Edit tour

Windows Analysis Report
HBL BLJ2T2411809005 & DAJKT2411000812.exe

Overview

General Information

Sample name:	HBL BLJ2T2411809005 & DAJKT2411000812.exe
Analysis ID:	1566611
MD5:	256fe34a6161cbba558466708ed77ccd
SHA1:	570e4231de0facbb5e44c99d46ce5752c52f0fc9
SHA256:	537a4ce3b361be65fda8653311be0779be529e3d33b6f193cd60c6fb95f97e30
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

.NET source code contains potential unpacker

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Drops executable to a common third party application directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

HBL BLJ2T2411809005 & DAJKT2411000812.exe (PID: 5780 cmdline: "C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe" MD5: 256FE34A6161CBBA558466708ED77CCD)

HBL BLJ2T2411809005 & DAJKT2411000812.exe (PID: 5896 cmdline: "C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe" MD5: 256FE34A6161CBBA558466708ED77CCD)

HBL BLJ2T2411809005 & DAJKT2411000812.exe (PID: 5912 cmdline: "C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe" MD5: 256FE34A6161CBBA558466708ED77CCD)

svchost.exe (PID: 5896 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

adobe.exe (PID: 7596 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 256FE34A6161CBBA558466708ED77CCD)

adobe.exe (PID: 7632 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 256FE34A6161CBBA558466708ED77CCD)

adobe.exe (PID: 7640 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 256FE34A6161CBBA558466708ED77CCD)

adobe.exe (PID: 7888 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 256FE34A6161CBBA558466708ED77CCD)

adobe.exe (PID: 7916 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 256FE34A6161CBBA558466708ED77CCD)

adobe.exe (PID: 7924 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 256FE34A6161CBBA558466708ED77CCD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_evico", "Password": "Doll650#@"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.3745517310.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3745517310.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.1498078671.000000000366C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.1498078671.0000000003641000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.1498078671.0000000003641000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.3745517310.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.3747841517.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3747841517.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.3747841517.000000000293C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.1493408156.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.1493408156.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1276953901.0000000004169000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1276953901.0000000004169000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: HBL BLJ2T2411809005 & DAJKT2411000812.exe PID: 5780	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HBL BLJ2T2411809005 & DAJKT2411000812.exe PID: 5780	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: HBL BLJ2T2411809005 & DAJKT2411000812.exe PID: 5912	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HBL BLJ2T2411809005 & DAJKT2411000812.exe PID: 5912	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 7640	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 7640	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 7924	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 7924	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.adobe.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.adobe.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.adobe.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f56:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fc8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34052:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340e4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3414e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341c0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34256:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342e6:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.adobe.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31239:$s2: GetPrivateProfileString 0x30944:$s3: get_OSFullName 0x31f6e:$s5: remove_Key 0x32113:$s5: remove_Key 0x33072:$s6: FtpWebRequest 0x33f38:$s7: logins 0x344aa:$s7: logins 0x371bb:$s7: logins 0x3726d:$s7: logins 0x38bbe:$s7: logins 0x37e07:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32156:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321c8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32252:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322e4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3234e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323c0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32456:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324e6:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f439:$s2: GetPrivateProfileString 0x2eb44:$s3: get_OSFullName 0x3016e:$s5: remove_Key 0x30313:$s5: remove_Key 0x31272:$s6: FtpWebRequest 0x32138:$s7: logins 0x326aa:$s7: logins 0x353bb:$s7: logins 0x3546d:$s7: logins 0x36dbe:$s7: logins 0x36007:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f56:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f586:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaa9a6:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fc8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f5f8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaaa18:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34052:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f682:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaaaa2:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340e4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f714:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaab34:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3414e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f77e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaab9e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341c0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f7f0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaac10:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34256:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f886:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaaca6:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31239:$s2: GetPrivateProfileString 0x6c869:$s2: GetPrivateProfileString 0xa7c89:$s2: GetPrivateProfileString 0x30944:$s3: get_OSFullName 0x6bf74:$s3: get_OSFullName 0xa7394:$s3: get_OSFullName 0x31f6e:$s5: remove_Key 0x32113:$s5: remove_Key 0x6d59e:$s5: remove_Key 0x6d743:$s5: remove_Key 0xa89be:$s5: remove_Key 0xa8b63:$s5: remove_Key 0x33072:$s6: FtpWebRequest 0x6e6a2:$s6: FtpWebRequest 0xa9ac2:$s6: FtpWebRequest 0x33f38:$s7: logins 0x344aa:$s7: logins 0x371bb:$s7: logins 0x3726d:$s7: logins 0x38bbe:$s7: logins 0x6f568:$s7: logins
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ed5b0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ed5b0.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ed5b0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x128626:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x163c56:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x19f076:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x128698:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x163cc8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x19f0e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x128722:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x163d52:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x19f172:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1287b4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x163de4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x19f204:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x12881e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x163e4e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x19f26e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x128890:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x163ec0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x19f2e0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x128926:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x163f56:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x19f376:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ed5b0.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x125909:$s2: GetPrivateProfileString 0x160f39:$s2: GetPrivateProfileString 0x19c359:$s2: GetPrivateProfileString 0x125014:$s3: get_OSFullName 0x160644:$s3: get_OSFullName 0x19ba64:$s3: get_OSFullName 0x12663e:$s5: remove_Key 0x1267e3:$s5: remove_Key 0x161c6e:$s5: remove_Key 0x161e13:$s5: remove_Key 0x19d08e:$s5: remove_Key 0x19d233:$s5: remove_Key 0x127742:$s6: FtpWebRequest 0x162d72:$s6: FtpWebRequest 0x19e192:$s6: FtpWebRequest 0x128608:$s7: logins 0x128b7a:$s7: logins 0x12b88b:$s7: logins 0x12b93d:$s7: logins 0x12d28e:$s7: logins 0x163c38:$s7: logins
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ab580.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ab580.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ab580.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x16a656:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1a5c86:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1e10a6:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16a6c8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1a5cf8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1e1118:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16a752:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1a5d82:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1e11a2:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16a7e4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1a5e14:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1e1234:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16a84e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1a5e7e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1e129e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16a8c0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1a5ef0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1e1310:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16a956:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1a5f86:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1e13a6:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ab580.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x167939:$s2: GetPrivateProfileString 0x1a2f69:$s2: GetPrivateProfileString 0x1de389:$s2: GetPrivateProfileString 0x167044:$s3: get_OSFullName 0x1a2674:$s3: get_OSFullName 0x1dda94:$s3: get_OSFullName 0x16866e:$s5: remove_Key 0x168813:$s5: remove_Key 0x1a3c9e:$s5: remove_Key 0x1a3e43:$s5: remove_Key 0x1df0be:$s5: remove_Key 0x1df263:$s5: remove_Key 0x169772:$s6: FtpWebRequest 0x1a4da2:$s6: FtpWebRequest 0x1e01c2:$s6: FtpWebRequest 0x16a638:$s7: logins 0x16abaa:$s7: logins 0x16d8bb:$s7: logins 0x16d96d:$s7: logins 0x16f2be:$s7: logins 0x1a5c68:$s7: logins
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\adobe\adobe.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe, ProcessId: 5912, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe", ParentImage: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe, ParentProcessId: 5780, ParentProcessName: HBL BLJ2T2411809005 & DAJKT2411000812.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, ProcessId: 5896, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe", ParentImage: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe, ParentProcessId: 5780, ParentProcessName: HBL BLJ2T2411809005 & DAJKT2411000812.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, ProcessId: 5896, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Avira: detection malicious, Label: HEUR/AGEN.1306767

