5422840033b47f6b7d6a9c6055d8d51b8b5
Instruction ID: 703544495c8abbaead64fa9763383911f37ef9508b32120764983406743b61ad
Opcode Fuzzy Hash: de2de0b60ddb94250c433905e136c5422840033b47f6b7d6a9c6055d8d51b8b5
Instruction Fuzzy Hash: 682115B5D002099FCB54CFAAC944BDEFBF9FB88320F108429E459A7250C774A944CFA5

Function 069C6D70 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069C6DF7

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4c2ec623ad7e8a15f3a028c205dbdb4411dd080dc32f8d103d6a330153616610
Instruction ID: 21b1b554b9fbe176d6b67d630e8bb2fe1f3aa098dece352bab9593cadb556eb4
Opcode Fuzzy Hash: 4c2ec623ad7e8a15f3a028c205dbdb4411dd080dc32f8d103d6a330153616610
Instruction Fuzzy Hash: AC21B0B59002589FDB10CFAAD984ADEFBF8EB48320F14841AE958A7250D374A954CFA5

Function 069C7D5C Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,069C8315), ref: 069C839F

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b54dd16285304c9a8a29e712dfa5b5ac9eb35e23f1a4fd2879dca77f36459a34
Instruction ID: a3e86823adf166a3ecfc5c6672aca0dbf9ad3a1e01781ae77836abab17274690
Opcode Fuzzy Hash: b54dd16285304c9a8a29e712dfa5b5ac9eb35e23f1a4fd2879dca77f36459a34
Instruction Fuzzy Hash: 51218EB18093988FCB11DFADC954BDEBFF4EF4A320F15409AD494A7251C374A944CBA9

Function 069C21D3 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 069C2256

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 449e0a6b1370ed03cb67bcf5f522d3d1d00cb6a110e023b8c7bea6584192d516
Instruction ID: de687ec3f68444a00ebc29275730d02934281ec50119c66c2e5f4569f14079e3
Opcode Fuzzy Hash: 449e0a6b1370ed03cb67bcf5f522d3d1d00cb6a110e023b8c7bea6584192d516
Instruction Fuzzy Hash: B8213AB1C053888FCB15CFAAC844ACEBFF4EF49220F14859AD458A7651C3746545CFA6

Function 069CA710 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 069CA78B

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 9acdbb55a2108983026a445e4771e57aafa5c67392994d4368860dd89fcf7a9b
Instruction ID: 598049fc6821c26c3a3bfcb24a61393dcede60f38c89b63777dfb72cec5f9aa3
Opcode Fuzzy Hash: 9acdbb55a2108983026a445e4771e57aafa5c67392994d4368860dd89fcf7a9b
Instruction Fuzzy Hash: DB21E5B5D002099FCB54DF99C944BDEFBF5BB88324F108429D459A7250C774A944CFA5

Function 02C08058 Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 02C080D0

Memory Dump Source

Source File: 00000002.00000002.4098752200.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c00000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ce09f0e67b84105fd561bf33a4dd328a38ed1a6648aa3a541df2a24d139a2b9d
Instruction ID: 8b75ed54d23b1b4fac952a9e56152facc532a3e2a25d490460c9dac7f6b668d7
Opcode Fuzzy Hash: ce09f0e67b84105fd561bf33a4dd328a38ed1a6648aa3a541df2a24d139a2b9d
Instruction Fuzzy Hash: D52138B1C00659CFCB14CF99D544BEEFBB4BB48324F118269D458B7250D374AA40CFA5

Function 02C0F412 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 02C0F47F

Memory Dump Source

Source File: 00000002.00000002.4098752200.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c00000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 1638cb2cd121b0cfedf01c384d72123f58972ec68cd7e09dc529c74fd1cf454b
Instruction ID: 38a829122408eb2a71092598e9ed4054b263ce34a71387edb09524603ff01a90
Opcode Fuzzy Hash: 1638cb2cd121b0cfedf01c384d72123f58972ec68cd7e09dc529c74fd1cf454b
Instruction Fuzzy Hash: 291114B1C006599BCB10DF9AC544BDEFBF8BB48324F15816AE818B7250D778A944CFE5

Function 02C08060 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 02C080D0

Memory Dump Source

Source File: 00000002.00000002.4098752200.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c00000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b1ff3b64d2fffd42638488e32605f70c7ec4cc690f202c26b1ebe3b126e22f85
Instruction ID: 3217aac7487aec0d24cdab981979a06c508c594bd41fdbd3e3a53e7bb94ad53e
Opcode Fuzzy Hash: b1ff3b64d2fffd42638488e32605f70c7ec4cc690f202c26b1ebe3b126e22f85
Instruction Fuzzy Hash: C11133B1C0061A9BCB10CF9AC544BDEFBB4BB48324F11826AD858B7250D378AA40CFE5

Function 02C0F418 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 02C0F47F

Memory Dump Source

Source File: 00000002.00000002.4098752200.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c00000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: edb105c2b3c9c3d411aed313a6c3679463897547e7c345be96c393a71148a66d
Instruction ID: 3fa1efcddf0821d31bb29591939b776400f603fb6acb1c799524319f1d7b1278
Opcode Fuzzy Hash: edb105c2b3c9c3d411aed313a6c3679463897547e7c345be96c393a71148a66d
Instruction Fuzzy Hash: 9E1123B1C002699BCB10CF9AC544BDEFBF4BF48320F15816AD818B7250D778A940CFA5

Function 069C0804 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 069C2256

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 465a0d95b8b95dc8909385c720a4c0e1f3b0be1430ac661ddb3cef7029bb0f69
Instruction ID: 45811c8b7c743218a5302e5ef5f24d003a354f4c2059335e016c425db858108e
Opcode Fuzzy Hash: 465a0d95b8b95dc8909385c720a4c0e1f3b0be1430ac661ddb3cef7029bb0f69
Instruction Fuzzy Hash: 311104B5C003498FCB14DF9AC444ADEFBF8EB49224F10846AD419B7610C375A645CFA5

Function 069C8338 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,069C8315), ref: 069C839F

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d789ebf768a9ca1f9d74c5db5c7aa14c6dadc238a94b9777078d8fbb6a25076f
Instruction ID: 0698f65471fa363015fe0504ecdfd0435847546f892d820857737cd33db6d95f
Opcode Fuzzy Hash: d789ebf768a9ca1f9d74c5db5c7aa14c6dadc238a94b9777078d8fbb6a25076f
Instruction Fuzzy Hash: E01145B5800248DFCB10CF9AC844BDEFFF8EB48320F208459E419A7650C374A940CFA5

Function 069C7FB4 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 069C885D

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 25600d10af876207bef13aad3c9029224598950585b9bdb9465ab85f563bd8db
Instruction ID: dea6702f9aba8afa49b95fd4e32ca0a5f6a4213a1d8902969208a5841326f9ef
Opcode Fuzzy Hash: 25600d10af876207bef13aad3c9029224598950585b9bdb9465ab85f563bd8db
Instruction Fuzzy Hash: 781103B19003488FDB20DF9AD544BDEFFF8EB48324F208459E519A7610C378A944CFA5

Function 069C7D7C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,069C8315), ref: 069C839F

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d6dd1093f220bb43443f43a5f3a759b169a6d64f8758f3806283eac250136204
Instruction ID: 5ba7aa8794625cb5be5d2103fbc27f26a3febfa7ee9b84cefe57661b553d4539
Opcode Fuzzy Hash: d6dd1093f220bb43443f43a5f3a759b169a6d64f8758f3806283eac250136204
Instruction Fuzzy Hash: 8D11F2B1900248CFCB50DF9AC544BDEFFF8EB48324F208459E559A7650C375A944CFA5

Function 069C8801 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 069C885D

Memory Dump Source

Source File: 00000002.00000002.4116338815.00000000069C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_69c0000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 4a6660526f61aa4e2e9cc1110715e87ddb3ed38837efce56c04dc9d0e727ce31
Instruction ID: c0063b2efb5b627246b0b8b74a86efa7471fd58f4589c770863158806fba795b
Opcode Fuzzy Hash: 4a6660526f61aa4e2e9cc1110715e87ddb3ed38837efce56c04dc9d0e727ce31
Instruction Fuzzy Hash: 2A1103B59003498FDB20DFAAD544BDEFFF8EB48320F248459E559A7610C374A584CFA5

Function 06A1DA3D Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06A1DB99

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: b7249dd15b1de555958ab28e7b962b317696f1b4ae5c65e354b74b60f4c879ac
Instruction ID: 9932544c0c2a84b8185a56f8f3e737766107b2908475f3eeaddb5e03def649c6
Opcode Fuzzy Hash: b7249dd15b1de555958ab28e7b962b317696f1b4ae5c65e354b74b60f4c879ac
Instruction Fuzzy Hash: D741CF71E0420A9FDB65FFA5C45069EBBB6BF85300F104929E406EF240DB70E946CB91

Function 06A14708 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

XPcq, xrefs: 06A14845

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: d818e2de63bc52765a186bef620ed9b83a3b4373ee2b4d77b3c207f623f56a07
Instruction ID: d1649a311aea1cc413e4977c6c568e3f8c8cd2ed8d3c69a388760533e93fed53
Opcode Fuzzy Hash: d818e2de63bc52765a186bef620ed9b83a3b4373ee2b4d77b3c207f623f56a07
Instruction Fuzzy Hash: 3F415F70F002199FDB559FA9C854BAEBBF7FF88700F208529E106AB395DA718C058B91

Function 06A121B5 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06A12303

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 87de7bdf6be4128ed32b923a9f5dd4745ae60b28e4e9d345743efc38107f2c8a
Instruction ID: 5ea31a14e345a1864e39d741191f2b263a213dfa465b9478174bbe5b889922bf
Opcode Fuzzy Hash: 87de7bdf6be4128ed32b923a9f5dd4745ae60b28e4e9d345743efc38107f2c8a
Instruction Fuzzy Hash: D131F030B102028FDB59AB74C56476EBBE2AF89204F1485B8D006DF385EE35CD86CBA5

Function 06A121C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06A12303

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: e6f8099623af4134f61fab9b7576872c1e340e771382f4f99f01193fea945b88
Instruction ID: 83585636dd9d317fac8ca71687c189fd548a3f79378a14db0580829f90dd884a
Opcode Fuzzy Hash: e6f8099623af4134f61fab9b7576872c1e340e771382f4f99f01193fea945b88
Instruction Fuzzy Hash: DE31E030B102018FDB59AB74D51476EBBE7AB89200F208578D406DF384EE75DD86CBA5

Function 06A1FAE0 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

|, xrefs: 06A1FB40

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: dc4807cd9a747b2c89a3abc69ee79c91e0c0eef517fd0457ba322862d5aaa01a
Instruction ID: 3d035c4fe8b244403146194c125cdc138016cfd7aae3ab750d89fffbb52fabc8
Opcode Fuzzy Hash: dc4807cd9a747b2c89a3abc69ee79c91e0c0eef517fd0457ba322862d5aaa01a
Instruction Fuzzy Hash: 9C117F75B002149FDB44AB78C814BAE77F6AF4C710F148469E60AEB3A0DB359D018B94

Function 06A1FAF0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 06A1FB40

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 693bfef2981dbf03f0214b5bb787d97b31aab381e2d960578c71839c49f0125a
Instruction ID: 7cb464b8992452331b3ee05893a4084b164dbfb92b25b0deadece96530295c6f
Opcode Fuzzy Hash: 693bfef2981dbf03f0214b5bb787d97b31aab381e2d960578c71839c49f0125a
Instruction Fuzzy Hash: 4D115B70B042249FDB44AF78C814B6E7BF2AF8C710F148469E60AEB3A5DB359901CB81

Function 06A15D58 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb6a06fb67d8c17950f3569c927e2128838193be295e83e3921a062303d0eb0
Instruction ID: 3e93af74ae67bc6e48715d189473fc6d8ab7cbecd4f9dd7dcffbd1ae7fc8577f
Opcode Fuzzy Hash: fdb6a06fb67d8c17950f3569c927e2128838193be295e83e3921a062303d0eb0
Instruction Fuzzy Hash: 5861B1B1F000114FCB55AB7EC88866FAAD7AFC5614B15443AD80EDF364EE65DD0287D2

Function 06A13E51 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3094ad7b6304685c40b5d7a0a62bd50f3df80625d9cdee2ab29bb6b1037c6acc
Instruction ID: a954e1dfa1abf7a4abc648005140b1811c63df762ecc1f1bed7eca11bac57538
Opcode Fuzzy Hash: 3094ad7b6304685c40b5d7a0a62bd50f3df80625d9cdee2ab29bb6b1037c6acc
Instruction Fuzzy Hash: 8E814D30B002099FDF54EFA9D5546AEB7F2AF89304F148529D40AEF394EB74DC428B91

Function 06A1416C Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8357cf0883aa3258c12920011434e85833d70655adcb7c33129d7fc3408de81a
Instruction ID: 8a0fb992866a6976325d0e55ea6d0f6d4e0df182caef5eb98a7219392477fd4c
Opcode Fuzzy Hash: 8357cf0883aa3258c12920011434e85833d70655adcb7c33129d7fc3408de81a
Instruction Fuzzy Hash: 2E913E34E102198FDF60DF68C890B9DB7B1FF89304F208695D549AB295DB70AA86CF51

Function 06A14180 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c590f1675489e6278e5e6a93d8fda47c9c454a2b6d302169ed6062cab12f787
Instruction ID: f9406047603e887c425e0f4432dd962bc31ddd461b0f114127e157b66ba75c57
Opcode Fuzzy Hash: 1c590f1675489e6278e5e6a93d8fda47c9c454a2b6d302169ed6062cab12f787
Instruction Fuzzy Hash: 89914E34E102198BDF60DF68C890B9DB7B1FF89304F208695D549BB295DB70AA86CF51

Function 06A1EA90 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3d371d6984cbcea363a4aa0f11cfcd6a2f8c7bbf704c61aeeb48d99adaaa4f
Instruction ID: 1c5362e4a3a5d5c4829877bc82d55f85e3a9ca5c0927b7021f9057fd70697bf6
Opcode Fuzzy Hash: 2a3d371d6984cbcea363a4aa0f11cfcd6a2f8c7bbf704c61aeeb48d99adaaa4f
Instruction Fuzzy Hash: 23713A71A012099FDB54EFA8D990A9EBBF6FF88300F248429E405EB355DB30E846CB50

Function 06A1EAA0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeeffed15d341c2ba77e5c7fc32562189f09a6a15cd4a5cfe551c30d784d31e1
Instruction ID: 69609090d223df623801b51bc8d16fb1a7f22ab33d579253fb209e97ba87782d
Opcode Fuzzy Hash: eeeffed15d341c2ba77e5c7fc32562189f09a6a15cd4a5cfe551c30d784d31e1
Instruction Fuzzy Hash: CD711931A002099FDB55EFA9D990A9EBBF6FF88304F248429D415EB355DB30ED46CB50

Function 06A1F720 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f007c39a8ba725de06e816b347fd7bda27df5e48974683f609e7f187667f8ef
Instruction ID: e8546a866606b2c081bb015762d62f48a9b8168568b6182421f3d96b53e05d59
Opcode Fuzzy Hash: 5f007c39a8ba725de06e816b347fd7bda27df5e48974683f609e7f187667f8ef
Instruction Fuzzy Hash: FE51C031E01145EFDB54BF78E8546ADBBF2EB84315F10886AE10ADF250DB319946CB91

Function 06A1F4D0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931c1d673b5f72d8c66cb92f737f9c6ed49c772ec1c0b592a030d248f2fb074c
Instruction ID: 2cea22968377f5c9ea580d8b267be2300960809c67c33ba13807ab50bd13842f
Opcode Fuzzy Hash: 931c1d673b5f72d8c66cb92f737f9c6ed49c772ec1c0b592a030d248f2fb074c
Instruction Fuzzy Hash: 6751B331B10294DFEF646B6CD99476F269ED789310F20482AE50ADF3A4DA39CC468792

Function 06A1F4E0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f18505b4a165232dfe7e3fa09dd3ef4c4e6b12e544990462ff8b9d57eda486a
Instruction ID: 89b4d4f0f7d1d4a01faaf14e55ea1f976e4a03662144451221cd9474a1d5ea36
Opcode Fuzzy Hash: 5f18505b4a165232dfe7e3fa09dd3ef4c4e6b12e544990462ff8b9d57eda486a
Instruction Fuzzy Hash: 2851A531B10294DFEF647B6CD99472F269ED789350F20482AE10ADF3A4DA79CC458792

Function 06A14FC0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd67da28b259b05a5fe0e648c06e53d6f3240930141458d3067fcf0682d7cc7
Instruction ID: 27bfb4494313c801c80c1b2c1e8663fbe7a647a0fcd9fbbc9ed61cca976afd10
Opcode Fuzzy Hash: 0cd67da28b259b05a5fe0e648c06e53d6f3240930141458d3067fcf0682d7cc7
Instruction Fuzzy Hash: 2C414BB2E006099FDF70DFA9D8C0AAFFBF6EB84314F10492AD156DB640D731A9458B91

Function 06A12078 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24c54a1ac940e0e24066613f14ec61e7b4017a470e050c4620f997ea9f1d75a
Instruction ID: db2ea51f37faf1bb1062e9ee1bc4b212d5db2657c6fd548c262835090c6b1993
Opcode Fuzzy Hash: e24c54a1ac940e0e24066613f14ec61e7b4017a470e050c4620f997ea9f1d75a
Instruction Fuzzy Hash: F2317C31E002059FCB45DFA4D85469EBBF2FF89300F148929E916EB750DB31E982CB50

Function 06A12088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11fa36163a11619feefc48d1cc6601e8ecefa9a72bd5bc3aaf0b9b124af131e
Instruction ID: 9b2ed1d4c80882b3062d4f689176e777eb7eafddae71d1168aac8fab5ef1d7da
Opcode Fuzzy Hash: b11fa36163a11619feefc48d1cc6601e8ecefa9a72bd5bc3aaf0b9b124af131e
Instruction Fuzzy Hash: 18315A31E002099FCB49DFA4D85469EB7F2FF89300F148929E906EB740DB71E982CB90

Function 06A13A59 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa02c4812f7a598df3ea49037a01ecc45dec0e73e833c8eacea905ae15fd79a
Instruction ID: 81d1b6a0fbbe1cee56695df3ff7dbdac722ad8b15738ed2adc530c0838593aeb
Opcode Fuzzy Hash: 4aa02c4812f7a598df3ea49037a01ecc45dec0e73e833c8eacea905ae15fd79a
Instruction Fuzzy Hash: 38219171F012159FDF50EF69E880AEEB7F5AB48710F108129E509EB351E735D9018B91

Function 06A13A68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7313b70ede390a4157e0c9bdc74eeac09a357f31c4b871abdb9a522a2c236e67
Instruction ID: 27d4d40a3131b0bc923bf8f0c9ba93d932f725772086973c6e266b1d17714048
Opcode Fuzzy Hash: 7313b70ede390a4157e0c9bdc74eeac09a357f31c4b871abdb9a522a2c236e67
Instruction Fuzzy Hash: 95218CB5F012199FDF40EF69D880AAEBBF5FB48710F108129E919EB384E731D9018B91

Function 06A19E78 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617763926e90555c4ac362066c02dc6f733bcb724dbc4478f1bf75049a4ccc51
Instruction ID: c3ca4e7d1e0ef9257d75e61328f01ca75661897bbdddd48a67ac13df9086799a
Opcode Fuzzy Hash: 617763926e90555c4ac362066c02dc6f733bcb724dbc4478f1bf75049a4ccc51
Instruction Fuzzy Hash: 9321A535B052159FDB51EB78D4606AFB7F6FB4A214F108469E40ADF380DA31DE42C791