Found malware configuration

Source: 12.2.adobe.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_evico", "Password": "Doll650#@"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe

Joe Sandbox ML: detected

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49750 version: TLS 1.2

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 213.189.52.181 213.189.52.181

Source: Joe Sandbox View

ASN Name: ECO-ATMAN-PLECO-ATMAN-PL ECO-ATMAN-PLECO-ATMAN-PL

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s4.serv00.com

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp, HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.1498078671.000000000366C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000010.00000002.3747841517.000000000293C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s4.serv00.com
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.1498078671.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000010.00000002.3747841517.00000000028CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000000.00000002.1276953901.0000000004169000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.1493408156.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000000.00000002.1276953901.0000000004169000.00000004.00000800.00020000.00000000.sdmp, HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.1498078671.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.1493408156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 00000010.00000002.3747841517.00000000028CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.1498078671.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000010.00000002.3747841517.00000000028CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.1498078671.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000010.00000002.3747841517.00000000028CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49750 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, SKTzxzsJw.cs

.Net Code: yMwXHKL8p

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

Code function: 4_2_05749710 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,0574A570,00000000,00000000

4_2_05749710

Installs a global keyboard hook

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ed5b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ed5b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ab580.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ab580.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 0_2_02FDDF0C	0_2_02FDDF0C
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_029FF208	4_2_029FF208
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_029FE700	4_2_029FE700
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_029F4A90	4_2_029F4A90
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_029F3E78	4_2_029F3E78
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_029FB3B0	4_2_029FB3B0
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_029F41C0	4_2_029F41C0
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_057426E8	4_2_057426E8
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_057426DB	4_2_057426DB
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_057426A3	4_2_057426A3
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_068E6238	4_2_068E6238
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_068E2388	4_2_068E2388
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_068EC1D8	4_2_068EC1D8
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_068E51E8	4_2_068E51E8
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_068EAE78	4_2_068EAE78
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_068E79C8	4_2_068E79C8
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_068E5930	4_2_068E5930
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_068EE400	4_2_068EE400
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_068E72E8	4_2_068E72E8
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_068E8008	4_2_068E8008
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_0072DF0C	10_2_0072DF0C
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_02400040	10_2_02400040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_02400006	10_2_02400006
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_01D4E030	12_2_01D4E030
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_01D4E8B8	12_2_01D4E8B8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_01D44A90	12_2_01D44A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_01D4ADA8	12_2_01D4ADA8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_01D43E78	12_2_01D43E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_01D441C0	12_2_01D441C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_01D4AE68	12_2_01D4AE68
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06FC6638	12_2_06FC6638
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06FC2788	12_2_06FC2788
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06FC55E8	12_2_06FC55E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06FC7DC8	12_2_06FC7DC8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06FCB280	12_2_06FCB280
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06FCC1D8	12_2_06FCC1D8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06FC76E8	12_2_06FC76E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06FCE400	12_2_06FCE400
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06FC5D30	12_2_06FC5D30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06FC0040	12_2_06FC0040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06FC0006	12_2_06FC0006
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_0163DF0C	14_2_0163DF0C
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 14_2_0570A230	14_2_0570A230
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_00C2E030	16_2_00C2E030
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_00C241C0	16_2_00C241C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_00C2E8B8	16_2_00C2E8B8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_00C24A90	16_2_00C24A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_00C2ADA8	16_2_00C2ADA8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_00C23E78	16_2_00C23E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_06446638	16_2_06446638
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_06442788	16_2_06442788
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_06447DC8	16_2_06447DC8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_064455E8	16_2_064455E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_0644B280	16_2_0644B280
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_0644C1D8	16_2_0644C1D8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_064476E8	16_2_064476E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_0644E400	16_2_0644E400
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_06445D30	16_2_06445D30
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_06440040	16_2_06440040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_06440011	16_2_06440011

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000000.00000002.1275401231.000000000139E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HBL BLJ2T2411809005 & DAJKT2411000812.exe
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000000.00000002.1276953901.0000000004169000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSoftwareGame.dll: vs HBL BLJ2T2411809005 & DAJKT2411000812.exe
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000000.00000002.1276953901.0000000004169000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed9e9e37e-59b8-4cab-97db-2b15f3b5cf75.exe4 vs HBL BLJ2T2411809005 & DAJKT2411000812.exe
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000000.00000000.1270033383.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePrivateOne.exe6 vs HBL BLJ2T2411809005 & DAJKT2411000812.exe
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000000.00000002.1276879105.0000000003161000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed9e9e37e-59b8-4cab-97db-2b15f3b5cf75.exe4 vs HBL BLJ2T2411809005 & DAJKT2411000812.exe
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3740156133.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs HBL BLJ2T2411809005 & DAJKT2411000812.exe
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe	Binary or memory string: OriginalFilenamePrivateOne.exe6 vs HBL BLJ2T2411809005 & DAJKT2411000812.exe

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 12.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ed5b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ed5b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ab580.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ab580.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/3@2/2

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

File created: C:\Users\user\AppData\Roaming\adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Mutant created: NULL