Function 0132D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4098281631.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_132d000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d53c82dbf1b559d5f0160f4d5b059043f218e1dd47eeb48aa32014e6f520e7c
Instruction ID: 7fd122cd1f8f4ed91fb526aba2a4107ddd4afeca66ae68bb70402aa6e1fc8108
Opcode Fuzzy Hash: 7d53c82dbf1b559d5f0160f4d5b059043f218e1dd47eeb48aa32014e6f520e7c
Instruction Fuzzy Hash: 18212671504204DFDB15EF58D9C0B26BFA5FB84318F24C66DD9494B366C33AD847CA62

Function 0132D118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4098281631.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_132d000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fcb2f17789ab71a82329aff9ab6a42eba8aebba582f89aa7f919a66b082da2e
Instruction ID: 36501864b5b696a2a070487d5ad8af7ec47c70992b3ebfcc99b8b457193b8b0b
Opcode Fuzzy Hash: 1fcb2f17789ab71a82329aff9ab6a42eba8aebba582f89aa7f919a66b082da2e
Instruction Fuzzy Hash: 7E210471604244DFDB45EF58C9C0B26BFA5FB84318F30C56DD80A4BB96C336E846C661

Function 06A16890 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc7c188857350ac78723b9830c4d4ee7c0a21058eaedc720da69358db31b35a
Instruction ID: 510669dba516fbe17bf779b91bf8513af39077c334093301795a11f23b19e92f
Opcode Fuzzy Hash: 6cc7c188857350ac78723b9830c4d4ee7c0a21058eaedc720da69358db31b35a
Instruction Fuzzy Hash: E4219031B101199FDF44EB69E86069EB7B6EB84314F248429E409EF345DB30ED418B84

Function 06A13B78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093c8e19b025cb7666faf09bb1b3c5fb0f43812e18a6dc226439f8d00c5a1af4
Instruction ID: d112fc03fc8f5ad9bd0b05534ca308e2872c19d7e10202f0bc354fd2dde86301
Opcode Fuzzy Hash: 093c8e19b025cb7666faf09bb1b3c5fb0f43812e18a6dc226439f8d00c5a1af4
Instruction Fuzzy Hash: AB116135B141295FDF54AA79D814AAE73ABEFC8310F00853AD50AEB344EE25EC068B91

Function 06A1ED12 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc77385cfa04351fe4d671446ad1ad79697fd7f7248bddadc98e4dbadc686ff
Instruction ID: 1a2f36faef2a211564dcf3e9b5a75cf9ed3e6764a2a54dace319322776030493
Opcode Fuzzy Hash: afc77385cfa04351fe4d671446ad1ad79697fd7f7248bddadc98e4dbadc686ff
Instruction Fuzzy Hash: 4E01F232B005115FCB65AB7CA850B6F77EBEBCA714F14883AE50ACF341EA25DC424395

Function 06A13DB0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb4ac9006c06f22f4b710b515bb6c7700198c0632f9065135b12473c1e6cbaf
Instruction ID: c623205dfa340f4e3f10c7ac34d3d094f836bfb1204615e2982c7c710bf69fd0
Opcode Fuzzy Hash: ceb4ac9006c06f22f4b710b515bb6c7700198c0632f9065135b12473c1e6cbaf
Instruction Fuzzy Hash: 4601F131B001411FCF61AA3EA41075BB7DACBCA610F14883EE50ECF780EA22DD024395

Function 06A13B67 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84b59e0cacaab0818dc2bdcfcb082311c21cfc6f50e091f289d97058e2f30c2
Instruction ID: 3b5134b1672e1ae920e5bbff2c575caf334889b2cf181f3d5662f17e6bdfbe4d
Opcode Fuzzy Hash: a84b59e0cacaab0818dc2bdcfcb082311c21cfc6f50e091f289d97058e2f30c2
Instruction Fuzzy Hash: 0D01D435B140286BDF54AA6A9C14BEF73AF9BC8210F00403AD40AEB344EE649C0387E2

Function 06A13831 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67fc61be649ca9c5d3627ad204021ea49120bb0b42ba638915e2527ba6350920
Instruction ID: e46cdd42af0bdaf22ab467b28651d99a49456974962e66b75edce5a0769dc5ba
Opcode Fuzzy Hash: 67fc61be649ca9c5d3627ad204021ea49120bb0b42ba638915e2527ba6350920
Instruction Fuzzy Hash: D521C0B5D01219EFCB00DF9AD884ACEFBB8FB48320F10812AE518A7240C374A954CFA5

Function 0132D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4098281631.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_132d000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: ecf783b7cbcdd6d3e3c200f316909148b26adaabfa4edd85ea3916c23f32ae59
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: D311BB75504280CFDB12DF58D9C4B15BFA1FB84318F28C6AAD8494B666C33AD44ACB62

Function 0132D113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4098281631.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_132d000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction ID: d8302f4fbdaddf9ab8a5bf47aab0cfb228a906313ec1df92b10266ebbb49a52f
Opcode Fuzzy Hash: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction Fuzzy Hash: AC118B75504284CFDB06DF54D9C4B15BFA2FB84218F24C6A9D8494BA96C33AE44ACB92

Function 06A13838 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49020b394e404ce671d1b4ec082fcb499a0761ad5c37d3dd2ce3996dc66a7964
Instruction ID: 08f3267fa57b881539147aa49eccb230148c415be55c201360c798f04789f3f6
Opcode Fuzzy Hash: 49020b394e404ce671d1b4ec082fcb499a0761ad5c37d3dd2ce3996dc66a7964
Instruction Fuzzy Hash: B511D3B1D01219EFCB00DF9AD884ACEFBB4FB48320F10812AE518B7240C374A954CFA5

Function 06A13DC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96414a6c051fc4d25b4a0ae8437948dbd06bbcf9ce226ffad02a34322af3c183
Instruction ID: a9ac1750db51dda7cc5801c5c6b219cf1b9194f2aed9bb83336a03b5d32b81fb
Opcode Fuzzy Hash: 96414a6c051fc4d25b4a0ae8437948dbd06bbcf9ce226ffad02a34322af3c183
Instruction Fuzzy Hash: EA016D31B101115FDF64AA6DA45072BA3DADBCA714F248839E50ECF784EE65DD024395

Function 06A1ED20 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd28c4dc0a53e1b2da7797e79b09ec9e59b61effd8d84a80ce851a1cfaa678f1
Instruction ID: 79f3f5a91fddeed78b8b876c9a1e770922b1efe16325ba4bb2463ace532e97d1
Opcode Fuzzy Hash: cd28c4dc0a53e1b2da7797e79b09ec9e59b61effd8d84a80ce851a1cfaa678f1
Instruction Fuzzy Hash: F8013C31B104155FDB65AA6DA854B2F67DBEBC9614F148839E90ECF344EA25DC034385

Function 06A19E88 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bf5dd2925318e98840695eec72364f3bac43dae179ef3fb718b88751e021f1
Instruction ID: 54d983df9a437d3a34405cbbf2a9359f6a8036fd17f3f0e8da37d0285aa50bfb
Opcode Fuzzy Hash: 12bf5dd2925318e98840695eec72364f3bac43dae179ef3fb718b88751e021f1
Instruction Fuzzy Hash: C7018131B101155FCBA0EB6DE46472BB3D6EB8A614F108829E50ECF784EA21DD028781

Function 06A1C758 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907529bcc788f746dd8235cb7f4110f90d20c02d2c89a1ac297302186568b6b1
Instruction ID: 2b47d219e35db39e1e7f1d5e09744e96d50bbfceab72c298a4411ac5286d043e
Opcode Fuzzy Hash: 907529bcc788f746dd8235cb7f4110f90d20c02d2c89a1ac297302186568b6b1
Instruction Fuzzy Hash: 33F0A732E20224DBDB146A75EC10A9EB37AE784764F104425E902AB384D775A8008BC0

Function 06A15FE1 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa818b3d7e299ea2379730ea7d75633c4199f476cb2ad06aa32e73be13225741
Instruction ID: c59c831174972f7ba01d6fbc0d6146dd1f5621adbea1e17bf81d0c61b6ce0a83
Opcode Fuzzy Hash: fa818b3d7e299ea2379730ea7d75633c4199f476cb2ad06aa32e73be13225741
Instruction Fuzzy Hash: 89E0D871D05248ABDB10DBB4C945B8A779DDB42304F2088E5E405CF141E637C9015791

Non-executed Functions

Function 06A17218 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A1737D
$^q, xrefs: 06A17715
$^q, xrefs: 06A177A8
$^q, xrefs: 06A17389
$^q, xrefs: 06A1734C
$^q, xrefs: 06A17709
$^q, xrefs: 06A177CA
$^q, xrefs: 06A177B4
$^q, xrefs: 06A17358
$^q, xrefs: 06A177BE

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 710f75a20878e8e8c0d5e7298b5d1a20f61e109129c45f0574d6b8276a5c53fb
Instruction ID: 448a235049d84e420fb2b5af69761b0ef6c8758a5c1ecef5f0df2c8c1f384fbf
Opcode Fuzzy Hash: 710f75a20878e8e8c0d5e7298b5d1a20f61e109129c45f0574d6b8276a5c53fb
Instruction Fuzzy Hash: C712EA30E012198FDB64EF69C954A9DB7F2BF88704F2095A9D40AAF254DB30DD86CF91

Function 06A1A4A8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A1A666
$^q, xrefs: 06A1A5AA
$^q, xrefs: 06A1A65A
$^q, xrefs: 06A1A624
$^q, xrefs: 06A1A59E
$^q, xrefs: 06A1A630
$^q, xrefs: 06A1A5F9
$^q, xrefs: 06A1A605

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 0a40701b7eea197779ebd7ed464a9bfe3870da481af35f139c03a71835fd34f9
Instruction ID: 3c17ffc0131d3a41669c6e2d45b48b01d97dcd56067ade0d50be6ba142e3a38d
Opcode Fuzzy Hash: 0a40701b7eea197779ebd7ed464a9bfe3870da481af35f139c03a71835fd34f9
Instruction Fuzzy Hash: 25915B30E01209DFDB68EF69D994B6EBBB2BF84310F108529D512AF398DB349945CB90

Function 06A16C18 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A1712C
$^q, xrefs: 06A16F60
.5vq, xrefs: 06A16C73
$^q, xrefs: 06A16EFA
$^q, xrefs: 06A17120
$^q, xrefs: 06A170B4
$^q, xrefs: 06A16F54

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: c54be79f839174412219355269166f695750c3457f8762927b3c6d362d99b309
Instruction ID: 2ea9dfe2cd1d8e4cd1a04a6cef22d316e7a9636dbd11eb8fe72c195bb387d2c9
Opcode Fuzzy Hash: c54be79f839174412219355269166f695750c3457f8762927b3c6d362d99b309
Instruction Fuzzy Hash: 79F1F830A00209CFDB59EF65D594B6EB7B2BF88340F258568D4159F3A8DB31EC86CB90

Function 06A1B978 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A1BB53
$^q, xrefs: 06A1BB5F
$^q, xrefs: 06A1BB1F
$^q, xrefs: 06A1BAF7
$^q, xrefs: 06A1BB2B
$^q, xrefs: 06A1BAEB

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: bdfef2ddeaf451e3d924036dc1657a923ba4d8ec71bad3a2689d6ffde8a31730
Instruction ID: ee42e9dbd8c74f3ec76ed9e2edb754c7e0a91242a93edec2b9fbf8e50950d1d1
Opcode Fuzzy Hash: bdfef2ddeaf451e3d924036dc1657a923ba4d8ec71bad3a2689d6ffde8a31730
Instruction Fuzzy Hash: 2771BD30E042098FDB98EFA9D5906AEB7F2FF84300B108969D406DF799DB31AC45CB91

Function 06A17F50 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A181AA
$^q, xrefs: 06A1820F
$^q, xrefs: 06A181B6
$^q, xrefs: 06A1821B

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: f6a78bc9c88f6fb967be6e0b7eb6c50a8b34bb60ea39cf2605fd129142aee386
Instruction ID: 9b162a845411605fd8f99109cd2f081462a243a621f7fedb5215a794288adc7e
Opcode Fuzzy Hash: f6a78bc9c88f6fb967be6e0b7eb6c50a8b34bb60ea39cf2605fd129142aee386
Instruction Fuzzy Hash: 05B14B30A00209CFDB69EF69D5907AEB7B2BF88300F248969D4159F395DB75DC86CB90

Function 06A18368 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A183E7
$^q, xrefs: 06A183F3
LR^q, xrefs: 06A1845B
LR^q, xrefs: 06A184AA

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 20f4f8da9bcefd4a1fc273190e2008a7395151a10873be912ddd438037c1916d
Instruction ID: 666a0b9f7f43089dbdfb9c1e1701698f02f9e96cd7a3317a4602f42461ad49d6
Opcode Fuzzy Hash: 20f4f8da9bcefd4a1fc273190e2008a7395151a10873be912ddd438037c1916d
Instruction Fuzzy Hash: 0751BF31B00201CFDB58EB28D984A6AB7F6FF88704B148568E4169F3A5EB34EC45CB91

Function 06A1A828 Relevance: 5.2, Strings: 4, Instructions: 165COMMON

Download Yara Rule

Strings

$^q, xrefs: 06A1A959
$^q, xrefs: 06A1A9DB
$^q, xrefs: 06A1AA04
$^q, xrefs: 06A1A9AC

Memory Dump Source

Source File: 00000002.00000002.4116809373.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6a10000_PRE ALERT Docs_PONBOM01577.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: c6e172c190f1fbd16d66535049d7443073a64792591fbda6948690c500a4a85c
Instruction ID: bd7b05be6b79bb96025a598936a69a5b4a040eff4ee303f27b00624738eb61a4
Opcode Fuzzy Hash: c6e172c190f1fbd16d66535049d7443073a64792591fbda6948690c500a4a85c
Instruction Fuzzy Hash: AB518F30F112059FDF65EB68D990AAEB7B2EB89310F258529D50ADF345DB31DC82CB90

Analysis Process: adobe.exePID: 7444, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	237
Total number of Limit Nodes:	10

Executed Functions

Function 0149D030 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0149D0BE
GetCurrentThread.KERNEL32 ref: 0149D0FB
GetCurrentProcess.KERNEL32 ref: 0149D138
GetCurrentThreadId.KERNEL32 ref: 0149D191

Memory Dump Source

Source File: 00000003.00000002.1789241828.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1490000_adobe.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 46d145db6d2a597f4896aa55e046dcb947f24b25ef24f1b0565ecd46ddc11b98
Instruction ID: 3adb82d2c9a8e81fc905287bcf687a820b021d6b0829d79be4807a4412eccebc
Opcode Fuzzy Hash: 46d145db6d2a597f4896aa55e046dcb947f24b25ef24f1b0565ecd46ddc11b98
Instruction Fuzzy Hash: 875155B0D002498FDB14CFAAD949BDEBFF1AF48308F20C46AD059A7361D7349984CB65

Function 0149D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0149D0BE
GetCurrentThread.KERNEL32 ref: 0149D0FB
GetCurrentProcess.KERNEL32 ref: 0149D138
GetCurrentThreadId.KERNEL32 ref: 0149D191

Memory Dump Source

Source File: 00000003.00000002.1789241828.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1490000_adobe.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 613f8b93197fbfefcc648396023f3d0c9fffb41a62463c40a982157513c087d3
Instruction ID: 3638229d61d4e3a7549925d5744b201d1d32591f7b23ce65a104f04a2ea30b63
Opcode Fuzzy Hash: 613f8b93197fbfefcc648396023f3d0c9fffb41a62463c40a982157513c087d3
Instruction Fuzzy Hash: C15124B0E002498FDB14DFAAD949B9EBFF1AF48314F20C46AD459A7360D7349984CF65

Function 04EA982E Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04EA9A6E

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d0dced0d94ab1a29c12c1cecfaad6af5f01b58a754bd1eabc9ecdbc0abecfc3f
Instruction ID: d9a21c4bccbe09beed0ecb59819b50739208a4e5f72469d4e2819468db739c33
Opcode Fuzzy Hash: d0dced0d94ab1a29c12c1cecfaad6af5f01b58a754bd1eabc9ecdbc0abecfc3f
Instruction Fuzzy Hash: 46A17BB1D002199FEF10CF68C8407DEBBB2EF48314F0485A9E859AB241DB74A995CF91

Function 04EA9838 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04EA9A6E

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cbbe2edb01e82c6af9b58f843f74a0701431e96bfb840c4540fe10149de9e347
Instruction ID: e0f52516f0248c260c60f3e32138e5f9cfbe053cc5cc21975ecc338b520ff3bd
Opcode Fuzzy Hash: cbbe2edb01e82c6af9b58f843f74a0701431e96bfb840c4540fe10149de9e347
Instruction Fuzzy Hash: 42917BB1D00219DFDF20CF68C8407DEBBB2BF48314F1485AAE859AB251DB74A995CF91

Function 0149ADA8 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0149AFFE

Memory Dump Source

Source File: 00000003.00000002.1789241828.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1490000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 00fe7e52545aac243db4aa2081e20a69cbec631145180f6b43e275951e4f5395
Instruction ID: f5eee3e0686888a96c59b6b6d379596a2ef94dd0ff4105212e45aea022c4e7ea
Opcode Fuzzy Hash: 00fe7e52545aac243db4aa2081e20a69cbec631145180f6b43e275951e4f5395
Instruction Fuzzy Hash: 7D8137B0A00B058FDB24DF2AD05475ABBF1FF88214F108A2ED186D7B65D775E849CB90

Function 01495A84 Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1789241828.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1490000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffae8d982e6cb58c664f3e44515fa451b9b56f14dff6aa210866f78f3733b0f
Instruction ID: 01d53afb4c3f8bfb514ee8d38913dedbb9c7b682756987d7932687c2019a75f5
Opcode Fuzzy Hash: fffae8d982e6cb58c664f3e44515fa451b9b56f14dff6aa210866f78f3733b0f
Instruction Fuzzy Hash: 8C418C71805249CEDF12CFA8C8446AEBFB4AF46324F24808BC045AF266D779594ACF51

Function 0149590D Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014959C9

Memory Dump Source

Source File: 00000003.00000002.1789241828.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1490000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c3c637f693f0d143d52ea707dd6d3e8bb3f87f820c2f858a44e6e255ab999dd3
Instruction ID: 0b703f2558f1914cc957c9d080e4fa488565245f2a6b57d8233b08460e11326d
Opcode Fuzzy Hash: c3c637f693f0d143d52ea707dd6d3e8bb3f87f820c2f858a44e6e255ab999dd3
Instruction Fuzzy Hash: E241E1B0C00719CFDF25DFAAC884B9EBBB5BF49304F24806AD409AB265DB756945CF90

Function 014944C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014959C9

Memory Dump Source

Source File: 00000003.00000002.1789241828.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1490000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 067fde902d1bfa33c2db7a664b6113c56f1beb803f21d5aeb781163e47d59d9e
Instruction ID: 81e46427ee597a9d7c34b77f593261e8e77454d7233388a9677da95eb609d491
Opcode Fuzzy Hash: 067fde902d1bfa33c2db7a664b6113c56f1beb803f21d5aeb781163e47d59d9e
Instruction Fuzzy Hash: 9241AFB0C00719CBDB25DFAAC884B9EBBB5BF49304F24806AD409AB265DB756945CF90

Function 04EA95AA Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04EA9640

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4658d946435b38855cc7bdc174cf1bd333fc779f167e0e111029a30df744b9bf
Instruction ID: cef72d3b7bcea2890c8ca643e20a033b0b4bd859789a54b91613cdbbda35db3e
Opcode Fuzzy Hash: 4658d946435b38855cc7bdc174cf1bd333fc779f167e0e111029a30df744b9bf
Instruction Fuzzy Hash: B92148B19003599FDB10CFA9C885BDEBFF4FF88314F108829E959A7251C778A954CBA4