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe

ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

File read: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, XPE.cs	.Net Code: Polan System.AppDomain.Load(byte[])
Source: adobe.exe.4.dr, XPE.cs	.Net Code: Polan System.AppDomain.Load(byte[])

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe

Static PE information: 0x8976A1D5 [Fri Jan 30 17:54:29 2043 UTC]

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_0574BC00 push es; ret	4_2_0574BC10
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_068EFC98 push esp; iretd	4_2_068EFC9D
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Code function: 4_2_068EFBD1 push eax; ret	4_2_068EFBDD
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_01D40C55 push edi; retf	12_2_01D40C7A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_01D4EED0 pushad ; ret	12_2_01D4EED1
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_00C20C55 push edi; retf	16_2_00C20C7A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 16_2_00C2EED0 pushad ; ret	16_2_00C2EED1

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe	Static PE information: section name: .text entropy: 7.4070296863659
Source: adobe.exe.4.dr	Static PE information: section name: .text entropy: 7.4070296863659

Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ab580.2.raw.unpack, Form1.cs	High entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ab580.2.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs	High entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.5950000.3.raw.unpack, Form1.cs	High entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.5950000.3.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs	High entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ed5b0.1.raw.unpack, Form1.cs	High entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
Source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ed5b0.1.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs	High entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

File written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

File created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

File opened: C:\Users\user\AppData\Roaming\adobe\adobe.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Memory allocated: 29F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Memory allocated: 4B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 35F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 3280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 28C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: E40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598712	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598572	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598442	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598189	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596186	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597465	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597233	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596576	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596233	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594920	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594685	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594519	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597997	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597884	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597607	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595288	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595181	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595060	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594187	Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Window / User API: threadDelayed 2455	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Window / User API: threadDelayed 7365	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 2503	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 7255	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 2193	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 7650	Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7432	Thread sleep count: 2455 > 30	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7432	Thread sleep count: 7365 > 30	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -598712s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -598572s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -598442s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -598189s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -596186s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -593860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe TID: 7428	Thread sleep time: -593735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7768	Thread sleep count: 2503 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7768	Thread sleep count: 7255 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -599778s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -598124s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -597465s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -597233s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -597124s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -596576s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -596233s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -595796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -594920s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -594685s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7752	Thread sleep time: -594519s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7908	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8052	Thread sleep count: 2193 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8052	Thread sleep count: 7650 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -597997s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -597884s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -597607s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -595288s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -595181s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -595060s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -594515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -594406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -594297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8048	Thread sleep time: -594187s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598712	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598572	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598442	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598189	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596186	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599778	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597465	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597233	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596576	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596233	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594920	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594685	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594519	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597997	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597884	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597607	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595288	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595181	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595060	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594187	Jump to behavior

Source: svchost.exe, 00000008.00000002.3741030905.000001A501E64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: svchost.exe, 00000008.00000002.3740819227.000001A501E4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000008.00000002.3740819227.000001A501E51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D: @
Source: svchost.exe, 00000008.00000002.3740654353.000001A501E24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000008.00000002.3740395455.000001A501E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000008.00000002.3741030905.000001A501E64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: svchost.exe, 00000008.00000002.3741946676.000001A501F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000008.00000002.3741030905.000001A501E64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: adobe.exe, 0000000C.00000002.1494393522.0000000001651000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3740868279.000000000101E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: svchost.exe, 00000008.00000002.3740819227.000001A501E51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: adobe.exe, 00000010.00000002.3743048720.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Memory written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process created: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe "C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe"	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Process created: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe "C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $_q?<b>[ Program Manager]</b> (02/12/2024 10:59:44)<br>{Win}r{Win}rTHdqD
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $_q8<b>[ Program Manager]</b> (02/12/2024 10:59:44)<br>{Win}THdqD
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR_q`
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $_q><b>[ Program Manager]</b> (02/12/2024 10:59:44)<br>{Win}r{Win}THdqD
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <html>Time: 12/16/2024 10:02:25<br>User Name: user<br>Computer Name: 648351<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.228<br><hr><b>[ Program Manager]</b> (02/12/2024 10:59:44)<br>{Win}r{Win}r</html>
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $_q9<b>[ Program Manager]</b> (02/12/2024 10:59:44)<br>{Win}rTHdqD
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $_q3<b>[ Program Manager]</b> (02/12/2024 10:59:44)<br>
Source: HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR_q4

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Queries volume information: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Queries volume information: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 12.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ed5b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ab580.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3745517310.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1498078671.000000000366C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1498078671.0000000003641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3745517310.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3747841517.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3747841517.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1493408156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1276953901.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HBL BLJ2T2411809005 & DAJKT2411000812.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HBL BLJ2T2411809005 & DAJKT2411000812.exe PID: 5912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7924, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 12.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ed5b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ab580.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3745517310.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1498078671.0000000003641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3747841517.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1493408156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1276953901.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HBL BLJ2T2411809005 & DAJKT2411000812.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HBL BLJ2T2411809005 & DAJKT2411000812.exe PID: 5912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7924, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 12.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.42e1c80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ed5b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HBL BLJ2T2411809005 & DAJKT2411000812.exe.41ab580.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3745517310.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1498078671.000000000366C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1498078671.0000000003641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3745517310.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3747841517.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3747841517.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1493408156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1276953901.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HBL BLJ2T2411809005 & DAJKT2411000812.exe PID: 5780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HBL BLJ2T2411809005 & DAJKT2411000812.exe PID: 5912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7924, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	112 Process Injection	1 Deobfuscate/Decode Files or Information	31 Input Capture	35 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	1 Credentials in Registry	231 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	31 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	161 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	161 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
HBL BLJ2T2411809005 & DAJKT2411000812.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
HBL BLJ2T2411809005 & DAJKT2411000812.exe	100%	Avira	HEUR/AGEN.1306767
HBL BLJ2T2411809005 & DAJKT2411000812.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	100%	Avira	HEUR/AGEN.1306767
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Source	Detection	Scanner	Label	Link
http://s4.serv00.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.13.205	true	false		high
s4.serv00.com	213.189.52.181	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000000.00000002.1276953901.0000000004169000.00000004.00000800.00020000.00000000.sdmp, HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.1498078671.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.1493408156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 00000010.00000002.3747841517.00000000028CC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000000.00000002.1276953901.0000000004169000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.1493408156.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.1498078671.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000010.00000002.3747841517.00000000028CC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.1498078671.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000010.00000002.3747841517.00000000028CC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://s4.serv00.com	HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp, HBL BLJ2T2411809005 & DAJKT2411000812.exe, 00000004.00000002.3745517310.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.1498078671.000000000366C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000010.00000002.3747841517.000000000293C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
213.189.52.181	s4.serv00.com	Poland		57367	ECO-ATMAN-PLECO-ATMAN-PL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566611
Start date and time:	2024-12-02 14:19:02 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HBL BLJ2T2411809005 & DAJKT2411000812.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@16/3@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 239 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: HBL BLJ2T2411809005 & DAJKT2411000812.exe

Simulations

Behavior and APIs

Time	Type	Description
08:19:57	API Interceptor	7659137x Sleep call for process: HBL BLJ2T2411809005 & DAJKT2411000812.exe modified
08:20:10	API Interceptor	6425664x Sleep call for process: adobe.exe modified
14:19:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe
14:20:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.205	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/
213.189.52.181	Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Get hash	malicious	AgentTesla	Browse
	Arrival Notice - BL 713410220035.PDF.exe	Get hash	malicious	AgentTesla	Browse
	BL NBNSA240600050.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	DC74433Y7889021.xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PRE ALERT Docs_PONBOM01577.xlsx.exe	Get hash	malicious	AgentTesla	Browse
	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s4.serv00.com	Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	Arrival Notice - BL 713410220035.PDF.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	BL NBNSA240600050.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	213.189.52.181
	DC74433Y7889021.xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	213.189.52.181
	PRE ALERT Docs_PONBOM01577.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
api.ipify.org	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	1d5sraR1S1.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	P4toChrGer.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	zed.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	back.ps1	Get hash	malicious	Unknown	Browse	104.26.13.205
	zed.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	kyjjrfgjjsedf.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	kohjaekdfth.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	kthkksefd.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	jhnykawfkth.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Fonts.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	New Order C0038 2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Order MEI PO IM202411484.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	021337ISOGENERAL.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	https://management.sigmaonline.ro/newsletter_re_news.php?from_email=&abonat_id=&newsletter_id=773&followLink=http://ezp-prod1.hul.harvard.edu/login?url=https://accotoxtnation.es/mime/#Y25pY2hvbHNAZGVyaWNrZGVybWF0b2xvZ3kuY29t	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	https://a.rs6.net/1/pc?ep=e4f2f4ad2c30fbb2SK2ZyQxbsE02cV3UOfuPD-JxSRgUD6Y86mFtUF3WRqjeuMrz9o3Xbb320wCTDsWWUHuFG0qWroCiniptiREBdHyyzdrPc45m6t-HBEB7SZ8gZX4dYr4o80JwDUJz1eSGQlrcb9as_P_3jZu-t-DrRTdQARm9vPjp5IAqdyzm4bLxpaVnP8_0eRiLoUggvzge&c=$%7bContact.encryptedContactId%7d	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://secure_sharing0utlook.wesendit.com/dl/ON6fQWpNLtFc53e1u/bWlrZS5zbGVpZ2h0QGtlbXRpbGUuY28udWs	Get hash	malicious	HTMLPhisher	Browse	104.21.11.98
	https://atpscan.global.hornetsecurity.com/?d=m-jrZYNTvS7OucEG6zgopo_P-eFuotBy6khKzMMoLZ4&f=B3z_aD7k-FJHzGTgRypMC4okZ3IwSory4vTIxE3HdJ_vtmaZKtKUThjBimGO9ug0&i=&k=4AW8&m=GVQPkt_RSTiDpwD3aZUptFFr0zCshjoFLqhJ3NjtibWBkTpV22jDRnOpUHUftsT9uvGtNvEk65KPlyjsi0fzlHEgnGzER6prH6oEwQ6iGZMuyrzkW43X0VpXiLTd8OwU&n=LPqMxEbLmB_Zh1f7NoMu0JEABS3tNgPjYsrca87TqctDejHSuebypqLStQvhBN5eG43hQ2ReWbrTClyFyYZQHA&r=-0Amt46rVl0s1yn8_P2jWFIQhQ5qvzjVNyyZ7Ng6X4pWNR2O0BffN49tqRoSmkJg&s=ef9a322854c7503d3037fcbcda0a6c433cee94d107fe0a8ab1fda12b2f14509b&u=https%3A%2F%2Fsecure_sharing0utlook.wesendit.com%2Fdl%2FON6fQWpNLtFc53e1u%2FbWlrZS5zbGVpZ2h0QGtlbXRpbGUuY28udWs	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.therooms.ca/sites/default/files/images/virtual-exhibits/rnr/3dobject_example.zip	Get hash	malicious	Unknown	Browse	1.1.1.1
ECO-ATMAN-PLECO-ATMAN-PL	Amalgamers.exe	Get hash	malicious	AgentTesla	Browse	185.36.171.17
	Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	9zldYT23H2.elf	Get hash	malicious	Mirai, Gafgyt	Browse	31.186.82.2
	RicevutaPagamento_115538206.dat	Get hash	malicious	Unknown	Browse	128.204.223.111
	http://bdvenlineabanven.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69
	http://entrabdvline.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69
	http://entrabdvline.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69
	http://ahksoch.serv00.net/x92gamy6wh/	Get hash	malicious	HTMLPhisher	Browse	128.204.218.63
	http://intesa-it.serv00.net/it/conto/	Get hash	malicious	Unknown	Browse	85.194.246.69
	https://spofity.serv00.net/spotify/auth/login.php	Get hash	malicious	Unknown	Browse	128.204.223.117

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	New Order C0038 2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	faktura461250706050720242711#U00b7pdf.vbs	Get hash	malicious	Unknown	Browse	104.26.13.205
	021337ISOGENERAL.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	11315781264#U00b7pdf.vbs	Get hash	malicious	Unknown	Browse	104.26.13.205
	30180908_signed#U00b7pdf.vbs	Get hash	malicious	Unknown	Browse	104.26.13.205
	https://secure_sharing0utlook.wesendit.com/dl/ON6fQWpNLtFc53e1u/bWlrZS5zbGVpZ2h0QGtlbXRpbGUuY28udWs	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	asegurar.vbs	Get hash	malicious	Unknown	Browse	104.26.13.205
	rAttached_updat.vbs	Get hash	malicious	GuLoader, Remcos	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.26.13.205
	seemebestgoodluckthings.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	104.26.13.205