Function 04EA95B0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04EA9640

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d7d7ee53b2e3a3d617c0dbd9b84d78de285067da813460bfe38f99184439d85c
Instruction ID: eb2e930b04a001bbe7fa185e8b82b481cd51e86c32e6781342242dfb43ead97e
Opcode Fuzzy Hash: d7d7ee53b2e3a3d617c0dbd9b84d78de285067da813460bfe38f99184439d85c
Instruction Fuzzy Hash: 9D212AB19003599FCB10CFA9C885BDEBBF5FF88314F148829E558A7251C774A554CBA4

Function 04EA8FD8 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04EA905E

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: bc5307d2cbef8a6b93bacaff02f098893b7dd91987d0a31dacd60061c745e2d2
Instruction ID: cbe002e90fe49bc2cb2deb9d3fe873b466983f6ca48d7d1e52c2a0fd575b78ba
Opcode Fuzzy Hash: bc5307d2cbef8a6b93bacaff02f098893b7dd91987d0a31dacd60061c745e2d2
Instruction Fuzzy Hash: 562137B19002098FDB10DFAAC4857EEBFF4EF88364F10842AD559A7241D778A945CFA5

Function 04EA969A Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04EA9720

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d5a5fa6e15d81ba41e6ea08ff61e0441f326289f41633912cf5ab44467e031de
Instruction ID: 384d9a66950d96d4ac2d5ef32f2b9a0e08d17b4cdaf5bff40fd059797fd7890d
Opcode Fuzzy Hash: d5a5fa6e15d81ba41e6ea08ff61e0441f326289f41633912cf5ab44467e031de
Instruction Fuzzy Hash: 922148B18002499FCB10DFAAC885ADEFBF4FF48324F508829E558A7251C738A955CBA4

Function 04EA96A0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04EA9720

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fd1491d1c3503575948e2e52e973ccac0d7f6b437a67d19c4880141b92b2c244
Instruction ID: 42e851dfbbfd7baaca7e83640663155061cf3c38659d6ab1267b88dad8907567
Opcode Fuzzy Hash: fd1491d1c3503575948e2e52e973ccac0d7f6b437a67d19c4880141b92b2c244
Instruction Fuzzy Hash: C52139B1C003599FCB10DFAAC885ADEFBF5FF48310F108429E558A7250C774A954CBA5

Function 04EA8FE0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04EA905E

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b367829cda74ec7c0d41c2de45ad066ab2717c45bb0b2600842a962f4e256974
Instruction ID: 6334aa1c148d6ce7f019823b1d9f9a0946fa5d611f52f18f4dffddbb77c331fc
Opcode Fuzzy Hash: b367829cda74ec7c0d41c2de45ad066ab2717c45bb0b2600842a962f4e256974
Instruction Fuzzy Hash: 482149B19003098FDB10DFAAC4857EEBBF4EF48364F10C42AD559A7241C778A945CFA5

Function 0149D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149D717

Memory Dump Source

Source File: 00000003.00000002.1789241828.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1490000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fc847a5c8aacd29051a27e7bb1583b40861fa9b6e493c72e527125ea548f5d88
Instruction ID: 2fc4711c69f5cb3f165f7110a524e1dfac6320ac37635580eccee4ba4396b19b
Opcode Fuzzy Hash: fc847a5c8aacd29051a27e7bb1583b40861fa9b6e493c72e527125ea548f5d88
Instruction Fuzzy Hash: 6F21E2B5D002489FDB10CFAAD984ADEBFF8EB48320F14805AE918A3310D374A944CFA4

Function 0149D689 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149D717

Memory Dump Source

Source File: 00000003.00000002.1789241828.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1490000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1bbcfded653922c5f4f9ccc85811a59a307b1bde41e6f9a450dcd3bc30649886
Instruction ID: 4f8046723086b704c2c268e3af60694df1a6f23535e83ce1d1f0d56f457d2aa1
Opcode Fuzzy Hash: 1bbcfded653922c5f4f9ccc85811a59a307b1bde41e6f9a450dcd3bc30649886
Instruction Fuzzy Hash: B421E0B5D002589FDB10CFA9D584AEEBFF4EB48314F14845AE918A3310D374A944CFA4

Function 04EA94E8 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04EA955E

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fbb118e7de48b00a1429f1bcda913307513e76bf3701529aa1cda3570fd04bed
Instruction ID: b58aaf72678d8c25ca7936cfbdca114f52537daff66baffd7cc74fb9fc33bb22
Opcode Fuzzy Hash: fbb118e7de48b00a1429f1bcda913307513e76bf3701529aa1cda3570fd04bed
Instruction Fuzzy Hash: F31189B18002499FCB10CFAAC845BDFBFF5EF88324F208819E515A7250C735A554CFA4

Function 0149A130 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0149B079,00000800,00000000,00000000), ref: 0149B28A

Memory Dump Source

Source File: 00000003.00000002.1789241828.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1490000_adobe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: de7200f6891ec67f528587868406b8ba91686845e18e4b8813f35e842ba345d3
Instruction ID: d0b1198eca832243634f961fb7cba1cfb7fc5065784ba7f2a1f2c68224adc8ec
Opcode Fuzzy Hash: de7200f6891ec67f528587868406b8ba91686845e18e4b8813f35e842ba345d3
Instruction Fuzzy Hash: 8A1100B69002098FDB20CF9AD448A9EFFF4EB88310F10846AE519A7220C375A545CFA4

Function 0149B219 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0149B079,00000800,00000000,00000000), ref: 0149B28A

Memory Dump Source

Source File: 00000003.00000002.1789241828.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1490000_adobe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 72df0ca46d6999c6ba5e1a06a3af56abd18ec7eeee32632ee99175a0488d4045
Instruction ID: 150b96fce58cdadb0cbe23de6047816433ec3d2d8d3375291ca227c5f9ba2b03
Opcode Fuzzy Hash: 72df0ca46d6999c6ba5e1a06a3af56abd18ec7eeee32632ee99175a0488d4045
Instruction Fuzzy Hash: 222112B69002488FDB20CF9AD948ADEFFF4EB48314F14846ED559AB310C375A545CFA4

Function 04EA94F0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04EA955E

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d3aa5e3878eeccb8c78586750f78e344e6f818214f515a3a429c8916ec378fff
Instruction ID: 8aea02e25aa438bcb15c1b4eec0773625ec27a2be46967561239710b660595c8
Opcode Fuzzy Hash: d3aa5e3878eeccb8c78586750f78e344e6f818214f515a3a429c8916ec378fff
Instruction Fuzzy Hash: 561167B18002488FCB10DFAAC845BDFBFF5EF88324F108819E519A7250C735A554CFA0

Function 04EA8F28 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04EA8F92

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 110781db3b6ab92518eaa04b5d2cbea5a2ad22312c83ba6d020d6465dbe6ba52
Instruction ID: 47856324f545036a64ce6a6e5d102a852b2567876264f7ed41c23ab3e3be5ff5
Opcode Fuzzy Hash: 110781db3b6ab92518eaa04b5d2cbea5a2ad22312c83ba6d020d6465dbe6ba52
Instruction Fuzzy Hash: 281185B18002498FDB20DFAAC4457DEFFF5EF98324F208429D119A7240CB38A944CBA4

Function 04EA8F30 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04EA8F92

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6d3cc55830e4a75cfa9b219042c24d4109af716e0b8bfe02865b12e5ed9e0e22
Instruction ID: 27cf78669710b67e570c8ff88e0ad2a6e3fba6ead0107a40ba2da305cce05eb7
Opcode Fuzzy Hash: 6d3cc55830e4a75cfa9b219042c24d4109af716e0b8bfe02865b12e5ed9e0e22
Instruction Fuzzy Hash: DE1166B19002498FCB20DFAAC4457DEFBF5EF88324F208429D519A7240CB74A944CFA4

Function 04EAD810 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04EAD870

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6cbbd4513ce051fbcdb6e1d99a8af24f888b878fc8fd24a7e187cea2243a4329
Instruction ID: 99267196f4c0b024902a8584d237cb87d45da5af60f5986edce9434455aaaad2
Opcode Fuzzy Hash: 6cbbd4513ce051fbcdb6e1d99a8af24f888b878fc8fd24a7e187cea2243a4329
Instruction Fuzzy Hash: 381133B1800249CFDB20DF99C449BDEBBF4EB48324F10846AD568A7750D738A684CFA5

Function 04EABAF8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04EABB5D

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 03f96d8e256171a56d6731d156518dd9e384d3f5e7e550a25f667a4e6f55bb03
Instruction ID: 4a1d53191d8f0a79307d65d19a3f0d3b42d81fa727be7dd22d7c3c8c75e677ac
Opcode Fuzzy Hash: 03f96d8e256171a56d6731d156518dd9e384d3f5e7e550a25f667a4e6f55bb03
Instruction Fuzzy Hash: CD11F2B58003489FDB10DF9AC885BDEFFF8EB49324F10845AE559A7250C375A688CFA5

Function 0149AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0149AFFE

Memory Dump Source

Source File: 00000003.00000002.1789241828.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1490000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8421f3c93629e761bc727932ff53795548e59efb1c6770b700dea32b201d4c5b
Instruction ID: 8a944957ea2ab5f7e9cbadbc8685cb950b21407f0aaab94c867b77ea5c0f4279
Opcode Fuzzy Hash: 8421f3c93629e761bc727932ff53795548e59efb1c6770b700dea32b201d4c5b
Instruction Fuzzy Hash: CA1110B6C002498FDB20CF9AD444ADEFFF4EB88324F10842AD528A7310D375A545CFA1

Function 04EA7E18 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04EABB5D

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e85d92860589de2ff55520778f2ab77ebb7c8dcdcfbe9bfa3a6f0bcbf4e3692c
Instruction ID: b7f89843fc3187cd503ac470b0d4b6aa72c0a2606bda8b4def7611ff03b946ad
Opcode Fuzzy Hash: e85d92860589de2ff55520778f2ab77ebb7c8dcdcfbe9bfa3a6f0bcbf4e3692c
Instruction Fuzzy Hash: A711F5B5800348DFDB10DF99C445BDEBBF8EB48314F108459E559A7201D375B954CFA5

Function 04EAD818 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04EAD870

Memory Dump Source

Source File: 00000003.00000002.1793424398.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4ea0000_adobe.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 1a45633a97684174b37428fb5e387a054326a7b2a1784d72866dc92462485921
Instruction ID: b37e73887cceab35cec1c30e7258f27155cf4b2df147e132de973c80eba64aab
Opcode Fuzzy Hash: 1a45633a97684174b37428fb5e387a054326a7b2a1784d72866dc92462485921
Instruction Fuzzy Hash: B21115B5800349CFDB20DF9AC545BDEBBF4EB48324F10846AD558A7750D738A544CFA5

Function 0111D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1787568577.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_111d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d917aa71860c33ea6d6d0c7a9528ed326b40d5823e5399dd42fe6b9c6d414dc
Instruction ID: 9f8b1801dbc7bb1732550f60486e96ffd89bae4e5737f607a0f682b48c588120
Opcode Fuzzy Hash: 5d917aa71860c33ea6d6d0c7a9528ed326b40d5823e5399dd42fe6b9c6d414dc
Instruction Fuzzy Hash: A0212471140200DFDF09DF48E9C8B56FF65FB88314F20C179E9090BA5AC336E446C6A2

Function 0111D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1787568577.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_111d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3baddf223a71e64185cb28c485d589a6906d765cbc637b3af5cb76ec603681f
Instruction ID: f156c4bd820f068a1bb14d60db79693935fe4d55e5e9aa1d32a30c92129a5a8a
Opcode Fuzzy Hash: a3baddf223a71e64185cb28c485d589a6906d765cbc637b3af5cb76ec603681f
Instruction Fuzzy Hash: 3121FF71500240DFDF09DF58E9C8B2AFFB5FB88318F20C579E9094A25AC336D456CAA2

Function 0112D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1787648279.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_112d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b599545cd4a787f857532e5d2388bfdb5caf0da5cf3bfc94eaa54a02d18fddfc
Instruction ID: 8b2ec79ee4e7225645912bd3409063eedc246009ffd385e72d4695f9453ba285
Opcode Fuzzy Hash: b599545cd4a787f857532e5d2388bfdb5caf0da5cf3bfc94eaa54a02d18fddfc
Instruction Fuzzy Hash: 7C212671504200EFDF09DF98E9C4B26BBA5FB85324F20C66DE9094B256C336D466CA62

Function 0112D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1787648279.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_112d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187623f4c8564f8c7102393d0e00f1cead3d15d7db3b8c0c3d18b1567f0ba7a7
Instruction ID: fd7b288ab1d91738504de3cf9598dc586175c9e656378a01af20d3c1e546995c
Opcode Fuzzy Hash: 187623f4c8564f8c7102393d0e00f1cead3d15d7db3b8c0c3d18b1567f0ba7a7
Instruction Fuzzy Hash: F9212271604240DFCF19DF58E984B26BFA5EB84314F20C56DD90A4B2A6C33AD467CA66

Function 0112D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1787648279.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_112d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9047bda74e314c9ab0ff69d28973de17d0cefb9a81c82d4bd7df43cd6f150218
Instruction ID: 2a4fd6fa5e4e8afcbbc0624264557ee546fb4f5a8974df914ac71679d0cd69cd
Opcode Fuzzy Hash: 9047bda74e314c9ab0ff69d28973de17d0cefb9a81c82d4bd7df43cd6f150218
Instruction Fuzzy Hash: 9F2192755083809FCB07CF64D994715BF71EF46214F28C5DAD8498F2A7C33A981ACB62

Function 0111D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1787568577.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_111d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 7bcf6bf1eb8d25c227950939532b585f0b99e93b61dd7069cf9ca0e9f6d1bb91
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 8C11CD72444240CFDF16CF44D5C4B56BF61FB94224F24C6A9D9090AA5AC33AE45ACBA2

Function 0111D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1787568577.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_111d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 4624a3e11074433164d26a6e683afedcc83c1dc1296f51d5a73fcd97fbb42c35
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: FD119D76504280CFDF16CF54E5C4B16BF71FB84218F24C6A9D9490B65AC336D45ACBA2

Function 0112D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1787648279.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_112d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 723a178fc2b5708d3809242ad7b7870cd4c6684d0ae46f9891e498334b99251c
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4711BB75504280DFDB0ACF54D5C4B15BFA1FB85224F24C6AAD8494B296C33AD41ACB62

Function 0111D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1787568577.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_111d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730c34051fb0cbee9e4d1ec7812709f9a8524e8426f3a08e80e737fd13972846
Instruction ID: d9f2ab93e7d50ab86eb8d4063d1e3196153bc9eb37d83c3204916ceb4085f6fc
Opcode Fuzzy Hash: 730c34051fb0cbee9e4d1ec7812709f9a8524e8426f3a08e80e737fd13972846
Instruction Fuzzy Hash: F20120710087809AEB194A59ED88767FFD8DF41328F18C439ED084A25AC379D440C6B2

Function 0111D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1787568577.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_111d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bdb665f1e8a8857c25e7c04a39f3dc26e94db9bd98f2c148d1fb050454f44c
Instruction ID: f524ee80806ed39f9b5fe7ce24b7a396a10a7a8e8cab74c5d77a47577e62122b
Opcode Fuzzy Hash: d5bdb665f1e8a8857c25e7c04a39f3dc26e94db9bd98f2c148d1fb050454f44c
Instruction Fuzzy Hash: 43F09C714047449EEB158A1ADCC8762FFA8EF51734F18C45AED084F396C3799844CBB1

Analysis Process: adobe.exePID: 7484, Parent PID: 7444COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	170
Total number of Limit Nodes:	19

Executed Functions

Function 06893418 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06893B4C
$^q, xrefs: 06893B23
$^q, xrefs: 06893B17
$^q, xrefs: 06893B40
$^q, xrefs: 06893B70
$^q, xrefs: 06893B64

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 635f7d038e3541626b0d10c0ea97fbefbf5e7b5a6d62f10dfe7b638493013dcd
Instruction ID: 75fc5610d1765d890e596a6d18211a97fd56abdb37bb3b7fa09b3bd5de19afd4
Opcode Fuzzy Hash: 635f7d038e3541626b0d10c0ea97fbefbf5e7b5a6d62f10dfe7b638493013dcd
Instruction Fuzzy Hash: 37321E31E1061ACFCF54EF79C89459DB7B6FF89300F14C6A9D449AB224EB30A985CB91

Function 06897CF8 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06898035
$^q, xrefs: 06898041

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 324b3ae4a5f3c6bf19ea01a2ed174cd54d2b831192fdbb32ee1aea9a44f9ec1e
Instruction ID: e1482109ca642a057821b9aee3e37456a8c975d3e39ee3670cf61dab39a85073
Opcode Fuzzy Hash: 324b3ae4a5f3c6bf19ea01a2ed174cd54d2b831192fdbb32ee1aea9a44f9ec1e
Instruction Fuzzy Hash: 1A029E30B1021A8FDF54DB65D9806AEB7E2FF85304F188929E509DB395EB31EC46CB91

Function 06892743 Relevance: 1.0, Instructions: 1002COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232167f44ce3d759b075e001a334f0c6d37484be1dddeea67a62443b97d5fa42
Instruction ID: 11efa5268b81ea94247b8c6e8e7b33ac55ee746cc3d38e95979e712fbd2b7647
Opcode Fuzzy Hash: 232167f44ce3d759b075e001a334f0c6d37484be1dddeea67a62443b97d5fa42
Instruction Fuzzy Hash: 91929734E002049FDFA4CB68C594A5DB7F2FB48314F5884A9D549EB361DB35ED85CBA0

Function 06896560 Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992ec84a0751756f0fb0e4d22585858620d203db81b0d42048bf5cdc1d223b00
Instruction ID: 96fc2755373e597b53bc79198fbaa37e8e4d9993656e1333188f28113d078d9e
Opcode Fuzzy Hash: 992ec84a0751756f0fb0e4d22585858620d203db81b0d42048bf5cdc1d223b00
Instruction Fuzzy Hash: 3F62D130B002159FEF54DB68D594AADB7F2EF88314F188429E505EB354EB35EC86CBA1

Function 0689C0F8 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e74deb82beb8868402d81445402ccd54150c84a0f988aebb3c6771f9048d70e
Instruction ID: d4619fcf89593d77f4e2e72a765f87d3ea0470a586c44e0ef786dab19ad457af
Opcode Fuzzy Hash: 0e74deb82beb8868402d81445402ccd54150c84a0f988aebb3c6771f9048d70e
Instruction Fuzzy Hash: 5132B234B002198FDF54DB68D990BAEB7B2FB88310F248529E505EB355DB35EC46CBA1

Function 06895550 Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f51bf335aecadae1681fcddf1ab67864f7760fe33bb5884f174c64a47ee7b58
Instruction ID: d3f8864450840bdca7540e7c1be4a9f9850a858a893848db1b7e086abe8a8941
Opcode Fuzzy Hash: 3f51bf335aecadae1681fcddf1ab67864f7760fe33bb5884f174c64a47ee7b58
Instruction Fuzzy Hash: 8E12F331F002059FDF669F64D8907AEB7B2EB85310F188829DA4ADB345DB34DD45CBA2

Function 0689B198 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70cbc3dae461a3a0724e08a45b041e5230b447c7c0f6e589207232830488d0f
Instruction ID: f1ab5efb8ed8d39def4c539bfe1d7a6477d5db995ea3e91d2d95d8be02b42ac0
Opcode Fuzzy Hash: c70cbc3dae461a3a0724e08a45b041e5230b447c7c0f6e589207232830488d0f
Instruction Fuzzy Hash: BA227530E102099FDF64DBA8E5807AFB7B2FB89310F288925E555E7351D635DC81CB61

Function 0689AC40 Relevance: 10.4, Strings: 8, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0689ADC0
$^q, xrefs: 0689AD61
$^q, xrefs: 0689ADB4
$^q, xrefs: 0689AE18
$^q, xrefs: 0689AD6D
$^q, xrefs: 0689ADE3
$^q, xrefs: 0689AE0C
$^q, xrefs: 0689ADEF