Process:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Download File

Process:	C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	522240
Entropy (8bit):	7.394684871017393
Encrypted:	false
SSDEEP:	6144:42mQ0BNkLswVju5lVwpNGQlzh5GuVWbX8svn6MZTqpU+1ltHWG3xxnVD6nnn:48Ldj4Dwpblzh5GuVWzhqisltHWqznV
MD5:	256FE34A6161CBBA558466708ED77CCD
SHA1:	570E4231DE0FACBB5E44C99D46CE5752C52F0FC9
SHA-256:	537A4CE3B361BE65FDA8653311BE0779BE529E3D33B6F193CD60C6FB95F97E30
SHA-512:	907634D8505A0A78700FE9C7AACE67021BD8BBD8328CC1F63CA8CFD6CFF5FCC07690357FE45A5EFDFE5757492CF7294E5676A4E853F8B5E75218D499CF5747D3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v...............0.............^.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................@.......H........I..\.......L........?..........................................".(,....Vs-........s..........s..........~....o/....s-........Vs-........(Q...........sO...}......(P..... ... ....sQ...(R.....r...poS....j.(T.....(U....sI...(V....&.(,.....".......".([....VsS...(\...t.........F.~....(e....i...6.~.....(f...F.~....(e....i...6.~.....(f...F.~....(e....i...6.~.....(f...F.~....(e........J.~..........(g...F.~....(e....i...6.~.....(f...F.~....(e........*J.~

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.394684871017393
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	HBL BLJ2T2411809005 & DAJKT2411000812.exe
File size:	522'240 bytes
MD5:	256fe34a6161cbba558466708ed77ccd
SHA1:	570e4231de0facbb5e44c99d46ce5752c52f0fc9
SHA256:	537a4ce3b361be65fda8653311be0779be529e3d33b6f193cd60c6fb95f97e30
SHA512:	907634d8505a0a78700fe9c7aace67021bd8bbd8328cc1f63ca8cfd6cff5fcc07690357fe45a5efdfe5757492cf7294e5676a4e853f8b5e75218d499cf5747d3
SSDEEP:	6144:42mQ0BNkLswVju5lVwpNGQlzh5GuVWbX8svn6MZTqpU+1ltHWG3xxnVD6nnn:48Ldj4Dwpblzh5GuVWzhqisltHWqznV
TLSH:	28B4BF0D3A6059B5DA3985F1B8E3407D6B70B55261E2C42229CF1FDCADCEB404B972AF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....v...............0.............^.... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x480d5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8976A1D5 [Fri Jan 30 17:54:29 2043 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x80d0c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x82000	0x5b6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x84000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7ed64	0x7ee00	f3fe2b57a51b3b7dd2bbe92017e68bb5	False	0.6460764316502463	data	7.4070296863659	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x82000	0x5b6	0x600	d94fd2bf821d2183d1719c5f5b77eca4	False	0.41796875	data	4.079548048119175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x84000	0xc	0x200	a862b1cba24ea37ade4b4c9bf99c3c19	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x820a0	0x32c	data			0.4211822660098522
RT_MANIFEST	0x823cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 14:19:56.666629076 CET	49707	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:19:56.666671038 CET	443	49707	104.26.13.205	192.168.2.11
Dec 2, 2024 14:19:56.666821957 CET	49707	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:19:56.673712969 CET	49707	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:19:56.673734903 CET	443	49707	104.26.13.205	192.168.2.11
Dec 2, 2024 14:19:57.938107014 CET	443	49707	104.26.13.205	192.168.2.11
Dec 2, 2024 14:19:57.938225985 CET	49707	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:19:57.942675114 CET	49707	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:19:57.942683935 CET	443	49707	104.26.13.205	192.168.2.11
Dec 2, 2024 14:19:57.942965984 CET	443	49707	104.26.13.205	192.168.2.11
Dec 2, 2024 14:19:57.989347935 CET	49707	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:19:58.044884920 CET	49707	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:19:58.091330051 CET	443	49707	104.26.13.205	192.168.2.11
Dec 2, 2024 14:19:58.393472910 CET	443	49707	104.26.13.205	192.168.2.11
Dec 2, 2024 14:19:58.393543959 CET	443	49707	104.26.13.205	192.168.2.11
Dec 2, 2024 14:19:58.393646002 CET	49707	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:19:58.400103092 CET	49707	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:19:59.309859991 CET	49709	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:19:59.430053949 CET	21	49709	213.189.52.181	192.168.2.11
Dec 2, 2024 14:19:59.430155993 CET	49709	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:19:59.434665918 CET	49709	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:19:59.554755926 CET	21	49709	213.189.52.181	192.168.2.11
Dec 2, 2024 14:19:59.554856062 CET	49709	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:20:09.769798040 CET	49728	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:09.769841909 CET	443	49728	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:09.770114899 CET	49728	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:09.773680925 CET	49728	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:09.773695946 CET	443	49728	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:11.004793882 CET	443	49728	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:11.004925013 CET	49728	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:11.045969963 CET	49728	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:11.045984030 CET	443	49728	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:11.046322107 CET	443	49728	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:11.101876974 CET	49728	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:11.234616041 CET	49728	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:11.279333115 CET	443	49728	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:11.564970970 CET	443	49728	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:11.565021038 CET	443	49728	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:11.565073013 CET	49728	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:11.568355083 CET	49728	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:12.073657990 CET	49734	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:20:12.193619967 CET	21	49734	213.189.52.181	192.168.2.11
Dec 2, 2024 14:20:12.193691969 CET	49734	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:20:12.196187973 CET	49734	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:20:12.316803932 CET	21	49734	213.189.52.181	192.168.2.11
Dec 2, 2024 14:20:12.316859007 CET	49734	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:20:18.296086073 CET	49750	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:18.296129942 CET	443	49750	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:18.296210051 CET	49750	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:18.300077915 CET	49750	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:18.300100088 CET	443	49750	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:19.667088985 CET	443	49750	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:19.667190075 CET	49750	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:19.670197010 CET	49750	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:19.670206070 CET	443	49750	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:19.670475006 CET	443	49750	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:19.719502926 CET	49750	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:19.767330885 CET	443	49750	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:20.131300926 CET	443	49750	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:20.131371021 CET	443	49750	104.26.13.205	192.168.2.11
Dec 2, 2024 14:20:20.131443024 CET	49750	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:20.134267092 CET	49750	443	192.168.2.11	104.26.13.205
Dec 2, 2024 14:20:20.988517046 CET	49759	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:20:21.110188007 CET	21	49759	213.189.52.181	192.168.2.11
Dec 2, 2024 14:20:21.110268116 CET	49759	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:20:21.112919092 CET	49759	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:20:21.232863903 CET	21	49759	213.189.52.181	192.168.2.11
Dec 2, 2024 14:20:21.235960007 CET	49759	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:21:32.783992052 CET	49907	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:21:32.905145884 CET	21	49907	213.189.52.181	192.168.2.11
Dec 2, 2024 14:21:32.908123016 CET	49907	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:21:32.912005901 CET	49907	21	192.168.2.11	213.189.52.181
Dec 2, 2024 14:21:33.032042980 CET	21	49907	213.189.52.181	192.168.2.11
Dec 2, 2024 14:21:33.036207914 CET	49907	21	192.168.2.11	213.189.52.181