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: c151a30e836dd7e8a2b2b8cacd906bedbc39123ec8085df16e92e23b829db707
Instruction ID: 0dcf55477c15760e5881043c065a032d85cc1644ecb08c8f69a211c73920769e
Opcode Fuzzy Hash: c151a30e836dd7e8a2b2b8cacd906bedbc39123ec8085df16e92e23b829db707
Instruction Fuzzy Hash: 80E16D30E0020A8FDF69DF69D9906AEB7B2FF85304F248529D505DB354DB71E846CB91

Function 0689B5C0 Relevance: 8.0, Strings: 6, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0689BB1F
$^q, xrefs: 0689BB53
$^q, xrefs: 0689BB5F
$^q, xrefs: 0689BAF7
$^q, xrefs: 0689BB2B
$^q, xrefs: 0689BAEB

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 9d72f83646baa95518afa7238d7ea7ab3294ac8b65ea8c4205617681312faec4
Instruction ID: c23a25a10959482640a2ea594e54c1e67d94daf2c5d2902d43ea5f0fbc5d52bd
Opcode Fuzzy Hash: 9d72f83646baa95518afa7238d7ea7ab3294ac8b65ea8c4205617681312faec4
Instruction Fuzzy Hash: 1F029F30E0020A8FDF64DF68E5806AEB7B2FB85314F18892AD515DB355DB71EC85CBA1

Function 068990C8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06899156
$^q, xrefs: 0689910F
$^q, xrefs: 0689911B
$^q, xrefs: 0689914A

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 92edf2346cc1fdee32fe96f0928b447a46c133e833a0de72cacc87278cd2257a
Instruction ID: ea4ef823d468cb23873e5a70ca38201a7a18813c1e1f1d191a596d0c8413297c
Opcode Fuzzy Hash: 92edf2346cc1fdee32fe96f0928b447a46c133e833a0de72cacc87278cd2257a
Instruction Fuzzy Hash: 94916E30B0061A9FDF54DF65D9507AEB3F6BFC9204F188569D509EB388EB70AC428B91

Function 0689CEC8 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0689D2D3
$^q, xrefs: 0689D2BF
$^q, xrefs: 0689D2C7

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: db38b267a26316bfef29ba24f5004df9caea5bd065e66c278c379c7874788956
Instruction ID: d218def47866d5b68f81885f0effb1522300011a60559cc6e2b6f1485d9c7468
Opcode Fuzzy Hash: db38b267a26316bfef29ba24f5004df9caea5bd065e66c278c379c7874788956
Instruction Fuzzy Hash: 24626E34A0061A8FCF15EB69D580A5EB7B2FF84304B248A28D009DF359DB75ED4ACB95

Function 06894B18 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06894C45
\Ocq, xrefs: 06894CCF
fcq, xrefs: 06895225

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: e127055d3049608758b61c9a30cf553941b968bd4d467ee8809aeceb1c0bfc13
Instruction ID: 3daad62d7803315cac37efb35be3a90271647867c09a126d3655602526714d71
Opcode Fuzzy Hash: e127055d3049608758b61c9a30cf553941b968bd4d467ee8809aeceb1c0bfc13
Instruction Fuzzy Hash: 6B619F30F002199FEF549FA5C855BAEBAF2FF88300F248529E105EB395DB758D458B91

Function 0689A318 Relevance: 2.7, Strings: 2, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X!@, xrefs: 0689A38B
x!@, xrefs: 0689A3AC

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: X!@$x!@
API String ID: 0-2527372166
Opcode ID: b9fac1dd339139f9489085dc11c5963aa5b4b48e2e12bd0ec7f6718124e10aeb
Instruction ID: 579246dbcaa6b80f8326699f26e8cd8cacbbdc46dcc0577e97698e2203fbdcfc
Opcode Fuzzy Hash: b9fac1dd339139f9489085dc11c5963aa5b4b48e2e12bd0ec7f6718124e10aeb
Instruction Fuzzy Hash: F581A131F001199FDF94DBA9E8906ADB7B2FB88314F148929E50AE7354DB31ED468B90

Function 068990BB Relevance: 2.7, Strings: 2, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0689910F
$^q, xrefs: 0689914A

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 2fe193979fcfd4382f14e0989c84ad2f8e7f122f3542bd39baf37238596889fe
Instruction ID: 020023c5fe51d680a9e5b223eab7ff7d9763624258350a3b460e5bddcf25ad38
Opcode Fuzzy Hash: 2fe193979fcfd4382f14e0989c84ad2f8e7f122f3542bd39baf37238596889fe
Instruction Fuzzy Hash: BB516230B006169FDF54DB75D990BAE73F6EBC9244F148529D509DB388EA70EC42CB91

Function 06882E0D Relevance: 1.7, APIs: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191c788767cd63f4357009a60a131ed115507d1abceb489cad9d1da6b75f2653
Instruction ID: aef357f9f6700ec0e29ae48b343bebab2fedd776146fa334ca2c2fd6f29f08f4
Opcode Fuzzy Hash: 191c788767cd63f4357009a60a131ed115507d1abceb489cad9d1da6b75f2653
Instruction Fuzzy Hash: C151F1B1C00209AFDF11DFA9D884ADEBFB1FF48310F14812AE818AB261D7719951CF95

Function 0106ED30 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1873358702.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1060000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9873966f0d41d5edff851da1dd617de04756b07b8c4c9dff56962d60cb2faa8a
Instruction ID: 7538df6e8d655a23597641817b3cb0a78a27d53628b6f2404726272c3e5bfa78
Opcode Fuzzy Hash: 9873966f0d41d5edff851da1dd617de04756b07b8c4c9dff56962d60cb2faa8a
Instruction Fuzzy Hash: 0B412371D043868FCB14DF79C80429EBFF4AF8A310F1486AAD448A7292DB749844CBD1

Function 06882E58 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06882F6A

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: dcc55a249d65a3022ba696f84a1ce522b81c807d5c4d8e697d62d9e738411cb3
Instruction ID: 6f646909b60105aa6d8d3c65bb2627733a0bce62c22392ecdcad70abf9e5c6ec
Opcode Fuzzy Hash: dcc55a249d65a3022ba696f84a1ce522b81c807d5c4d8e697d62d9e738411cb3
Instruction Fuzzy Hash: B441CFB1D00309DFDB14DFAAC884ADEBBB5FF48310F24852AE819AB211D7749985CF94

Function 06886694 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 068879E9

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f3d6aa3ee416c8a17f80d0c1628d139bd5902af012bdb2e3fd7210d839583f45
Instruction ID: f1b5f87cf299e6c37d1177304863c17d4b7b4e8af710395838ce0a57f9600971
Opcode Fuzzy Hash: f3d6aa3ee416c8a17f80d0c1628d139bd5902af012bdb2e3fd7210d839583f45
Instruction Fuzzy Hash: 274126B5900309CFDB54DF99C888AAEBBF5FF88314F248459D519AB321D774A941CFA0

Function 0688866C Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06888700

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 8f99255b80b4921be328371b1f2f78b57b048fca895e953014c4eaa5f709cf53
Instruction ID: c2a1e61768bd052fcba4d7864623511cadf4f3c3ab1c35f060124151d42b3ce7
Opcode Fuzzy Hash: 8f99255b80b4921be328371b1f2f78b57b048fca895e953014c4eaa5f709cf53
Instruction Fuzzy Hash: 283102B4E01249DFDB10EFA9C984BCDBBF5AF48304F248069E408AB394DBB45945CF95

Function 068880A8 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06888700

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 96321b0395214753a57f92d82fe6345ea763e209fced008092eb0837b36ebd92
Instruction ID: b972e5ab3ef98108a0b43e15cba10a81c397f9ee423fef99d0f00249b6c4f8dc
Opcode Fuzzy Hash: 96321b0395214753a57f92d82fe6345ea763e209fced008092eb0837b36ebd92
Instruction Fuzzy Hash: AE3120B0E01208DFDB10EFA9C984BDEBBF4AF48304F608019E508BB290D7B4A945CF95

Function 06886A90 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06886B1F

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ad1a0c2cd53ffeabaca9f31324faa9f579158ee42bec16c43e4bc28519a04379
Instruction ID: 914eca1f7ce1b3e4bc9a539abbff50ced40825b55791503c8529cb27573c2840
Opcode Fuzzy Hash: ad1a0c2cd53ffeabaca9f31324faa9f579158ee42bec16c43e4bc28519a04379
Instruction Fuzzy Hash: A321E6B5900249AFDB10CFAAD984ADEBFF8FB48310F14841AE958A3311D374A944CFA5

Function 0688A2C0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0688A343

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 03a050b61fec1f8495a1a28a98cc3d3518ec5c1c56b74df9d74ca3bcacbd8621
Instruction ID: fa4c16789711b2dabc3ea7544b2d41400bb0eb3a619fd48f6cf7a175d467d8b2
Opcode Fuzzy Hash: 03a050b61fec1f8495a1a28a98cc3d3518ec5c1c56b74df9d74ca3bcacbd8621
Instruction Fuzzy Hash: FB2135B1D04209DFCB14DF9AC844BEEFBF5AB88320F14842AE459A7290C775A944CFA5

Function 06886A98 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06886B1F

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8abdc26a298c8c2374065410ac63784c9dc38ae3b7257a914a2b5e131bc49661
Instruction ID: 7bddf376e589aa4dadb941f7087a2e22b384f6a2d95338b8b1d08936ebea1572
Opcode Fuzzy Hash: 8abdc26a298c8c2374065410ac63784c9dc38ae3b7257a914a2b5e131bc49661
Instruction Fuzzy Hash: 3E21E2B59002099FDB10CFAAD984ADEBFF8FB48320F14841AE918A3311D374A944CFA4

Function 0688A2C8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0688A343

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 217ca11626ddb6c1240ca9226dc1c3bd70386122b52310b09694771c1f80d2f7
Instruction ID: 284c894896b7016b03de7887cc18dad5204462a298815781c4d0eb1d69ec85f7
Opcode Fuzzy Hash: 217ca11626ddb6c1240ca9226dc1c3bd70386122b52310b09694771c1f80d2f7
Instruction Fuzzy Hash: F12124B1D002098FCB54DF9AC844BEEFBF5FB88320F14842AE458A7290C775A944CFA5

Function 0106EE18 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0106EE7F

Memory Dump Source

Source File: 00000004.00000002.1873358702.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1060000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 11615c8800acef10f222178b3f04806196f0d6db21fad05231653f48ef106728
Instruction ID: 464dd64e1fd1477c66e80e9c87a8faf7b7bfb55001da758f85fa349d9d6b6b9a
Opcode Fuzzy Hash: 11615c8800acef10f222178b3f04806196f0d6db21fad05231653f48ef106728
Instruction Fuzzy Hash: 1511E2B1C006599BCB10DF9AC544BDEFBF4AF48320F15816AD858A7251D378A944CFA5

Function 0688039C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06881E16

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 704a709143cd784bf676f9ef61ac0fbb294ce8de12ff8a70623304ef22729060
Instruction ID: 27f8b066d582f959f99387bdb630622428a10bfaf52cf9d78e930c52c61184b9
Opcode Fuzzy Hash: 704a709143cd784bf676f9ef61ac0fbb294ce8de12ff8a70623304ef22729060
Instruction Fuzzy Hash: 9411F0B6D002498FCB10DF9AC448BDEFBF4EF48214F10842AD969B7611C775A545CFA5

Function 06881DAB Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06881E16

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f50d560af4bd814dfbdec28cfeb4106d8d662abe32bb8a8914802fe66ccbfaf7
Instruction ID: 06fc4a19ad2db6a90d13c728d079c4fd4b4c1d8667b4c03f19c8a120dcc3d89b
Opcode Fuzzy Hash: f50d560af4bd814dfbdec28cfeb4106d8d662abe32bb8a8914802fe66ccbfaf7
Instruction Fuzzy Hash: A31102B6C002498FCB14DF9AD848ADEFBF4EF48210F10842AD569B7610C775A545CFA5

Function 068866EC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06887C35), ref: 06887CBF

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 10e12ae883c0459252f624560bd0dcd6c50a6a64d78419701a144552f521201f
Instruction ID: 07e31dce9c28bb5f0e433a611c1c151c46e0dee60e27237c0a2461ef3b387324
Opcode Fuzzy Hash: 10e12ae883c0459252f624560bd0dcd6c50a6a64d78419701a144552f521201f
Instruction Fuzzy Hash: 091133B1800248CFCB60DF9AD488BDEBBF4EB48324F20842AD559A7341C374A944CFA8

Function 06886834 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06888585

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 33a32a187b8b858b0fe146715bc0e87bcd8dd25362c23dddf146c6bd24b04d87
Instruction ID: 9daa1d2685b4ca762611eaf43e729dab6c65f854c5ce31170663d931532bce29
Opcode Fuzzy Hash: 33a32a187b8b858b0fe146715bc0e87bcd8dd25362c23dddf146c6bd24b04d87
Instruction Fuzzy Hash: EE1112B1900359CFDB20DF9AD848BDEBBF4EB48324F20845AE519A7611D378A944CFA5

Function 06887C58 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06887C35), ref: 06887CBF

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b715498edd2337c0306c511e1b6438dd09102fa9df3d8937c0bfb71bc675b878
Instruction ID: ef2646171cb9c206afcf03fbd72230dd3cc6ac24f41adebadd821bac121d3f0b
Opcode Fuzzy Hash: b715498edd2337c0306c511e1b6438dd09102fa9df3d8937c0bfb71bc675b878
Instruction Fuzzy Hash: 3211F2B58002498FCB20DF9AD848BDEBFF4EB88324F20841AD559A7651C774A544CFA5

Function 06888529 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06888585

Memory Dump Source

Source File: 00000004.00000002.1886385559.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6880000_adobe.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 17c3ad17d7f1c36fe0f09010d860e923aa3710ea29c3761571121966c41ab6e0
Instruction ID: f2c9094d2203f1ea993929d81cba2b367e58218868af2deaf92e757262f844e5
Opcode Fuzzy Hash: 17c3ad17d7f1c36fe0f09010d860e923aa3710ea29c3761571121966c41ab6e0
Instruction Fuzzy Hash: B51145B58003498FCB20DFAAD448BCEFFF8EB48320F14845AD559A7211C374A584CFA5

Function 06894B09 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

XPcq, xrefs: 06894C45

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: d5fb009072e9d695ef9452553280e1785433e7807cc2f1c340b8a44df5e9d117
Instruction ID: b8d5e5059dce945bc090c069ec6dc6725b93d5ff606d523617d3d453ccc6be6e
Opcode Fuzzy Hash: d5fb009072e9d695ef9452553280e1785433e7807cc2f1c340b8a44df5e9d117
Instruction Fuzzy Hash: AA417D30F002099FEB459FA5C854B9EBBF7BF88700F208529E105EB395DB748D459B91

Function 0689DA3D Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0689DB99

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 5748b721b7cb9fd407f0acd62be1d8aee0808bcd5502f13c6b39f1abf8d58847
Instruction ID: d7488c622dd6bea5a469847ae9810f7c1dbee642a42594bb08ce7d4b4c9eb88f
Opcode Fuzzy Hash: 5748b721b7cb9fd407f0acd62be1d8aee0808bcd5502f13c6b39f1abf8d58847
Instruction Fuzzy Hash: DD41F130E00B4A8FDF50CFA5C89469EBBB2BF85304F284529E505EB340EB74D986CB91

Function 068921B5 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06892303

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 22fdadc7f14886669e1ed7daa5e5cc2488b790d07a69f5b41f730721a62bedce
Instruction ID: cdd1868833910406ff94f310e810fb80454765f1e243d10808fcb4751e98c0d9
Opcode Fuzzy Hash: 22fdadc7f14886669e1ed7daa5e5cc2488b790d07a69f5b41f730721a62bedce
Instruction Fuzzy Hash: B1312330B102019FDF499BB0C56876EBBE2AF89204F18852CD406DB391DF35DE46CBA1

Function 068921C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06892303

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 04d461a67e1db724960b2668fafe907f4c46693c41e95ac1b8b249158bfa6c03
Instruction ID: 958c968d4d15ee01f7cbb70f7ddb147d4594bb6189b1fe2905e057f30b4a00e6
Opcode Fuzzy Hash: 04d461a67e1db724960b2668fafe907f4c46693c41e95ac1b8b249158bfa6c03
Instruction Fuzzy Hash: 0F312230B102059FCF58ABB4C96466EBBE3AF89300F148528D106DB395DF35DE46CBA1

Function 0689FEE9 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

|, xrefs: 0689FF48

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 337ec80d07a9df18d5d573cb909d7882be38827a7b2e6f43080d0b67f40361cd
Instruction ID: 33c9019169f08d17e94dbcf7a99d87c444e8bce67b2fc66a96ba7202d8832658
Opcode Fuzzy Hash: 337ec80d07a9df18d5d573cb909d7882be38827a7b2e6f43080d0b67f40361cd
Instruction Fuzzy Hash: 60116D75F002159FDB549F78C815B9E7BF1AF48704F1084AAEA4ADB391EB759900CB81

Function 0689FEF8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 0689FF48

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: b1fed89aebc2b9f5e42ba7e0d3d54f3ff4a5e9f93e7722caea24dce389da38b5
Instruction ID: f73ed6690a29c93dd38baf51671307b4b9f5b5a838ae88d3e8e9677ab5d89399
Opcode Fuzzy Hash: b1fed89aebc2b9f5e42ba7e0d3d54f3ff4a5e9f93e7722caea24dce389da38b5
Instruction Fuzzy Hash: 88116D74B002249FDB84DF78C804B6E7BF5AF4C704F108469E60AEB3A0EB759901CB95

Function 06896158 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ad9f38fde859e526ff476032febd2a09a52fdb93f771e0751b2d8518e0aa03
Instruction ID: 86852bc3aebcbd9a93ea97a8b5752cacfad3c18b49b7bd9f4a5e3244b9628595
Opcode Fuzzy Hash: c8ad9f38fde859e526ff476032febd2a09a52fdb93f771e0751b2d8518e0aa03
Instruction Fuzzy Hash: 0E61F171F000214FDF149A7EC88466FBAD7AFC5220B19443AE80EDB325EE66DD4287D2

Function 06894253 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a8d74685042b01e21cfada89053e03a756458a599ba27fcec9892b11cbbb7d
Instruction ID: 9924fb2b0f7ab79232db887110b42f011fa2971d0c4f3d2db97d405e438580f1
Opcode Fuzzy Hash: 38a8d74685042b01e21cfada89053e03a756458a599ba27fcec9892b11cbbb7d
Instruction Fuzzy Hash: 09815B30B1060A8FDF54DFB9D8546AEB7F2AF89304F148529D50ADB394EB34EC468B91

Function 0689456C Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea9d4c4ee517006c2afdc01792c8041e89ca7bcf2f4bd7517cd0b9a65b1e6b9
Instruction ID: 7b31844362c1f458ee8a6ef3957de2c515059a68ffc08ab74196ec80edbfb754
Opcode Fuzzy Hash: 2ea9d4c4ee517006c2afdc01792c8041e89ca7bcf2f4bd7517cd0b9a65b1e6b9
Instruction Fuzzy Hash: BF913E30E102198FDF64DF68C890B9DB7B1FF89304F208599D549EB255EB70AA86CB91

Function 06894580 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d01beef81452019da60b37e5bf58cf77633e94df3a9aaeecfbd2e2a190fef48
Instruction ID: fb645b87d7b8531a981bebb730fa1428bb39275caed5509d48a5dda1d69ab941
Opcode Fuzzy Hash: 3d01beef81452019da60b37e5bf58cf77633e94df3a9aaeecfbd2e2a190fef48
Instruction Fuzzy Hash: 90913E34E102198BDF60DF68C880B9DB7B1FF89304F208599D549FB255EB70AA86CF91