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 14:19:56.520045042 CET	65134	53	192.168.2.11	1.1.1.1
Dec 2, 2024 14:19:56.659849882 CET	53	65134	1.1.1.1	192.168.2.11
Dec 2, 2024 14:19:58.953334093 CET	55420	53	192.168.2.11	1.1.1.1
Dec 2, 2024 14:19:59.308744907 CET	53	55420	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 2, 2024 14:19:56.520045042 CET	192.168.2.11	1.1.1.1	0x39f6	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 2, 2024 14:19:58.953334093 CET	192.168.2.11	1.1.1.1	0xd545	Standard query (0)	s4.serv00.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 2, 2024 14:19:56.659849882 CET	1.1.1.1	192.168.2.11	0x39f6	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 2, 2024 14:19:56.659849882 CET	1.1.1.1	192.168.2.11	0x39f6	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 2, 2024 14:19:56.659849882 CET	1.1.1.1	192.168.2.11	0x39f6	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 2, 2024 14:19:59.308744907 CET	1.1.1.1	192.168.2.11	0xd545	No error (0)	s4.serv00.com	213.189.52.181	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49707	104.26.13.205	443	5912	C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 13:19:58 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-02 13:19:58 UTC	424	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 13:19:58 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ebb9c94df8e8c2f-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1823&min_rtt=1823&rtt_var=684&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1600877&cwnd=243&unsent_bytes=0&cid=b8210949d4c12731&ts=466&x=0"
2024-12-02 13:19:58 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49728	104.26.13.205	443	7640	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 13:20:11 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-02 13:20:11 UTC	424	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 13:20:11 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ebb9ce739b941a1-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1734&min_rtt=1699&rtt_var=662&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1718658&cwnd=224&unsent_bytes=0&cid=bc71ff0dcbc18bac&ts=585&x=0"
2024-12-02 13:20:11 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49750	104.26.13.205	443	7924	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 13:20:19 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-02 13:20:20 UTC	427	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 13:20:19 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8ebb9d1cb92642c0-EWR server-timing: cfL4;desc="?proto=TCP&rtt=33550&min_rtt=1651&rtt_var=19597&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1768625&cwnd=208&unsent_bytes=0&cid=20834c04afdbc09f&ts=468&x=0"
2024-12-02 13:20:20 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 Data Ascii: 8.46.123.228

Target ID:	0
Start time:	08:19:54
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe"
Imagebase:	0xd30000
File size:	522'240 bytes
MD5 hash:	256FE34A6161CBBA558466708ED77CCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1276953901.0000000004169000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1276953901.0000000004169000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:19:54
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe"
Imagebase:	0x3e0000
File size:	522'240 bytes
MD5 hash:	256FE34A6161CBBA558466708ED77CCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:19:54
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HBL BLJ2T2411809005 & DAJKT2411000812.exe"
Imagebase:	0x870000
File size:	522'240 bytes
MD5 hash:	256FE34A6161CBBA558466708ED77CCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3745517310.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3745517310.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3745517310.0000000002BDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	08:19:55
Start date:	02/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	08:20:07
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x40000
File size:	522'240 bytes
MD5 hash:	256FE34A6161CBBA558466708ED77CCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:20:08
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x3a0000
File size:	522'240 bytes
MD5 hash:	256FE34A6161CBBA558466708ED77CCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:20:08
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0xf50000
File size:	522'240 bytes
MD5 hash:	256FE34A6161CBBA558466708ED77CCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.1498078671.000000000366C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.1498078671.0000000003641000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.1498078671.0000000003641000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.1493408156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.1493408156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:20:15
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0xd70000
File size:	522'240 bytes
MD5 hash:	256FE34A6161CBBA558466708ED77CCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:20:16
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x240000
File size:	522'240 bytes
MD5 hash:	256FE34A6161CBBA558466708ED77CCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:20:16
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x510000
File size:	522'240 bytes
MD5 hash:	256FE34A6161CBBA558466708ED77CCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3747841517.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3747841517.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3747841517.000000000293C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	6

Executed Functions

Function 02FDD349 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02FDD3D6
GetCurrentThread.KERNEL32 ref: 02FDD413
GetCurrentProcess.KERNEL32 ref: 02FDD450
GetCurrentThreadId.KERNEL32 ref: 02FDD4A9

Memory Dump Source

Source File: 00000000.00000002.1276531102.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fd0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 36655bd6c6adc9f714c66f38bbd72d5bc9b09b68e28100b63d78eb8440ff03d3
Instruction ID: c91432868f20785cba4c90c180e2500e22ff7b65299373ebb2b1cfd81dca9845
Opcode Fuzzy Hash: 36655bd6c6adc9f714c66f38bbd72d5bc9b09b68e28100b63d78eb8440ff03d3
Instruction Fuzzy Hash: 805176B59002098FDB58DFA9D648BDEBBF2EF48304F248459E009B73A0D734A984CF65

Function 02FDD358 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02FDD3D6
GetCurrentThread.KERNEL32 ref: 02FDD413
GetCurrentProcess.KERNEL32 ref: 02FDD450
GetCurrentThreadId.KERNEL32 ref: 02FDD4A9