Function 0689EE98 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc46db9b55631fd0576ce4e6abdbe2efe5956de2bf53efd4aa3ab09aa1866cf
Instruction ID: 7481fd8e52fc14d2440297f111e8b63f451abf770c01a5712722b288fefa71d2
Opcode Fuzzy Hash: 9dc46db9b55631fd0576ce4e6abdbe2efe5956de2bf53efd4aa3ab09aa1866cf
Instruction Fuzzy Hash: 88714B30E002099FDB58DBA9D984AADBBF6FF88304F188529E145EB355DB30E946CB50

Function 0689EEA8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d2b1ae0663ff1ae317447a7a526bd4e9bca3a88ddd7d7e0b0be479a5066ad6
Instruction ID: 2b89b1bbbf5b6d024d57cdbf7a48714186d2219a3ceaa180513304e604bba30c
Opcode Fuzzy Hash: e9d2b1ae0663ff1ae317447a7a526bd4e9bca3a88ddd7d7e0b0be479a5066ad6
Instruction Fuzzy Hash: B1713C30A001099FDB58DFA9D980AAEBBF6FF88304F188529E105EB355DB70ED46CB51

Function 0689FB27 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e7f998e35473aa6499db21e47ae2e49adc8959e999bb7464f6e4c187e9e31b
Instruction ID: c7932367c136b5b50b1ea45ecaeb52f23a98fa25ff4db3c5ae0899195cd1f491
Opcode Fuzzy Hash: 47e7f998e35473aa6499db21e47ae2e49adc8959e999bb7464f6e4c187e9e31b
Instruction Fuzzy Hash: F451C131E00109CFDF58AF78E8946ADBBB2EF85315F248869E30ADB351DB358945CB91

Function 0689F8D9 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4064bc41cdb65343ac17a3db166c997976b1be8a6fdf2aac120a29e8f51261b
Instruction ID: 855e90954ee1f10ba893017b23d974ee4837092f19f0b9b8d9ac5ea6f3600d36
Opcode Fuzzy Hash: f4064bc41cdb65343ac17a3db166c997976b1be8a6fdf2aac120a29e8f51261b
Instruction Fuzzy Hash: 8A51ED34F102149FEF689A6CD95476F365BD78D310F24492AF30EE7399CA29CC4647A2

Function 0689F8E8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eeb63f76f2b8184020c64dca9e36c75ce28028a055093846791ea99f9e2b39f
Instruction ID: b5a89969c3fed5a9bc140479424d95e42555bfad63c487974cfff45902500e35
Opcode Fuzzy Hash: 6eeb63f76f2b8184020c64dca9e36c75ce28028a055093846791ea99f9e2b39f
Instruction Fuzzy Hash: E251DA34B102149FEF68566DD95472F255FD78D350F24492AF30EE3399CA29CC4647A2

Function 068953C0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57c99087750a90dd7d4a3ade36bafff0e1da85a57310eecd664ef3b55c41785
Instruction ID: 2fcdae8f76e014d747412f9764d8ad1e733a4cf028c42f7f43f42c32dc4a537f
Opcode Fuzzy Hash: f57c99087750a90dd7d4a3ade36bafff0e1da85a57310eecd664ef3b55c41785
Instruction Fuzzy Hash: 81414D71E006099BDFB1CEA9D880AAFF7F2EB44310F14492AE256D7650D330E9558FA2

Function 06892078 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b60ed3ab47a8ae797c5e01b3b8e1be0d03fcd31fa534d88ad9e0ef2a4a95c4e
Instruction ID: de1230facf78157e0c01f9cca6c3a4d9256cf1e0cc3fdf96b10e87b210f3c22e
Opcode Fuzzy Hash: 8b60ed3ab47a8ae797c5e01b3b8e1be0d03fcd31fa534d88ad9e0ef2a4a95c4e
Instruction Fuzzy Hash: AC31D030E106069FDF59CFA4D86469EB7B2FF89310F148929E906E7350DB71AD46CB50

Function 06892088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313bd1190994573c8a94d9ea657bb7d3a6195dbd1275f7b4c4c37feb307c69fc
Instruction ID: c2c846e76502bd0a9feffcd6c45d55e4306edb36848559226d730851f0206465
Opcode Fuzzy Hash: 313bd1190994573c8a94d9ea657bb7d3a6195dbd1275f7b4c4c37feb307c69fc
Instruction Fuzzy Hash: 4F317E30E102069FDF59CFA5D86469EB7B2FF8A300F148929E906E7350DB71A946CB60

Function 06893E58 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f612367be6ecc0f8e5264074296ec096839772da7dfd0d7bb631d97b76cb99a
Instruction ID: 6ef1cfd30f6ded589b0df61ed02d67c03f8c27e71460bc3ac4a95a88c5695b63
Opcode Fuzzy Hash: 5f612367be6ecc0f8e5264074296ec096839772da7dfd0d7bb631d97b76cb99a
Instruction Fuzzy Hash: B0217C75F0021A9FDF50DF69E840AAEBBF5EB48714F148129EA45E7380E770ED418B94

Function 06893E68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ddc0cf7557e3232db3cdfb39403f6fd7c8f7ef0b1ef5ae07b39e0470b2084c
Instruction ID: b0216922ed03ab7484214ec0b438a23cae0f20610412f8931792a9fe004a33b9
Opcode Fuzzy Hash: 80ddc0cf7557e3232db3cdfb39403f6fd7c8f7ef0b1ef5ae07b39e0470b2084c
Instruction Fuzzy Hash: 45217C75F0021A9FDF50DF69D840AAEBBF5EB48710F148129EA05E7380E770ED018BA5

Function 00FDD005 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1871902313.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fdd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7fd92faaceafc6575547db1dc1ac3fbb78e6b4026b31fb7eb464b76a1fcaa9
Instruction ID: 5c3b76d51a082e332859209631ad2fdc9fd7df2c9020c9fe0eee8a5c25769c0e
Opcode Fuzzy Hash: 9b7fd92faaceafc6575547db1dc1ac3fbb78e6b4026b31fb7eb464b76a1fcaa9
Instruction Fuzzy Hash: 78215E7150D3C09FD703CB24D994711BF71AB46214F29C5EBD8898F2A7C23A980ADB62

Function 00FDD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1871902313.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fdd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d80dbf26979fd1db9137849bc15f8897696ed00223403e855049f0e72eaaec
Instruction ID: 9c44828e8ebc2612e2166d49823f950151095182a6b791b228450642886bf292
Opcode Fuzzy Hash: 95d80dbf26979fd1db9137849bc15f8897696ed00223403e855049f0e72eaaec
Instruction Fuzzy Hash: B2210771504204DFDB14DF14D9C8B26BBA6FBC4324F28C56ED90A4B35AC336D847DA62

Function 06893F78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7ad484a8a288ad82a1600352404dec61f8040de82607417c50f974cd3e6413
Instruction ID: bcfe7ef76758cf7665b0179acee6b4b4aab60119fde0da3d1f84df235bb5ff5a
Opcode Fuzzy Hash: 8c7ad484a8a288ad82a1600352404dec61f8040de82607417c50f974cd3e6413
Instruction Fuzzy Hash: 2611AD36B001295FDF949A68D814AAF77FBABC8315F044539D50AE7384EE65DC028BE1

Function 068941B1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39808d406bcbc1f227dfb366c49f86e571022a684d60a7fb7a1aaf118264086
Instruction ID: b1fbe5a961804e103d416792ac0e2fc45ea1593ead7f0a0e7ca0e8f38a36d7ad
Opcode Fuzzy Hash: a39808d406bcbc1f227dfb366c49f86e571022a684d60a7fb7a1aaf118264086
Instruction Fuzzy Hash: 2601B5357001105BEBA499EED85471EB6DAEBCA720F24883AE64AC7340DA35CC4343A5

Function 0689F118 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd35b31004acc514b2cd31ef1f5666f50775e1dfd7717c806de7a879373a9cb
Instruction ID: c79e6b43ec2e06741fe02d9a70afd7e237394a5776160a7ec85d5cab3bcb8d7c
Opcode Fuzzy Hash: 1bd35b31004acc514b2cd31ef1f5666f50775e1dfd7717c806de7a879373a9cb
Instruction Fuzzy Hash: 60019271B041510FDB669679EC6072E7BD6DB8B315F18482EE249C7382EA65CC4243D6

Function 06893C30 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f708a42bfa84f008e213df7ccc1af3cb1799f81fc145c8cd49a5162fbca9be
Instruction ID: 0e85305f471d680d3b0c5776b1f24ec586bd6a33473d477c0f5f05e016751c6a
Opcode Fuzzy Hash: f1f708a42bfa84f008e213df7ccc1af3cb1799f81fc145c8cd49a5162fbca9be
Instruction Fuzzy Hash: 5421C3B5D01259AFCB10CF9AD984ADEFBB4FB48314F10812AE918A7241D375A944CFA5

Function 06893F67 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a5d3aae469239a8ac39a1a7af952d7bc19242712b6cb9d2e40c9ec755b9283
Instruction ID: 65d1193128f4a4091008b97024a3350871818307fc7fc8d13bc2e15176aeb6d7
Opcode Fuzzy Hash: c7a5d3aae469239a8ac39a1a7af952d7bc19242712b6cb9d2e40c9ec755b9283
Instruction Fuzzy Hash: DD01B132B000255FDF949A69DC14AAF77EB9BC8214F04013AE50AE7384EE61D8028BF2

Function 06893C38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a564257f2c2997a60ca88648aa38d9b34e215c6c6f102949edb822e4795c5260
Instruction ID: c1d96e5570536ddb72127c5c87aaaf63562fd839ab4351889a2a137f0dc2a7f0
Opcode Fuzzy Hash: a564257f2c2997a60ca88648aa38d9b34e215c6c6f102949edb822e4795c5260
Instruction Fuzzy Hash: 0911D3B1D01219EFCB00CF9AD884ACEFBB4FB48314F10812AE518A7340C374A544CFA5

Function 0689A27B Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b1a95b2f29638e8e4ad49cd00cdfcc6a773fb05ad82443ab53f9c9ec87ea37
Instruction ID: ae5d44873130aaa6b9e4b8945da8321178d3b673158f43d462738c8721cbab25
Opcode Fuzzy Hash: 05b1a95b2f29638e8e4ad49cd00cdfcc6a773fb05ad82443ab53f9c9ec87ea37
Instruction Fuzzy Hash: 4C01F730B001151FDB959ABED850B1F77D6EB8B714F14893AE60AC7341DA31DC0283D1

Function 068941C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18e373c8e379a3e6ac16051c6a3f893f893c020d7c53710c5b3245cc45f514e
Instruction ID: cb998ae9c4e21ce8cb13a0f2a66124cd1f92c255b7bd37e13f67feab71c02bfc
Opcode Fuzzy Hash: b18e373c8e379a3e6ac16051c6a3f893f893c020d7c53710c5b3245cc45f514e
Instruction Fuzzy Hash: 5F016235B000101BDB6495EE985471EB2DAEBCE710F14C83AE60AC7344DA65DC4343A5

Function 0689F128 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bea19b03f13ca8f858c2b2629460b164e21a73e557c1f9cd9458a2ce7cc0f9c
Instruction ID: 2f473bded1425de3eab01372c59fe446e01bbfef3674ae232514867ea5a2fa93
Opcode Fuzzy Hash: 0bea19b03f13ca8f858c2b2629460b164e21a73e557c1f9cd9458a2ce7cc0f9c
Instruction Fuzzy Hash: 2B018C71B000111BDFAA966DE850B2E73DAEBCA624F18883AE30EC7340DA65DC0743E5

Function 0689A288 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce471c60759ccf73991929b8339431eb201cea2f01c39dbbb4f0f6ea48695e82
Instruction ID: 9ed08dd2b4904ee68de672ce17e714933cf0810bde3c5bfc7ccd94940136bf4f
Opcode Fuzzy Hash: ce471c60759ccf73991929b8339431eb201cea2f01c39dbbb4f0f6ea48695e82
Instruction Fuzzy Hash: 5E018630B104154FDB549ABED45071E73D6E78E714F148929E60AD7344DE31EC424795

Function 0689C758 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4f4f0241add3220682a096f9a00bf81d02cce094fbca136ee43a697f488712
Instruction ID: ed8968d314939d4ae4541aecb2039e04edda05d46c246da942f41e264ec1a45b
Opcode Fuzzy Hash: 5e4f4f0241add3220682a096f9a00bf81d02cce094fbca136ee43a697f488712
Instruction Fuzzy Hash: 1AF0A736E20228A7DF146666D80069EB33AE784754F104525EA01E7244D732A80187E0

Function 068963E0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8223cef6b93bd97f511f1dad0686e2422184cc94e7e47f3cb74ba47eb6b3021
Instruction ID: f91f5da9f6b997d74b5ec7a74e838b2666c171e60b11e6f3d63cb78fb1a863cd
Opcode Fuzzy Hash: f8223cef6b93bd97f511f1dad0686e2422184cc94e7e47f3cb74ba47eb6b3021
Instruction Fuzzy Hash: DFE0D8B1E10309ABEFE0CEB4C95575E77E8EB01214F2488A8D545C7101F636CA42CB51

Non-executed Functions

Function 06897618 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06897789
$^q, xrefs: 06897BA8
$^q, xrefs: 06897BB4
$^q, xrefs: 06897B09
$^q, xrefs: 06897758
$^q, xrefs: 0689774C
$^q, xrefs: 06897BCA
$^q, xrefs: 06897BBE
$^q, xrefs: 0689777D
$^q, xrefs: 06897B15

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 52835daa7cd7f153b5bc46a96539fa85e3da78aa62c32d9b36f625e81e2024fc
Instruction ID: be16cb8bfe60b8c30195683acb372730fb60f999af3071f0b93c5ff333f8e135
Opcode Fuzzy Hash: 52835daa7cd7f153b5bc46a96539fa85e3da78aa62c32d9b36f625e81e2024fc
Instruction Fuzzy Hash: BB122B30E1021A8FDF68DF69C954A9DB7B2BF88304F2485A9D509EB364DB309D85CF91

Function 0689A8A8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 0689A9F9
$^q, xrefs: 0689AA5A
$^q, xrefs: 0689A9AA
$^q, xrefs: 0689AA66
$^q, xrefs: 0689A99E
$^q, xrefs: 0689AA24
$^q, xrefs: 0689AA05
$^q, xrefs: 0689AA30

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 80d5dc8950b733f7e8a5bd4ad3af8ced7ab2826006b7ea83107c43792ff26798
Instruction ID: 54c395b863c3614e0bc904d0fa3740e53e824be09b85c2e729eb6a5360b419ab
Opcode Fuzzy Hash: 80d5dc8950b733f7e8a5bd4ad3af8ced7ab2826006b7ea83107c43792ff26798
Instruction Fuzzy Hash: 7D916C30E0021A9FDF68DB65D955BAEB7F2BF84304F188529E402EB358DB759845CBA0

Function 06897018 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 068974B4
$^q, xrefs: 06897360
$^q, xrefs: 068972FA
$^q, xrefs: 0689752C
$^q, xrefs: 06897520
$^q, xrefs: 06897354
.5vq, xrefs: 06897073

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 9fc98a0b8d20881215af46f3837a6369f341e82cd190f64e72326728738f7ad2
Instruction ID: 35a37e1375b89fa526473f18676cd75fc35105ebe2a60e859d3e723db3195b23
Opcode Fuzzy Hash: 9fc98a0b8d20881215af46f3837a6369f341e82cd190f64e72326728738f7ad2
Instruction Fuzzy Hash: E3F13F30B10209CFDF59EF65D594A6EB7B6BF84300F248669D4069B368DB31EC86CB90

Function 06898350 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 068985AA
$^q, xrefs: 0689861B
$^q, xrefs: 0689860F
$^q, xrefs: 068985B6

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 89a2d6a69757e817ec7668b78cc0aab59b0b997300c3c1b5333f727a21aa29bc
Instruction ID: 99a523abdca943789cadc69a2722449eda4208ac63b9a24f34aba0de512f4162
Opcode Fuzzy Hash: 89a2d6a69757e817ec7668b78cc0aab59b0b997300c3c1b5333f727a21aa29bc
Instruction Fuzzy Hash: D3B16D70B1020A8FDF64DF68D9846AEB7B2BF85304F288929D106DB355DB75DC86CB90

Function 0689AC30 Relevance: 5.2, Strings: 4, Instructions: 173COMMON

Download Yara Rule

Strings

$^q, xrefs: 0689AD61
$^q, xrefs: 0689ADB4
$^q, xrefs: 0689ADE3
$^q, xrefs: 0689AE0C

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 55b9f739c903720be16d1343b9e81fc16833315822f0cc1acc614637b2499f4a
Instruction ID: 959a2316496ed7823f56d81f45dcaab3407270a2f8d4286cfd9b1d2735c02c29
Opcode Fuzzy Hash: 55b9f739c903720be16d1343b9e81fc16833315822f0cc1acc614637b2499f4a
Instruction Fuzzy Hash: E7517130E102099FDFA9DB64D9806ADB7B6EF84305F188629E906DB354DB31DC41CBA1

Function 06898768 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 068988AA
$^q, xrefs: 068987E7
$^q, xrefs: 068987F3
LR^q, xrefs: 0689885B

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 33165c7eb1293e09e2a6df54f85547b3680ac1ff4d11b8a76f2b8fa94c4783b9
Instruction ID: 2dcd2baab44cc46f0b57b605c363d9ccfdfd3299594b11ca31b808b99df36785
Opcode Fuzzy Hash: 33165c7eb1293e09e2a6df54f85547b3680ac1ff4d11b8a76f2b8fa94c4783b9
Instruction Fuzzy Hash: 4F51C470B002069FDF58DB29D941A6E77B1FF89304F148A69E501DB369DB30EC45CBA1

Function 0689ACBC Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

$^q, xrefs: 0689AD61
$^q, xrefs: 0689ADB4
$^q, xrefs: 0689ADE3
$^q, xrefs: 0689AE0C

Memory Dump Source

Source File: 00000004.00000002.1886458924.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6890000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: a20a7d2c97706ec6f411f314f43dd9453366a459df0948147dd40e70abb49401
Instruction ID: faaaa4336c93bc70b2e580dd011c6c340c604e29ed498a99b2b36900c4595fcf
Opcode Fuzzy Hash: a20a7d2c97706ec6f411f314f43dd9453366a459df0948147dd40e70abb49401
Instruction Fuzzy Hash: F4414C30B1020A8FDFA9DB64D5805ADB3F2EB84305F288629D905DB358DB31EC45CBA1

Analysis Process: adobe.exePID: 7776, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	227
Total number of Limit Nodes:	16

Executed Functions

Function 0127D030 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0127D0BE
GetCurrentThread.KERNEL32 ref: 0127D0FB
GetCurrentProcess.KERNEL32 ref: 0127D138
GetCurrentThreadId.KERNEL32 ref: 0127D191

Memory Dump Source

Source File: 00000006.00000002.1871782609.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1270000_adobe.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a122e296c1f3c27fb2cb4b1a4a285c967c4132e0f44e24f4bcb4309cad23e952
Instruction ID: ef9e73649e9065d8bac02d5acf42efdc769d5f1fb55d998c50e8a44477ccd1d0
Opcode Fuzzy Hash: a122e296c1f3c27fb2cb4b1a4a285c967c4132e0f44e24f4bcb4309cad23e952
Instruction Fuzzy Hash: BF5164B0900359CFDB14DFA9D948BDEBFF1AF88304F208599D419A72A0DB349989CB65

Function 0127D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0127D0BE
GetCurrentThread.KERNEL32 ref: 0127D0FB
GetCurrentProcess.KERNEL32 ref: 0127D138
GetCurrentThreadId.KERNEL32 ref: 0127D191

Memory Dump Source

Source File: 00000006.00000002.1871782609.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1270000_adobe.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ebee54de538c63344487470d67cb66e505730ceff767bb807304138625cc73e5
Instruction ID: 51e56584e9ab1aa5333ac211d30c0427ce3e9dcc7827f8c38927eed1582350b2
Opcode Fuzzy Hash: ebee54de538c63344487470d67cb66e505730ceff767bb807304138625cc73e5
Instruction Fuzzy Hash: 875154B0900349CFDB14DFAAD948BDEBBF1AF88304F208559E419A73A0DB349984CF65