Memory Dump Source

Source File: 00000000.00000002.1276531102.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fd0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5daf8c759e1efdde34a619b721502ac997bb4216c4f7edf10d58c8a5a594e2ca
Instruction ID: 47ea9f536954da31f75e659785cf16e17caabf1fe1eae48d10410813a9f7e3ad
Opcode Fuzzy Hash: 5daf8c759e1efdde34a619b721502ac997bb4216c4f7edf10d58c8a5a594e2ca
Instruction Fuzzy Hash: 995177B09002098FDB58DFAAD648B9EBBF6FF48304F248459E009B7360D7356884CF65

Function 02FDB0D0 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02FDB326

Memory Dump Source

Source File: 00000000.00000002.1276531102.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fd0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 97ecb5761a6ae28d9d5903dfb9d7fd9de5edaa818caabf0d662464c1205e2883
Instruction ID: 5885851f312a3b5520b3af063a67348068e3c97cca518f43f4e917147355da7f
Opcode Fuzzy Hash: 97ecb5761a6ae28d9d5903dfb9d7fd9de5edaa818caabf0d662464c1205e2883
Instruction Fuzzy Hash: 75713470A00B058FDB24DF29D54475ABBF2FF88348F148A2DD58ADBA50EB74E845CB90

Function 02FD590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02FD59C9

Memory Dump Source

Source File: 00000000.00000002.1276531102.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fd0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fd173a8b0623ad51b261948c7b2e44e3831a0fa93b535da91ab1f22b9ea87465
Instruction ID: a93866d7fe8a042ba73c7b07bfd1fd16b8bfb967cb7c55eee90e3dbabe237b83
Opcode Fuzzy Hash: fd173a8b0623ad51b261948c7b2e44e3831a0fa93b535da91ab1f22b9ea87465
Instruction Fuzzy Hash: C041F1B0C00629CFDB24DFA9C884B9DBBF6FF49308F64806AD408AB255DB756949CF50

Function 02FD4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02FD59C9

Memory Dump Source

Source File: 00000000.00000002.1276531102.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fd0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f996d89dfa7bf012ed05f3e1653fac088971f23edbc7450834f163a8a79af7fb
Instruction ID: 99abbbf24dd3481a0fe3f25f2c3f1d69af4eef97980fe7981a446e608df77b54
Opcode Fuzzy Hash: f996d89dfa7bf012ed05f3e1653fac088971f23edbc7450834f163a8a79af7fb
Instruction Fuzzy Hash: 3E41F1B0D0061DCBDB24DFA9C984B9DBBB6FF49308F64806AD408AB255DB716949CF90

Function 02FDD5A0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FDD627

Memory Dump Source

Source File: 00000000.00000002.1276531102.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fd0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 70943e378bac4ec67ad6fa8d1c13e599bedea06fa4f5fc8d9533343a39cda745
Instruction ID: 69661c9fce35d5cda781182c79675d7623572af323e65258bd88a76ffaea13e2
Opcode Fuzzy Hash: 70943e378bac4ec67ad6fa8d1c13e599bedea06fa4f5fc8d9533343a39cda745
Instruction Fuzzy Hash: CF21C2B5D00248AFDB10DFAAD984ADEBFF9EB48310F14841AE918A3350D375A944CFA5

Function 02FDD599 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FDD627

Memory Dump Source

Source File: 00000000.00000002.1276531102.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fd0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7d93ffe0299937c2d9a4b6f4354a9b72335d4b252bd4ad41668877f66246b53b
Instruction ID: 22ec410c083ec06870c25e86e94d958fa065b03684b0e24c56af8640bf04974f
Opcode Fuzzy Hash: 7d93ffe0299937c2d9a4b6f4354a9b72335d4b252bd4ad41668877f66246b53b
Instruction Fuzzy Hash: 8721E2B6D00208DFDB10CFAAD984ADEBBF5EB48314F14841AE918B3350D378A944CFA1

Function 02FDB2C0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02FDB326

Memory Dump Source

Source File: 00000000.00000002.1276531102.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fd0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c577b40193f9769842449c5477de5e8f83a6a7fe0f3490c74e1a7bdb1614a1d2
Instruction ID: 82a27aaee4d8c371855cff83e915809c25230e836e6d7298afe705d97cbfa2d3
Opcode Fuzzy Hash: c577b40193f9769842449c5477de5e8f83a6a7fe0f3490c74e1a7bdb1614a1d2
Instruction Fuzzy Hash: F011FDB5C003498BCB10DF9AD444A9EFBF5AB88214F15841AD518B7200D375A545CFA1

Function 016AD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276206803.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69448f9a2f4f9f31d1509f203fd6b0acd607b1622d94f0f926e9b059a369a8ae
Instruction ID: 308982790823ac90387248125c53b1f681169ffefb1a2b3abe2f667d156fca8a
Opcode Fuzzy Hash: 69448f9a2f4f9f31d1509f203fd6b0acd607b1622d94f0f926e9b059a369a8ae
Instruction Fuzzy Hash: 742125B1504240DFDB05DF58DDC0B26BF65FB88318F64C569E9490B756C336D816CBA1

Function 016AD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276206803.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b750662d975c231d27df9d97dbf6414a9dc4b1e501a3fa9fe5c6f3135fa0b034
Instruction ID: 22077158ece0a6df7f8937f68be5e1aa0fc40c1643d395f779e93cd5b205328c
Opcode Fuzzy Hash: b750662d975c231d27df9d97dbf6414a9dc4b1e501a3fa9fe5c6f3135fa0b034
Instruction Fuzzy Hash: 04214871100204DFDB01DF48CDC0B5ABF65FB88314F60C168E9090B75AC336E806CAA1

Function 016BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276256871.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16bd000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d39848274dc592df9dac0737eb5fa4078987b95562403e18ac91e0c8608485c7
Instruction ID: 595eda6eba86dc642d5b5aee18fbbadfaee6488237088cbcc40e79ec498c14ab
Opcode Fuzzy Hash: d39848274dc592df9dac0737eb5fa4078987b95562403e18ac91e0c8608485c7
Instruction Fuzzy Hash: 48210075604200DFCB15DF98D9C0B66BF65EB88318F20C5A9E80A0F396C33AD487CB61

Function 016BD006 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276256871.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16bd000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455010dbad98842a8233741ce998be2d3f0e6e69f9f7e0787cf6e83f1cf49dfb
Instruction ID: 22f77e9a885e18b2af04253cc28ebda99d4bfc87f604b7d2bdc533031939955d
Opcode Fuzzy Hash: 455010dbad98842a8233741ce998be2d3f0e6e69f9f7e0787cf6e83f1cf49dfb
Instruction Fuzzy Hash: 5B218E755093808FDB03CF24D9D4B15BF71EB46218F28C5DAD8498F2A7C33A984ACB62

Function 016AD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276206803.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction ID: 8104a9c9fb910804221568e99c95272347b37dbeff289baf1497df53fe3b403c
Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction Fuzzy Hash: 2D11E172404280CFCB02CF54D9C4B1ABF71FB84314F24C6A9D8490B656C336D85ACFA1

Function 016AD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276206803.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction ID: a0099b6d249c16e9498ed5ade98945c67a3ca1a60027007dfa09f14d8de88c8e
Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction Fuzzy Hash: 0B11CD76404240DFDB02CF44D9C4B56BF61FB84224F24C2A9D9090A656C33AE85ACBA1

Non-executed Functions

Function 02FDDF0C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1276531102.0000000002FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fd0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad6ae59dbbb8a0d97bfff2865cc276ff07f5c2e0c06f9b7ca6b50f513f6993d
Instruction ID: a4a868a5fe491656bf4dadb5d55345d9ef6dc8b62e032b73f52c3fe08c9941ff
Opcode Fuzzy Hash: aad6ae59dbbb8a0d97bfff2865cc276ff07f5c2e0c06f9b7ca6b50f513f6993d
Instruction Fuzzy Hash: F6A16D36E002098FCF19DFB4C94099EB7B3FF89344B19856AE906AB265DB71E945CF40

Analysis Process: HBL BLJ2T2411809005 & DAJKT2411000812.exePID: 5912, Parent PID: 5780COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.1%
Total number of Nodes:	141
Total number of Limit Nodes:	16

Executed Functions

Function 068E2388 Relevance: 9.0, Strings: 6, Instructions: 1493COMMON

Download Yara Rule

Strings

$_q, xrefs: 068E37A7
$_q, xrefs: 068E37F4
$_q, xrefs: 068E37DC
$_q, xrefs: 068E37D0
$_q, xrefs: 068E3800
$_q, xrefs: 068E37B3

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-155944776
Opcode ID: 88e0643fdb00e2fd90f9e4a23559f85a159b2dc3a643ae1d169db6c64c541697
Instruction ID: 4765b8b8ecb5b5321de7ecf9a1cd8970dab30d09db1c66676619c1f2cb221e82
Opcode Fuzzy Hash: 88e0643fdb00e2fd90f9e4a23559f85a159b2dc3a643ae1d169db6c64c541697
Instruction Fuzzy Hash: 03D25834E10609CFDB64DB68C594A9DB7F2FF8A304F5485A9D509EB265EB30ED81CB80

Function 068E79C8 Relevance: 3.0, Strings: 2, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 068E7D05
$_q, xrefs: 068E7D11

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: $_q$$_q
API String ID: 0-458585787
Opcode ID: 150d3b08fbaf5f79943552519abaef22f46c28992af1982b8845d75b4df91f63
Instruction ID: e65f4d24fd0653d260030b0c80b3722e976e02a53cca707f8fb062489bf53bbd
Opcode Fuzzy Hash: 150d3b08fbaf5f79943552519abaef22f46c28992af1982b8845d75b4df91f63
Instruction Fuzzy Hash: 5C029D30B102069FDB58DB74D594AAEB7E2FF89304F248569E509DB398DB35EC46CB80

Function 068E5930 Relevance: 2.9, Strings: 2, Instructions: 409
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPdq, xrefs: 068E5BE2
\Odq, xrefs: 068E5A5E

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: XPdq$\Odq
API String ID: 0-770551486
Opcode ID: 83fea170582702885b9797f4a7db1f0082883de1294289330950b6d503091f0f
Instruction ID: 330ed2ec9b5b798a4bc897a9edc49e8b5eb06817ac41bbcfa09084b8be76ad83
Opcode Fuzzy Hash: 83fea170582702885b9797f4a7db1f0082883de1294289330950b6d503091f0f
Instruction Fuzzy Hash: 79D10331F101148FDB54DB68D4946AEBBF2FF8A318F21846AD55ADB351CA32DC41CB92

Function 068E51E8 Relevance: 1.8, Strings: 1, Instructions: 588COMMON

Download Yara Rule

Strings

$, xrefs: 068E5539

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 8d342201b9d5ded54b5abf481c3404f07eadebac00003f6c05b38fd2520609ec
Instruction ID: 024610ea0f04705301ea119222f8807380b7de313d8e2a911d6c4c30c975dd0f
Opcode Fuzzy Hash: 8d342201b9d5ded54b5abf481c3404f07eadebac00003f6c05b38fd2520609ec
Instruction Fuzzy Hash: 5D22F375E002159FDF64CBA4C5806AEBBB2FF86318F24846AD519EB344DB72DC41CB92

Function 05749710 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0574A570,00000000,00000000), ref: 0574A783

Memory Dump Source

Source File: 00000004.00000002.3757571100.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5740000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 70be49393b88187587da2c6f554e582105f2a9f8e174b1f81c101bce479f68dd
Instruction ID: 51311f0d755c7ef902f79e2925afa40e6d121816b9811e9074d145551885a944
Opcode Fuzzy Hash: 70be49393b88187587da2c6f554e582105f2a9f8e174b1f81c101bce479f68dd
Instruction Fuzzy Hash: 4C2127B5D042099FCB54DF9AC844BEEFBF6FB88310F10842AE419A7250D775A944CFA1

Function 068E6238 Relevance: .8, Instructions: 818COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5692adb5c032b76cd96ac40e1f5faa60a4f6453cbd9b311ad87740852712f2c4
Instruction ID: bdb45eae040d7439a592ccaf1617e2c74e5b6081dc161e0a746365f09a9d4e2d
Opcode Fuzzy Hash: 5692adb5c032b76cd96ac40e1f5faa60a4f6453cbd9b311ad87740852712f2c4
Instruction Fuzzy