Function 02B196FC Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02B1993E

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 820e7bed3fba2cf05279baa82f2cbba283c1b0dc365180bae61066374a5e156e
Instruction ID: 8c759cc6694918848b972620c42b47e61bea6232f44f64a1fd5f0f5939872c81
Opcode Fuzzy Hash: 820e7bed3fba2cf05279baa82f2cbba283c1b0dc365180bae61066374a5e156e
Instruction Fuzzy Hash: F9A19D71D00659CFEB10DFA8C8507EEBBB2FF48314F1485A9E849A7280DB749985CF92

Function 02B19708 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02B1993E

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 40c5d21b7c47cd1b7730a97cc88c6a8071767c628d229a5ba2dd799eb87b7aa4
Instruction ID: 770b647e2e2336f5b37706f5230af17a1ef1b492ca9b2b1072f081b29b8e53ae
Opcode Fuzzy Hash: 40c5d21b7c47cd1b7730a97cc88c6a8071767c628d229a5ba2dd799eb87b7aa4
Instruction Fuzzy Hash: D7919D71D00659CFDB14DFA8C8507EEBBB2FF48314F1481A9E859A7280DB749985CF92

Function 0127ADA8 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0127AFFE

Memory Dump Source

Source File: 00000006.00000002.1871782609.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1270000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d00a7257f45a517b72275b4debda7e69f7b049f6fa521e7472d687bdb5b00921
Instruction ID: 7ddbe16e5f61a0243071333f5e14748e31dd0f762d37b95a8939ddc57c8c194d
Opcode Fuzzy Hash: d00a7257f45a517b72275b4debda7e69f7b049f6fa521e7472d687bdb5b00921
Instruction Fuzzy Hash: 43814470A10B068FD724DF2AC0447ABBBF1FF88314F048A2DD18A97A51D775E94ACB90

Function 0127590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012759C9

Memory Dump Source

Source File: 00000006.00000002.1871782609.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1270000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b1ddbe74d2ff3c98c80855c50e89a1089745fa270399a6fbe27707baaee90960
Instruction ID: 26d923e2eac2d6a3e01894d4cbe322b88f7a3830295c53f105425a7cd943f22f
Opcode Fuzzy Hash: b1ddbe74d2ff3c98c80855c50e89a1089745fa270399a6fbe27707baaee90960
Instruction Fuzzy Hash: DB41D3B0C1071DCBDB14DFAAC884ACEFBB5BF49304F24806AD409AB255DB756986CF90

Function 012744C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012759C9

Memory Dump Source

Source File: 00000006.00000002.1871782609.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1270000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 446d7c82e7ac2a7a646c474c674b9cc08346caecb95365f270af62aa8a679281
Instruction ID: 8754892f77750ba9a531659b1420705a03e42601748e57eeb0ddd78bb733ff5d
Opcode Fuzzy Hash: 446d7c82e7ac2a7a646c474c674b9cc08346caecb95365f270af62aa8a679281
Instruction Fuzzy Hash: 6B41D4B0C1071DCBDB24DFAAC88479EFBB5BF45304F248069D409AB255DB756985CF90

Function 02B19478 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02B19510

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a5630a3667caf03ef5effa43fae3e6ffd667bc393887971b557ba26a94e9d0b7
Instruction ID: b4fa704d206f0819e3e0c9abe75ac24ba4874ebe3161d2df82b618a75adc34e6
Opcode Fuzzy Hash: a5630a3667caf03ef5effa43fae3e6ffd667bc393887971b557ba26a94e9d0b7
Instruction Fuzzy Hash: 202157B1900359DFCB10CFAAC885BEEBBF4FF48314F10842AE959A7241C7789955CBA4

Function 02B19480 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02B19510

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 036d920ab629bdecae9605a1cd547594a9843eeb0c8a3d1eeee07164652ea264
Instruction ID: b329ef54b19244fee14db9b0fc4a1e190fce6a1d3644c4d1121e4fb4ea5d86c3
Opcode Fuzzy Hash: 036d920ab629bdecae9605a1cd547594a9843eeb0c8a3d1eeee07164652ea264
Instruction Fuzzy Hash: 712169B1900349DFCB10CFAAC881BDEBBF4FF48314F10842AE959A7240C7789944CBA4

Function 02B18EA8 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02B18F2E

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 65560fa47470f1b7cef1b3b8dee029464dac297ee683c438b7323082f19a02ca
Instruction ID: 4662b42f578fc049bbd8356e26d9bfc7b4d1e72a37f2be6430654c09be582b57
Opcode Fuzzy Hash: 65560fa47470f1b7cef1b3b8dee029464dac297ee683c438b7323082f19a02ca
Instruction Fuzzy Hash: 2B2139719002098FDB10DFAAC5857EEBBF5EF48314F54842AD459A7240C7789585CFA5

Function 02B19568 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02B195F0

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6cc6cf52576bc5ab8c3319353b3b3e0749612e77d17fccb513ce353bd5da33c2
Instruction ID: 193fcc12ec28927073ab4f1de48f4df764819092a25b8d82fa334fe48f64ef89
Opcode Fuzzy Hash: 6cc6cf52576bc5ab8c3319353b3b3e0749612e77d17fccb513ce353bd5da33c2
Instruction Fuzzy Hash: 632148B1D003599FDB10DFAAC880AEEFBF5FF48320F50842AE959A7250C7349940CBA5

Function 02B19570 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02B195F0

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2a4bb9371b7184decdb1458e94643ab27d1f1cf59589f4cfa04796ae6d0094b9
Instruction ID: 4c598690c1499c94396c24d690d96e605e1eab2a6d2944079751782c51f8c0b0
Opcode Fuzzy Hash: 2a4bb9371b7184decdb1458e94643ab27d1f1cf59589f4cfa04796ae6d0094b9
Instruction Fuzzy Hash: A62139B1D003599FDB10DFAAC880AEEFBF5FF48320F508429E559A7250C7749944CBA5

Function 02B18EB0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02B18F2E

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: df1847967318bdb4fe82b52196c8d70da2361929a78c0d1baca851425c9473c0
Instruction ID: cf0a86219cd54d2020701cead8e1d3e43e181f2322f467c8aade256c07cd9db2
Opcode Fuzzy Hash: df1847967318bdb4fe82b52196c8d70da2361929a78c0d1baca851425c9473c0
Instruction Fuzzy Hash: 9E2129B19003098FDB10DFAAC4857EEBBF5FF88324F54842AD459A7240C7789985CFA5

Function 0127D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0127D717

Memory Dump Source

Source File: 00000006.00000002.1871782609.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1270000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 91fe663f67c0fe2ab49aa7fbfa251ca76194bfec7d4276a0a85ffb9490666839
Instruction ID: cd53b7227aaad9671b4d9518ec35628a7185b1a5957d92c2a5ba149f2e87781e
Opcode Fuzzy Hash: 91fe663f67c0fe2ab49aa7fbfa251ca76194bfec7d4276a0a85ffb9490666839
Instruction Fuzzy Hash: 3621E2B5900249DFDB10CFAAD984ADEFFF8EB48320F14841AE958A3310C375A940CFA5

Function 02B193B8 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02B1942E

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cbae0996a07925d641edcbfe398eb6dd0c8e25073a616bad19748e0caf48b716
Instruction ID: e5f60c8016e1aa91b0d7590e61f3afb329038d4c78f87cde7a2c23cadf4034bc
Opcode Fuzzy Hash: cbae0996a07925d641edcbfe398eb6dd0c8e25073a616bad19748e0caf48b716
Instruction Fuzzy Hash: FA1189728002499FCB20DFAAC845BEFBFF5EF48324F248819E559A7250C7359541CFA1

Function 0127A130 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0127B079,00000800,00000000,00000000), ref: 0127B28A

Memory Dump Source

Source File: 00000006.00000002.1871782609.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1270000_adobe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5cafec2e4ce7149c1db8cbc73da94697063dc8583b145bbb5dbadba5f1c495ec
Instruction ID: 59d29bd787f421ccd332c42981cc55e5bb9b4f18398b6b566d7f681cf413d322
Opcode Fuzzy Hash: 5cafec2e4ce7149c1db8cbc73da94697063dc8583b145bbb5dbadba5f1c495ec
Instruction Fuzzy Hash: 301114B69013098FDB10CF9AC444ADFFBF4EB48310F10842AD919A7210C375A545CFA5

Function 0127B219 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0127B079,00000800,00000000,00000000), ref: 0127B28A

Memory Dump Source

Source File: 00000006.00000002.1871782609.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1270000_adobe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4d41233f61e175d44b782601bc0ae45f584b1cfe24b2e40fef120a25dbcd4344
Instruction ID: c400e0d46ed85a8a825207c46239a930bcdd435afd15a3949c9bf7feb698cb2d
Opcode Fuzzy Hash: 4d41233f61e175d44b782601bc0ae45f584b1cfe24b2e40fef120a25dbcd4344
Instruction Fuzzy Hash: 6F111FB69012498FDB10DFAAC444ADEFBF4EB89320F10842AD969A7610C375A945CFA5

Function 02B193C0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02B1942E

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fef089544e45f1314bc96c9dbcf5f81afc0fa13b7329e8abdf1d5e236ac309ae
Instruction ID: 008ff1e3ffed9d647d643fc4ca461fa7a6621b8b74145db28ddd6b8c4d5b29ad
Opcode Fuzzy Hash: fef089544e45f1314bc96c9dbcf5f81afc0fa13b7329e8abdf1d5e236ac309ae
Instruction Fuzzy Hash: 951167729002498FCB20DFAAC845BDFBFF5EF88324F248419E559A7250C775A540CFA1

Function 02B18DF8 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02B18E62

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: db7bbfea1b6c2990ee3bf2047e71da83e32a51e5085d97ae2a39a579dffd9180
Instruction ID: e799e9cb3c144d65edce9f0d4b2ed30b04d6734ad61b9c387788dc0c51fa6154
Opcode Fuzzy Hash: db7bbfea1b6c2990ee3bf2047e71da83e32a51e5085d97ae2a39a579dffd9180
Instruction Fuzzy Hash: C01158B29002498FDB20DFAAC4457EFFBF4EB88324F248869D459A7240D775A945CFA4

Function 02B18E00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02B18E62

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 33c13cbe1cb4d61f8e23c99dbca95fb19b66409e7a8b11e129c3874f18d00c2d
Instruction ID: 3f4fcb2ee6096d6c3714a9ec0e0dc19f75b20132e1729d0b160805d038d918ec
Opcode Fuzzy Hash: 33c13cbe1cb4d61f8e23c99dbca95fb19b66409e7a8b11e129c3874f18d00c2d
Instruction Fuzzy Hash: C11136B29003498FDB20DFAAC4457EFFBF5EB88324F208429D459A7250CB75A944CFA5

Function 02B1BAC9 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 02B1BB2D

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 64ccf5c1eb2ca3ab473904f79a60121236c28ef910a0636b04b80080db44fed0
Instruction ID: 00eb960371e9805bea636680c28fe7895265211e4a9a7b3c7181b7c5f79977d7
Opcode Fuzzy Hash: 64ccf5c1eb2ca3ab473904f79a60121236c28ef910a0636b04b80080db44fed0
Instruction Fuzzy Hash: 6E1122B58003489FCB10DF8AD889BDEFBF8EB48324F10845AE858A3600C375A584CFA1

Function 0127AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0127AFFE

Memory Dump Source

Source File: 00000006.00000002.1871782609.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1270000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 53bef71a9e67e320f300a4dd95766a6932134f20961d53fed261d3f2d95147bd
Instruction ID: 7ccace0da5282fc0f803f7e05885c19c3005e1f141a827bb7f6b469d3c5304ab
Opcode Fuzzy Hash: 53bef71a9e67e320f300a4dd95766a6932134f20961d53fed261d3f2d95147bd
Instruction Fuzzy Hash: 6D111DB6C002498FDB20CF9AC444BDEFBF4AB88324F10842AD969A7210D379A545CFA1

Function 02B1D7E0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02B1D838

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d0c45ffb5cdc300006866e54b5f577b8a91e8309fa0176d53f92b51d9e2e03ce
Instruction ID: e22a4f50a7d1e949cc35900b0d1aa4e2761a13c9e5aa9ba9ecbc5632a724dfbf
Opcode Fuzzy Hash: d0c45ffb5cdc300006866e54b5f577b8a91e8309fa0176d53f92b51d9e2e03ce
Instruction Fuzzy Hash: 031133B1800249CFCB10DF9AC544BDEBBF4EB48324F20846AD958A7240C338A584CFA5

Function 02B1D7D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02B1D838

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ac8fe8bbff85f95bb5425253b4f457679687455a363894fe9782e802a44b8c3a
Instruction ID: 8c904398001767229652f2d6d5d9bf829efeac577b9288f547a3a75d8f323aba
Opcode Fuzzy Hash: ac8fe8bbff85f95bb5425253b4f457679687455a363894fe9782e802a44b8c3a
Instruction Fuzzy Hash: 211136B2C00249CFDB10DF99C544BDEFBF0EB48324F10845AD558A7650C339A585CFA5

Function 02B17D58 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 02B1BB2D

Memory Dump Source

Source File: 00000006.00000002.1873000459.0000000002B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2b10000_adobe.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a247e33d63a7a58d6cbce279489c504449d83e2d7f600cc8ef35290c1a6e5c18
Instruction ID: bf76957bd9db48b0e0d5f50d4b9ee3cdb7c5629adab82c2f0b8670de4c5c18c7
Opcode Fuzzy Hash: a247e33d63a7a58d6cbce279489c504449d83e2d7f600cc8ef35290c1a6e5c18
Instruction Fuzzy Hash: CA11F2B5800349DFDB10DF9AD485BEEFBF8EB48324F208459E959A7600C375A984CFA5

Function 00D8D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1868101142.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d8d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40f9de9020557db0fdba84450a55f19ecd0afe079828cff489f2dc24d5cfa60
Instruction ID: e1abffe5b6ae440c54162c958e89b58b7f7539a6ffa11bc8ff5ec7f7eb5db8a2
Opcode Fuzzy Hash: f40f9de9020557db0fdba84450a55f19ecd0afe079828cff489f2dc24d5cfa60
Instruction Fuzzy Hash: B6212871500204DFDB05EF18D9C0B26BF66FB94324F24C169D9094B2D6C336E856C7B1

Function 00D9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1868136982.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d9d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6178c6b9decd89b822afd1e48aed5beaf650755b4cb20b8d28a3cc37a8f99482
Instruction ID: 4c88d48df9d49e3499ccab148cd16c5857a294fa060f2b72bfcf792743243e90
Opcode Fuzzy Hash: 6178c6b9decd89b822afd1e48aed5beaf650755b4cb20b8d28a3cc37a8f99482
Instruction Fuzzy Hash: CA21FF71604200DFDF14DF24D984B26BBA6FB88314F24C669E84E4B296C33AD847CA71

Function 00D9D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1868136982.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d9d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f9859fc5aaaf07be3e73b243aee3e65564a3c7bf0201216c5ab4d5aa655a7d
Instruction ID: 560d0c1eb95f5d4edc41dc7daf7e25bbf5bbac3a745e1e9b37cfddcd67458da1
Opcode Fuzzy Hash: f2f9859fc5aaaf07be3e73b243aee3e65564a3c7bf0201216c5ab4d5aa655a7d
Instruction Fuzzy Hash: 06210471504200EFDF05DF14DAC0B2ABBA6FB84314F24C66DE9494B296C336D846CA75

Function 00D9D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1868136982.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d9d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60eea47fd86717dc985f13cac6388d71597a140dcbf15b7a5b6af607c32ee616
Instruction ID: b48549c2ddacd86f72be73a2706353f6a4c860a14c53b01b1e07b2b5e9d24ef9
Opcode Fuzzy Hash: 60eea47fd86717dc985f13cac6388d71597a140dcbf15b7a5b6af607c32ee616
Instruction Fuzzy Hash: DC215E755093808FDB16CF24D994715BF72EB46314F28C5EAD8498F6A7C33A980ACB62

Function 00D8D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1868101142.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d8d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 9c6cc4a5cc4e047525d37f4c28b8d773c46abf5c3abbf1e23a1500b95479de56
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 92112672404240DFCB02DF04D5C4B16BF72FB94324F28C2A9DC090B296C33AE85ACBA1

Function 00D9D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1868136982.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d9d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: b97cb94ab9312380e2a6ed81380da5a595f1121ad4d0e70096b292b1de9a3e1c
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 90118B75504280DFDB16CF14D5C4B15BBA2FB94314F28C6AAD8494B696C33AD84ACB61

Function 00D8D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1868101142.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d8d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5148e0f09c61bc876924e59f1acbd6ea1d68896c3b0be97234cdd8d0485d5c25
Instruction ID: 5068d95b753ee95af4550aca1a314397800e09a33e0b7345f19f5d1f360f567f
Opcode Fuzzy Hash: 5148e0f09c61bc876924e59f1acbd6ea1d68896c3b0be97234cdd8d0485d5c25
Instruction Fuzzy Hash: 6501A771009344AAE710AB26CD84767BFD9EF51324F1CC92AED4A4A2C6C779DC40C7B1

Function 00D8D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1868101142.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d8d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754cf8661c77d68ebb7431114765adbe79f06d79cf8e762d2dbb4f8e030c6d9f
Instruction ID: ade329c3c22d452e96dc44c905fbb1dbbda357bb534dad9db0a063962b304999
Opcode Fuzzy Hash: 754cf8661c77d68ebb7431114765adbe79f06d79cf8e762d2dbb4f8e030c6d9f
Instruction Fuzzy Hash: 6AF06271405344AEE7109B16DC84B66FFA8EF51724F18C55AED494A2C6C3799C44CBB1

Analysis Process: adobe.exePID: 7828, Parent PID: 7776COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	211
Total number of Limit Nodes:	23

Executed Functions

Function 066A3418 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066A3B64
$^q, xrefs: 066A3B70
$^q, xrefs: 066A3B17
$^q, xrefs: 066A3B4C
$^q, xrefs: 066A3B40
$^q, xrefs: 066A3B23

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 641fae3c90bc6583b4caa0d783bac501f790c8d2e9d8dc210ce11ee0aa025c4b
Instruction ID: 4cb78cba19cdb558d5631ad479a9756b2cdc8a2a635940e3519d5c1c215a5323
Opcode Fuzzy Hash: 641fae3c90bc6583b4caa0d783bac501f790c8d2e9d8dc210ce11ee0aa025c4b
Instruction Fuzzy Hash: 80321D31E1071A8FCB54EF75C85459DB7B6BF89300F2486AAD409AB324EB70AD85CF91

Function 066A7CF8 Relevance: 3.0, Strings: 2, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066A8035
$^q, xrefs: 066A8041

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 1616f710e475809a88385e214bcc51316eee36bb7eaad3b473108d6342560449
Instruction ID: 93aa96e1a81ae1ed4e93481ffb2a3108156a81ee98825e2a54412322d5348aa6
Opcode Fuzzy Hash: 1616f710e475809a88385e214bcc51316eee36bb7eaad3b473108d6342560449
Instruction Fuzzy Hash: DD029E34B002059FDB54EFA8D990BAEB7E2EF84314F148469E406DB395DB31ED86CB91

Function 066A2742 Relevance: 1.0, Instructions: 1012COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f7000517d963d48f30402f2fd6f369961a4a0b9d0b6f178e0db262b5731292c
Instruction ID: af32bb24fd3e0ade93f3f1228a49b18eff2de6fc95198c08347be90a960239eb
Opcode Fuzzy Hash: 0f7000517d963d48f30402f2fd6f369961a4a0b9d0b6f178e0db262b5731292c
Instruction Fuzzy Hash: 8F925534A003048FDB64DB68C194A9DBBF2FB45314F5884A9E44AEB365DB35ED86CF90

Function 066A6560 Relevance: .8, Instructions: 819COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7203d29f2f3b1e70a566212d68e3865ee142d7f150b2f4600dced0f68d219b87
Instruction ID: 02f26092c83207ac3f10a636b576167e0aaba8821aef6b25a89a34bba68afd58
Opcode Fuzzy Hash: 7203d29f2f3b1e70a566212d68e3865ee142d7f150b2f4600dced0f68d219b87
Instruction Fuzzy Hash: C062BD34A002049FDB54DB68D594BAEB7F2EF88314F188469E406EB395DB35ED82CF90

Function 066AC0F8 Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1c74d5d274e2e86af8951c5fd8908fd8672ff4b202872a2a4432575462c5ab
Instruction ID: 45d0dbad6820bdbd4b251dedbeb9f5c873a9cc20f29dee6cc7f8c64a3d247ee1
Opcode Fuzzy Hash: 1a1c74d5d274e2e86af8951c5fd8908fd8672ff4b202872a2a4432575462c5ab
Instruction Fuzzy Hash: 58326F34B002099FDB54EF68D990BAEB7B2EB88314F248525E405EB355DB35EC86CF91

Function 066A5550 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2ab73d9b8c7ecc4a456c1687f038af4b9a33ce27b1013fe63c42a97a9f482e
Instruction ID: c7be43d360c0fd82654252685c15b68a94eb9a99d6c807ac737bd1326c8aac33
Opcode Fuzzy Hash: 0e2ab73d9b8c7ecc4a456c1687f038af4b9a33ce27b1013fe63c42a97a9f482e
Instruction Fuzzy Hash: 5D12D131F003159BDB64DB64D8907AEBBB2EB85310F14846AE85BEB345DA34EC46CB91

Function 066AB198 Relevance: .6, Instructions: 569COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 245ee9a0bfc75bde67ed437258b5836285899fd2922b3c62d1a38c3c622dd26c
Instruction ID: e071f48d1d92529b7696aefe9dc6469ba46325a58e473639dfc29ee992550398
Opcode Fuzzy Hash: 245ee9a0bfc75bde67ed437258b5836285899fd2922b3c62d1a38c3c622dd26c
Instruction Fuzzy Hash: 99227030E002098FDF64DFA8D5907AEB7B6EB85310F248926E459EB395CA35EC85CF51

Function 066AAC40 Relevance: 10.4, Strings: 8, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066AADEF
$^q, xrefs: 066AAD6D
$^q, xrefs: 066AAE0C
$^q, xrefs: 066AADC0
$^q, xrefs: 066AADB4
$^q, xrefs: 066AADE3
$^q, xrefs: 066AAE18
$^q, xrefs: 066AAD61

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 0c38f438c3e9b3768f0bcdb14794d2cc6e23c78cc6d0e1f219b69574d2cad23e
Instruction ID: 6aa7d3aa923fc73a747fd39a3b9d11f15df64bbd45ad3a67bdd10fe90712451f
Opcode Fuzzy Hash: 0c38f438c3e9b3768f0bcdb14794d2cc6e23c78cc6d0e1f219b69574d2cad23e
Instruction Fuzzy Hash: 44E14C30E003098FDB69DFA9D4946AEB7B2EF85304F24852AD406DB355DB71EC86CB91

Function 066AB5C0 Relevance: 8.0, Strings: 6, Instructions: 473COMMON

Download Yara Rule

Strings

$^q, xrefs: 066ABAF7
$^q, xrefs: 066ABB1F
$^q, xrefs: 066ABAEB
$^q, xrefs: 066ABB2B
$^q, xrefs: 066ABB5F
$^q, xrefs: 066ABB53

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: baa5e6de7fddfefa5977d85c72f93233c70c42f2111da7e770d7e4d52291b2ab
Instruction ID: 478d7a82513d4d5c95e1b2dfa25601dbbe1f985b46d792abd540858d299c1bd4
Opcode Fuzzy Hash: baa5e6de7fddfefa5977d85c72f93233c70c42f2111da7e770d7e4d52291b2ab
Instruction Fuzzy Hash: 1F024B30E002098FDBA4DF68D5906ADB7B2FB85310F24896AD41ADB355DB71EC85CF91

Function 066A90C8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066A914A
$^q, xrefs: 066A9156
$^q, xrefs: 066A910F
$^q, xrefs: 066A911B

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 2f938f14c8fd0a7869e70e679ef9e383188fe6fb24ee9d4b2cbe150261061ead
Instruction ID: 83709def7902485f0cdc9d5bd3e3e11ef305902f792ce727a7e8d946b2087d54
Opcode Fuzzy Hash: 2f938f14c8fd0a7869e70e679ef9e383188fe6fb24ee9d4b2cbe150261061ead
Instruction Fuzzy Hash: F6914C34B1061A9FDB54DF65D9507AEB3F6AF89304F248569C409EB388EB30AC468F91

Function 066ACEC8 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066AD2BF
$^q, xrefs: 066AD2C7
$^q, xrefs: 066AD2D3

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 49ce539c64bd30710be43b01c5deca1f6a4d01dca595549bce12359f756629c0
Instruction ID: d7ed5e0191dbcdda1b7031ac004d5e6f965cf1d957f9e8f3e9a9d658493e2aa6
Opcode Fuzzy Hash: 49ce539c64bd30710be43b01c5deca1f6a4d01dca595549bce12359f756629c0
Instruction Fuzzy Hash: 8F624F34A002159FCB55EF68D580A5EB7B2FF84304F248A69D009DF769DB71ED8ACB90

Function 066A4B18 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ocq, xrefs: 066A4CCF
XPcq, xrefs: 066A4C45
fcq, xrefs: 066A5225

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 4e925d48af8b2161dc122032c66d053589efd4622d8e1548b73251f20b24ac16
Instruction ID: 4febf4274b8f792a81c101f1afe6af9283a7d2f09f43c2dfa663c699d684fa08
Opcode Fuzzy Hash: 4e925d48af8b2161dc122032c66d053589efd4622d8e1548b73251f20b24ac16
Instruction Fuzzy Hash: 36615030F002099FEB549FA5C8547AEBAF6EF88300F20842AD106EB395DF759D458F91

Function 00E1ED30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

h, xrefs: 00E1EE11

Memory Dump Source

Source File: 00000008.00000002.4096285249.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e10000_adobe.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 71da98735a28d260e199063bce56425ae71c7e1db180dfa92d599261b5987c6e
Instruction ID: 567b8fc48f49ea973403594f701dc8ba8f0b2a53e67876a1de8770a16102ee75
Opcode Fuzzy Hash: 71da98735a28d260e199063bce56425ae71c7e1db180dfa92d599261b5987c6e
Instruction Fuzzy Hash: 9941F471D043958FCB10CFB9D8046DABFF5EF8A310F1885ABD445AB251DB749885CBA1

Function 066A90B9 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 066A914A
$^q, xrefs: 066A910F

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 4f6bbe5887f3d68adbf43ae9bb4b1041976b942c2605d80847424536140c9ebd
Instruction ID: 7c158a6b703eb2bf4df7a0b19301f3962458a221733cd3888d82a4cd672229ff
Opcode Fuzzy Hash: 4f6bbe5887f3d68adbf43ae9bb4b1041976b942c2605d80847424536140c9ebd
Instruction Fuzzy Hash: 6B512B34B106099FDB54DBB5DD90BAEB3F6AB89744F148569C409EB388EA30DC42CF91

Function 06692E4E Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06692F6A

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: baa177e67df8cc52a564f18164b127408edb2a75b5ab782de06e91b901769390
Instruction ID: 947811208e420931eece75e6c2ee83719bbc4dd51681ace38a6bf4cc06d1f7ed
Opcode Fuzzy Hash: baa177e67df8cc52a564f18164b127408edb2a75b5ab782de06e91b901769390
Instruction Fuzzy Hash: 8E51C2B1D10349AFDF14CFA9D894ADEBBB5BF48314F24812AE819AB210D7719945CF90

Function 06692E58 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06692F6A

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cd83621eee76e61f2e308d1658773b09500d76f3a59caa760803baa5ab3fc3b4
Instruction ID: 72af8b13a9559661db657f45758affea3f8168f13dfabd51d7f1f51e50bec3e4
Opcode Fuzzy Hash: cd83621eee76e61f2e308d1658773b09500d76f3a59caa760803baa5ab3fc3b4
Instruction Fuzzy Hash: D841C2B1D10309AFDF14CF99C884ADEBBB5FF88314F24812AE819AB210D7719985CF90

Function 06696694 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 066979E9

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 2e5d9f54d0faee9c9484268b2a8c70e569fd36e3b5fc3da104dec34f6828f773
Instruction ID: 538724ce9a08900d8fb134adf733c9d90ef207fe8ffce5f2c9d000d3decbd3a4
Opcode Fuzzy Hash: 2e5d9f54d0faee9c9484268b2a8c70e569fd36e3b5fc3da104dec34f6828f773
Instruction Fuzzy Hash: 694128B5A10309CFDB54CF59C488AAABBF9FB88314F248499D519AB321D334A941CFA0

Function 0669866C Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06698700

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: c00325a9b53f46af33d0409ce07c4b3102a7ab27c7a2e26659b38ea0ff37ac97
Instruction ID: 343c068fb7705113b8e2b601d608d0864cee92eb203733f83fe4f6bf28b03231
Opcode Fuzzy Hash: c00325a9b53f46af33d0409ce07c4b3102a7ab27c7a2e26659b38ea0ff37ac97
Instruction Fuzzy Hash: EC3112B0E01248EFDB10CFA8C984BDDBBF5AB49304F208459E404BB394D7756985CFA1

Function 066980A8 Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06698700

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: b66bcb8eaaad4a8a80a802cb25fda206fa73d04837991f97bfe21a628e7d9e3b
Instruction ID: 0b23bce59278c67c865353dfd494cbe169757647a42427b9f4c59fe91bd5b2a9
Opcode Fuzzy Hash: b66bcb8eaaad4a8a80a802cb25fda206fa73d04837991f97bfe21a628e7d9e3b
Instruction Fuzzy Hash: 8A3101B0E01208EFDB50CF99C984B9EBBF9AB49304F208459E405BB394D7B56985CBA5

Function 06696A90 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06696B1F

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 96e33b4f97e1b4db4b08973f6a44058145d4cf9b4af32a6ca2c82cceb1fa75dd
Instruction ID: e8bf166daf9844046ff09f0b7b275210c4ad99032140df6c8f8cdd312bcc8233
Opcode Fuzzy Hash: 96e33b4f97e1b4db4b08973f6a44058145d4cf9b4af32a6ca2c82cceb1fa75dd
Instruction Fuzzy Hash: EB21E4B5901358AFDB10CFAAD984ADEBFF9EB48320F14801AE954A3310D374A950CFA5

Function 0669A2C0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0669A343

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c6002bbb4e2979376d6e9e961496a58c41aca5e0b2073cf95efa3234552619b2
Instruction ID: 3068629b78952846f3fdbab1ab31ff134424c7739436367d1c38559986baaede
Opcode Fuzzy Hash: c6002bbb4e2979376d6e9e961496a58c41aca5e0b2073cf95efa3234552619b2
Instruction Fuzzy Hash: DD2147B5D002098FCB54CFAAD844BEEFBF9BB88310F148429E458A7350C775A944CFA1

Function 06696A98 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06696B1F

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8b6e49d0529393b61738b25715462ba62be7d1c10a1a2a5b3a584a02c7f41371
Instruction ID: 2f408899d844993bd9f351d0104e55efa2d64e9622f7d42d8d1b1a3ff4eb48f5
Opcode Fuzzy Hash: 8b6e49d0529393b61738b25715462ba62be7d1c10a1a2a5b3a584a02c7f41371
Instruction Fuzzy Hash: C921E2B59002089FDB10CFAAD984ADEBFF9EB48320F14801AE958A3310D374A950CFA4

Function 0669A2C8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0669A343

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 33ea6221e0cf6934f2beee394918991545e9ccae37537a618b4b23427d7942b2
Instruction ID: 1ea4699169bffa0d58fdf23354b076e31d63514a9859fab5f97aab5365289636
Opcode Fuzzy Hash: 33ea6221e0cf6934f2beee394918991545e9ccae37537a618b4b23427d7942b2
Instruction Fuzzy Hash: 242124B5D002098FCB54CFAAC844BEEFBF5EB88324F14842AD459A7350C775A944CFA5

Function 00E1EE18 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 00E1EE7F

Memory Dump Source

Source File: 00000008.00000002.4096285249.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_e10000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 89cede7fdc1a6d81564e1fee1e39ae818db1042e943c4ae8fca7fa7f7c7760c6
Instruction ID: 4c3fb448cad5f442eb87f3ce997f46d93fb7a89069212c6beb5feb76674eea21
Opcode Fuzzy Hash: 89cede7fdc1a6d81564e1fee1e39ae818db1042e943c4ae8fca7fa7f7c7760c6
Instruction Fuzzy Hash: D011E2B1C006599BCB10DF9AC544BDEFBF4AB48324F14816AE818B7250D378A984CFE5

Function 0669039C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06691E16

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4368d9467883c80ec7f5a7fc0bac883435a44041901217e44d4699536d1442bf
Instruction ID: 6bcac1e2f706e9b6d33cbdd8f925cd9b65eaaceba3fc06473212ae406b2d3df6
Opcode Fuzzy Hash: 4368d9467883c80ec7f5a7fc0bac883435a44041901217e44d4699536d1442bf
Instruction Fuzzy Hash: C11102B6D0024A8FCB10DF9AC444ADEFBF9EB49214F20846AD869B7710C375A545CFA5

Function 06691DAA Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06691E16

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2a0c9e6b848be8b10e669ff585b2ebc66e6693718987daa23a02f19616935379
Instruction ID: 8349c665a9105b173031cfe4e8b864005b01054db2a091b287486603c3e29fd3
Opcode Fuzzy Hash: 2a0c9e6b848be8b10e669ff585b2ebc66e6693718987daa23a02f19616935379
Instruction Fuzzy Hash: 0D1104B5D002498FCB10CF9AD844ADEFBF9EF49214F10841AD869B7710C375A545CFA5

Function 066966EC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06697C35), ref: 06697CBF

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 2abfbd8286391e74960f3fb342d7c1e72d25ff9654d9e3dc13e754a47e0bb1d8
Instruction ID: c36a819104d0457930672a513bf94be4b1e16c5c8c72330558b7fd94eba5cc4b
Opcode Fuzzy Hash: 2abfbd8286391e74960f3fb342d7c1e72d25ff9654d9e3dc13e754a47e0bb1d8
Instruction Fuzzy Hash: 1D1103B5900249CFCB50DF9AD588BDEBFF8EB48324F20845AD959A7350C374A944CFA5

Function 06696834 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06698585

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: db2e9751f711ed602b604e0964013bdd1d11e536f18c7d184b73a091fb21958c
Instruction ID: 7944c4c2298e0c88cae2fabf4fabb9f60282e0adbed4f89cd3f412150684a20c
Opcode Fuzzy Hash: db2e9751f711ed602b604e0964013bdd1d11e536f18c7d184b73a091fb21958c
Instruction Fuzzy Hash: 761145B1900348CFCB60DF9AD448BDEBBF8EB48324F10845AD519A7310C378A944CFA5

Function 06698529 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06698585

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: f06cda1cbdfd508a8d47d39d25e057430d11f3a92ec65381080f5344637d4731
Instruction ID: b794b0a6094afcc293e6819bdb9534353c6d54decfb69d870cf0c20b1e4d5403
Opcode Fuzzy Hash: f06cda1cbdfd508a8d47d39d25e057430d11f3a92ec65381080f5344637d4731
Instruction Fuzzy Hash: 841133B59002488FCB50CF9AD444BDEBFF4AB48324F24845AD559A7310C375A944CFA0

Function 06697C58 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06697C35), ref: 06697CBF

Memory Dump Source

Source File: 00000008.00000002.4115681849.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6690000_adobe.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a0567ad9ea32bcad3f4693bdd7581a1cfe64b793630e16502af0bdbae2913860
Instruction ID: 426f874f005096a26a3e42cf7402bd16f95e86642ae8ee42606c56a70fb6a98f
Opcode Fuzzy Hash: a0567ad9ea32bcad3f4693bdd7581a1cfe64b793630e16502af0bdbae2913860
Instruction Fuzzy Hash: 1A11F2B5800249CFCB50DF9AD988BDEBFF8AB48324F20841AD959B7350C374A544CFA5

Function 066A4B09 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

XPcq, xrefs: 066A4C45

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: bf68c4e4e88fdd69c02ea257e994634adc819e16df0347a9c25f5961b358e41f
Instruction ID: f5960d4979885d4ff0c146c07ebf4f500fe360de43986e8b274e871b9b5e827c
Opcode Fuzzy Hash: bf68c4e4e88fdd69c02ea257e994634adc819e16df0347a9c25f5961b358e41f
Instruction Fuzzy Hash: 15416D30A002089FDB45DFA9C854B9EBBF6EF88700F20852AD146AB395DF719C01CFA1

Function 066ADA3D Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

PH^q, xrefs: 066ADB99

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 6c59e94daa72b4501579cc8a91cc43aafbd358c13e6d4d6c5527f8211c166ee3
Instruction ID: f353753ae74002b8f5cd2f3a9e0804eeb9ec9ac1a5a9680f0f4e85cbb5d47602
Opcode Fuzzy Hash: 6c59e94daa72b4501579cc8a91cc43aafbd358c13e6d4d6c5527f8211c166ee3
Instruction Fuzzy Hash: 9C41BF70E043099FDB61DFA5C5946AEBBB2EF85300F20452AE406EB740DB71ED46CB91

Function 066A21C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 066A2303

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 5b33e49fcaa839d826a3548ecae871f96042a11fedee706e7bc53596e1663ecd
Instruction ID: 8a83c0b94855264f2282935cadcca3326a3f543f89266d72210609de4d66920f
Opcode Fuzzy Hash: 5b33e49fcaa839d826a3548ecae871f96042a11fedee706e7bc53596e1663ecd
Instruction Fuzzy Hash: A031CD30B003059FDB59AF74C92476E7BA6AFC9604F288429D406DB394EF35DE46CBA1

Function 066AFEE9 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

|, xrefs: 066AFF48

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: f6c01c8878fdada38edac544799af4f64af05e5b340e4f45a8e7e75e1c654da3
Instruction ID: 91467a41358c3ccf87b80002501dbd65dc755b53bc6225eff2db01822415741c
Opcode Fuzzy Hash: f6c01c8878fdada38edac544799af4f64af05e5b340e4f45a8e7e75e1c654da3
Instruction Fuzzy Hash: 6E116D74B102249FDB509F78C805BAE7BF6AF88710F10846EE94ADB390EB759D00CB95

Function 066AFEF8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 066AFF48

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 16dce3e2a7436dc3bb65a3fc403e43145cc73a7f498517419e0cbce627c8a66e
Instruction ID: f00bc8387258ac288629d01d64cdaa124434a1966fc5cfff363e1e3056f7cbce
Opcode Fuzzy Hash: 16dce3e2a7436dc3bb65a3fc403e43145cc73a7f498517419e0cbce627c8a66e
Instruction Fuzzy Hash: 10111C74B102149FDB44AF78C804B6EBBF6AF88750F10846EE90AEB394DB759D01CB85

Function 066AC0E8 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37bea91057d1a3bda5f6e141199f065f52c976873669f9ba19d3ee4195c6be14
Instruction ID: 0a0e6cf8f6a0d5005afd0e6410695dd479c470ea4f58b9bfe661eebbf77f8285
Opcode Fuzzy Hash: 37bea91057d1a3bda5f6e141199f065f52c976873669f9ba19d3ee4195c6be14
Instruction Fuzzy Hash: 09A17330F102099FDF54DFA8D990BAEB7B6EB89314F108526D409E7395CA34DC828F91

Function 066A6158 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b699d3b9e3eef170029a2aa092d4bc91eff0313ea5fbf70ffcec99dfa56a43
Instruction ID: 749fd05403eca0e03b263a608cfe353b452d7b5c363c836ea97237dca8a6a53e
Opcode Fuzzy Hash: a7b699d3b9e3eef170029a2aa092d4bc91eff0313ea5fbf70ffcec99dfa56a43
Instruction Fuzzy Hash: 8861D271F001114FCB149A7DC88466FBADBAFC4224B19443AE80EDB365DE66DD028BD2

Function 066A4252 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4369a742f92c28421cebba70aac94015848e70edd09d187d41a6ff326f44dd1e
Instruction ID: 279a17ae96a32605a47ab65f9a6908da3ddfe20c37b670f4f94b4448b30c31c9
Opcode Fuzzy Hash: 4369a742f92c28421cebba70aac94015848e70edd09d187d41a6ff326f44dd1e
Instruction Fuzzy Hash: 84814C31B002099FDB54DFA9D8947AEB7F2AF89304F148529D40AEB384EF75EC428B51

Function 066A456C Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507ccc5dcb28613ec24f1227d65391dccde5fe44e838981ba2f4d87b40e3c58f
Instruction ID: 8365c0a0d588a0f4deecce332a134ddea8370e650995bbed54b51dcc3d934147
Opcode Fuzzy Hash: 507ccc5dcb28613ec24f1227d65391dccde5fe44e838981ba2f4d87b40e3c58f
Instruction Fuzzy Hash: 28911A34E102198FDB60DF68C890B9DB7B1FF89310F208699D549AB355EB70AE85CF91

Function 066AFB27 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3b750af99b50bb925bacb77622652c3731756c01d8d678ff08d3b311c78799
Instruction ID: b1384274bbe91e8e8275f1402baef2e5d919c1471eb49928137622745835d8ce
Opcode Fuzzy Hash: 2f3b750af99b50bb925bacb77622652c3731756c01d8d678ff08d3b311c78799
Instruction Fuzzy Hash: 9961D131F00205DFDB54ABB8E8553AEBBB2EB85315F20886AE10AD7350DB359D45CF92

Function 066A4580 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b7a733f6c7a5ffc73b93ba9ebba6dda35f4a2b72807f6a5a72c017c268e64a5
Instruction ID: ee907d2e738f3fa0c87b8dac57f041eb1242ea7bc93e8356e5316642cbed37cf
Opcode Fuzzy Hash: 7b7a733f6c7a5ffc73b93ba9ebba6dda35f4a2b72807f6a5a72c017c268e64a5
Instruction Fuzzy Hash: F8912A34E106198BDF60DF68C890B9DB7B1FF89300F208699D549AB355EB70AE85CF91

Function 066AEE98 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909386d4cb5c4b5e968a8ae0ebb3cf6b1e9fd91da48219b624812624a89f82f4
Instruction ID: 53eedbf23fdaab4b69f9736f0efb80f6acce00c8a9c5bde358e3590ab6e826b4
Opcode Fuzzy Hash: 909386d4cb5c4b5e968a8ae0ebb3cf6b1e9fd91da48219b624812624a89f82f4
Instruction Fuzzy Hash: AE712970A002089FDB54DFA8D990AAEBBF6FF84300F248529E405EB355DB71ED46CB91

Function 066AEEA8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1d7945f449e35071fe1f300d66523bed1f819d840ccb9a5f48dd47658fb828
Instruction ID: 3bccf08b05e2b361a59c10d0dce80c7a79f96011c7fc388c6df8c21d0c0eeae2
Opcode Fuzzy Hash: ae1d7945f449e35071fe1f300d66523bed1f819d840ccb9a5f48dd47658fb828
Instruction Fuzzy Hash: 02711B70A002089FDB54EFA9D990AAEBBF6FF84300F248529E405EB355DB71ED46CB51

Function 066AF8D9 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131ee69fcc5d18f976d2981afcf117b852809479e85910d5b8168947667bbf65
Instruction ID: fe6ae7e20722d8a537a3ef6001b4bd55306687c45cb480567bc74641dcc78d90
Opcode Fuzzy Hash: 131ee69fcc5d18f976d2981afcf117b852809479e85910d5b8168947667bbf65
Instruction Fuzzy Hash: 7651D934B10314DFEFA4666CD99476F366BD789300F20492AE50ED7399CA79CC858BA3

Function 066AF8E8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512ecded07dd8efebee64ab21d5d16f83f23972a0a1aa7ae026c5cb2eb8533da
Instruction ID: b2b9561ffc734970ca9485ed9f76cb645974727137d2810472629e255e15a248
Opcode Fuzzy Hash: 512ecded07dd8efebee64ab21d5d16f83f23972a0a1aa7ae026c5cb2eb8533da
Instruction Fuzzy Hash: 0151D534B10314DFEFA4666CD9947AF265FD789310F20492AE10ED7399CA79CC858BA3

Function 066A53C0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1083da7b0c091f4b7d4dd25be1727f042d8c054e7618d8f253c48a14bc5490c
Instruction ID: a77cf798f98ef4131b071768ad9b5b692a98decb80b0f4e39b8dd828a3e101a0
Opcode Fuzzy Hash: f1083da7b0c091f4b7d4dd25be1727f042d8c054e7618d8f253c48a14bc5490c
Instruction Fuzzy Hash: 3D41FB71E007098FDB60CEA9D881AAEFBF2FB95310F10492AE156D7650D331ED558F91

Function 066A2078 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ba19eeeaeb4436c9533ec6f53f3b050d61b3c20391b84cac027b0866a4871a
Instruction ID: b77bc47309c07d244075a8d2dc2e9cc3af3d58ee0fe67f9a6d5af2839d3a9f60
Opcode Fuzzy Hash: 66ba19eeeaeb4436c9533ec6f53f3b050d61b3c20391b84cac027b0866a4871a
Instruction Fuzzy Hash: 49316B70E102059BCB59CF64D8A46AEB7B6AF89300F188529E906EB750DB71ED46CB90

Function 066A2088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd62413203723a6bc367d449fa21ca7f58b5c75afba68a06b7474b0f937b904
Instruction ID: 34ff36bb94e749f137ab016c278f63120e5ee4fdc843f37422edacc86359fdf2
Opcode Fuzzy Hash: 5dd62413203723a6bc367d449fa21ca7f58b5c75afba68a06b7474b0f937b904
Instruction Fuzzy Hash: 24317E70E102059FCB59CF64D8646AEB7B6FF89300F188529E906EB750DB71ED46CB90

Function 066A3E68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04964679d018e0361f67fa42f8c0aef79d1bfadefc8834ff485d9f83cae9e58f
Instruction ID: 9c93000274dfc7b11b944f998f2bb95268343c7f7e98cb4500c680d416148e51
Opcode Fuzzy Hash: 04964679d018e0361f67fa42f8c0aef79d1bfadefc8834ff485d9f83cae9e58f
Instruction Fuzzy Hash: C3216675E112199FDB40DFA9D980AAEBBF5FB88710F10802AEA05E7380E771DD018F91

Function 066A3E66 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d14219dd257e250de013836719b8003d90820d6a2f79ab27edc465171c50687
Instruction ID: d5455dea3dbbfb0b9ee0eb475123a9bbdef1818991717a9cada713a04cdace39
Opcode Fuzzy Hash: 6d14219dd257e250de013836719b8003d90820d6a2f79ab27edc465171c50687
Instruction Fuzzy Hash: 50216A75F112159FDB44DFA8D940BAEBBF2AB88710F14802AEA09E7394E770DD018F91

Function 00DCD005 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4096030585.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_dcd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f640b3e748b188f1cd08539ad7f091f1645e258ca79e371a4f70355586e74734
Instruction ID: ba5af695a86d414b2bc71f9ac2e579bd3647e8a9cfc44591b342d36abd5b27f1
Opcode Fuzzy Hash: f640b3e748b188f1cd08539ad7f091f1645e258ca79e371a4f70355586e74734
Instruction Fuzzy Hash: F5212C7150D3C09FD703CB24D994B11BF71AB47214F29C5EBD8898F2A7C23A985ADB62

Function 00DCD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4096030585.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_dcd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3cebe18f904add23157df012210a226e44c20fddcfbe0c6bc1fec94a3b1b00
Instruction ID: efc1248bb33c872460a28257d5b0955ac116c8f3fbbcec90e4821f077fb49c7f
Opcode Fuzzy Hash: 3b3cebe18f904add23157df012210a226e44c20fddcfbe0c6bc1fec94a3b1b00
Instruction Fuzzy Hash: 5521F271504205EFCB14DF18DDC0F26BBA6EB84314F24C67EE8494B296C33AD846DA72

Function 066A41B1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407f0b84503a0afff009787ee626f961adef72bcd0ea7261bd4d5b1949d31a79
Instruction ID: 35d96875e2afbd450f314bee806a0bc46ef248ccaa7a4f369354e8b726ea743a
Opcode Fuzzy Hash: 407f0b84503a0afff009787ee626f961adef72bcd0ea7261bd4d5b1949d31a79
Instruction Fuzzy Hash: 94119635B002105FD764DAAED85076AB7DADBC6710F24843AE54AC7391DE65DC0247A1

Function 066AF118 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0365979bdd54b0621dc637396426eeb67330cde60dc741e751d15628563e4bf7
Instruction ID: 6d360ee55b24df9d4b17d3e779ba85a9e2125c8cb9caf1379e4af04d4a6905af
Opcode Fuzzy Hash: 0365979bdd54b0621dc637396426eeb67330cde60dc741e751d15628563e4bf7
Instruction Fuzzy Hash: 5E01DE75B002011BDB619A7DD81077AB7EADBCA320F24883BE00ACB341DE35DC428792

Function 066A3F78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a19a49ec9b0a656d2c7d0010fee1df537e57cf4538e5155350ee8a0ff66c4794
Instruction ID: 0e11d58992e21690df1eeca66ae533ee753b501a11a8b8bae320694992cba38e
Opcode Fuzzy Hash: a19a49ec9b0a656d2c7d0010fee1df537e57cf4538e5155350ee8a0ff66c4794
Instruction Fuzzy Hash: F511A136B102245FDF949A68DC14AAF73FBABC8311F14443AD50AE7344EE65DC028BD1

Function 066A3C30 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f26eb6199fdbfec12b1ed736a93a403a2b9ed87ecceb7bf1f19a4abb7df9bc
Instruction ID: 32bb00b05bd6c726318df51399e8cc0b53c31d91a0b760b70938372bd9ea4149
Opcode Fuzzy Hash: 92f26eb6199fdbfec12b1ed736a93a403a2b9ed87ecceb7bf1f19a4abb7df9bc
Instruction Fuzzy Hash: B821C5B5D01219AFCB10CF9AD985ADEFBB4FB49314F10812AE518A7341C374A944CFE5

Function 066AA27A Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e5b0c2e4008c6cf3b468dc16485ff6afe03367bc7b9c21d801707194753ce8
Instruction ID: f912413c66208ba12f3db03edc64fc7e4450f799a982df37bac7e2ac228e1e02
Opcode Fuzzy Hash: 63e5b0c2e4008c6cf3b468dc16485ff6afe03367bc7b9c21d801707194753ce8
Instruction Fuzzy Hash: C901B5317042145FCB61DEBDD45171AB7D6EB46714F18887AE50ACB341DE26EC02CB91

Function 066A3F67 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f31349104a32a08b374dd8dd79cd79f8cade41d6ce76614fd0598408ca3d52
Instruction ID: a581d6bc82e360d854180a5d4c427ebccdd45d648ddef30fcb8cc960a589d063
Opcode Fuzzy Hash: 13f31349104a32a08b374dd8dd79cd79f8cade41d6ce76614fd0598408ca3d52
Instruction Fuzzy Hash: B301B132B101155FDF94DA68DC10BABBBFB9BC8304F08417AD50AEB344EE659C528BD2

Function 066A3C38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ff1ebffd25ab08f559645f4c5b972df12444972019ba2ce696b6e8fd501183
Instruction ID: 5808937c67f75e98bf1236cb1ca401c4ed31c6e1c9ae1be3be3c2d1805ec54f2
Opcode Fuzzy Hash: e0ff1ebffd25ab08f559645f4c5b972df12444972019ba2ce696b6e8fd501183
Instruction Fuzzy Hash: 9311A2B5D01259AFCB00DF9AD984ADEFBB4FB48314F10812AE518B7340C374A954CFA5

Function 066A41C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6857a99b60517640e26b5212fada1f8240faffade571a0a74670fa431c12ae2a
Instruction ID: 671ce848cae30e14f5003d6bedac71d46639953180b43b283c9f309484d9d270
Opcode Fuzzy Hash: 6857a99b60517640e26b5212fada1f8240faffade571a0a74670fa431c12ae2a
Instruction Fuzzy Hash: E4018135B001105BDB649AAED85072BF2DBDBCA711F24843AE60EC7344DEA2EC0247A5

Function 066AF128 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2502bb0ff474411d0c74dbfaae4a322a8d1572c8bbea3daa433b0265f865f818
Instruction ID: 1ed5a34950235c780938549094cbf1c2d6d80716953273dc16fe7fdc3308e4dc
Opcode Fuzzy Hash: 2502bb0ff474411d0c74dbfaae4a322a8d1572c8bbea3daa433b0265f865f818
Instruction Fuzzy Hash: 93018C71B001101BDB64A56DE85073EA3DBDBCA624F54883AE10ECB340EE71EC424796

Function 066AA288 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 467664bd63d4612fbc24a56fb85a223c2a4ffc91889d5015b78790200b3e32aa
Instruction ID: b0ae909ce3910bec667e1ae2eb57da6a9de75bba3374d8fb7b321deea16d87ed
Opcode Fuzzy Hash: 467664bd63d4612fbc24a56fb85a223c2a4ffc91889d5015b78790200b3e32aa
Instruction Fuzzy Hash: EE01A430B005155FDB60EEFDD85072EB3D6EB8A714F14883AE50ACB344DE22EC528B81

Function 066A63E0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d1625c2cf32037152d155a892b362e123430d574a845778945ec20ee3dee8f
Instruction ID: 6455985592c45de7c69943c105db972063009ffb5861d91e75eddd9854dcb589
Opcode Fuzzy Hash: 57d1625c2cf32037152d155a892b362e123430d574a845778945ec20ee3dee8f
Instruction Fuzzy Hash: 8EF0A0719093889FCB61CF78C99575A7FEDEB03210F2984E9D085CB202D636CE02CB62

Non-executed Functions

Function 066A7618 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 066A7B15
$^q, xrefs: 066A777D
$^q, xrefs: 066A7758
$^q, xrefs: 066A7BA8
$^q, xrefs: 066A7BCA
$^q, xrefs: 066A7B09
$^q, xrefs: 066A774C
$^q, xrefs: 066A7BB4
$^q, xrefs: 066A7BBE
$^q, xrefs: 066A7789

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: f662e1f473e3a4778a48ca780e2488f88f13d664187ac9daafb94f978933395e
Instruction ID: 4d6bdc05671d0baf24cc6f89871e885929b693b3a08fa930baac7653d548f208
Opcode Fuzzy Hash: f662e1f473e3a4778a48ca780e2488f88f13d664187ac9daafb94f978933395e
Instruction Fuzzy Hash: E0122D34E007198FDB68DF65C954A9DBBF2BF88704F2085A9D40AAB355DB309D86CF81

Function 066AA8A8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 066AAA30
$^q, xrefs: 066AAA5A
$^q, xrefs: 066AA9AA
$^q, xrefs: 066AAA66
$^q, xrefs: 066AA9F9
$^q, xrefs: 066AA99E
$^q, xrefs: 066AAA24
$^q, xrefs: 066AAA05

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: c77c8de3e06c6cf61f1a3a54072af61da2b827032132ab25c666750ab00bd258
Instruction ID: cf74e5f206ba52d4cc551c48b557de48f5bb40f65904355620db8e233f4ae8b3
Opcode Fuzzy Hash: c77c8de3e06c6cf61f1a3a54072af61da2b827032132ab25c666750ab00bd258
Instruction Fuzzy Hash: 21914C30A003099FDB64DFA5DA54BAEBBF2AF84304F10852AE402AB355DB759D85CF90

Function 066A7018 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 066A7354
$^q, xrefs: 066A72FA
$^q, xrefs: 066A7520
$^q, xrefs: 066A752C
$^q, xrefs: 066A74B4
$^q, xrefs: 066A7360
.5vq, xrefs: 066A7073

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 0e9c08814a0905e616fdf2ebf7d6e578fd69d9395abee5d9270f2c6ec885cd61
Instruction ID: d2c61fc5104ea72f82b63c7b5909f379f4dfc8a64bde60a7f4c79355bf12b4b2
Opcode Fuzzy Hash: 0e9c08814a0905e616fdf2ebf7d6e578fd69d9395abee5d9270f2c6ec885cd61
Instruction Fuzzy Hash: 99F12C34B00308DFDB58EF64D594A6EBBB2BF84304F248569E4059B369DB75EC82CB90

Function 066A8350 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 066A85AA
$^q, xrefs: 066A85B6
$^q, xrefs: 066A861B
$^q, xrefs: 066A860F

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 3d80f32d057ab0b6ce5b5dcbf85ea03b8393eb1f1aaa020350aecabc9e583a33
Instruction ID: 312e7f7d2d5f0af36b82ece2d862d103757a2e6764e430f615f4c7ee35bc7988
Opcode Fuzzy Hash: 3d80f32d057ab0b6ce5b5dcbf85ea03b8393eb1f1aaa020350aecabc9e583a33
Instruction Fuzzy Hash: 5FB1FB30E102088FDB58EFA9D99469EB7B2EF84304F248969D406DB355DB75DC86CF90

Function 066A8768 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 066A88AA
$^q, xrefs: 066A87E7
LR^q, xrefs: 066A885B
$^q, xrefs: 066A87F3

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 07b0b6d78e754c8f94a9ed6d9d3f4c60cc2179e6f9a7b9463aa8ca656c801210
Instruction ID: 8ec69ddffb790093b7cc6468d4d1bda1f961c8d5cbe5dd51710f11339cfdecce
Opcode Fuzzy Hash: 07b0b6d78e754c8f94a9ed6d9d3f4c60cc2179e6f9a7b9463aa8ca656c801210
Instruction Fuzzy Hash: 5D518E34B002059FDB58EB68C950A6AB7E6FF89704F14856DE406DB3AADB30EC45CF91

Function 066AAC30 Relevance: 5.2, Strings: 4, Instructions: 165COMMON

Download Yara Rule

Strings

$^q, xrefs: 066AAE0C
$^q, xrefs: 066AADB4
$^q, xrefs: 066AADE3
$^q, xrefs: 066AAD61

Memory Dump Source

Source File: 00000008.00000002.4115790362.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66a0000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 1dcd159880c649a736d29e24aa45d90faf162474f91139fad9ec1ef601787d41
Instruction ID: 39442f9354ad738e9f1ff7aeef179b58b676fad0a633cac6fa88740e8b408867
Opcode Fuzzy Hash: 1dcd159880c649a736d29e24aa45d90faf162474f91139fad9ec1ef601787d41
Instruction Fuzzy Hash: 4D515E30E103049FDF69EBA8D5806AEB7B2EB85715F24852AD846DB355DB31EC81CF90

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PRE ALERT Docs_PONBOM01577.xlsx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PRE ALERT Docs_PONBOM01577.xlsx.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\adobe.exe.log

C:\Users\user\AppData\Roaming\Adobe\adobe.exe

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
PRE ALERT Docs_PONBOM01577.xlsx.exe

Function 04DD96FC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 248
processCOMMON

Function 04DD9708 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 243
processCOMMON

Function 0136ADA8 Relevance: 1.7, APIs: 1, Instructions: 208
COMMON

Function 0136590D Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 013644C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 05354040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 04DD7C43 Relevance: 1.6, APIs: 1, Instructions: 90
windowCOMMON

Function 04DD7CD8 Relevance: 1.6, APIs: 1, Instructions: 82
windowCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre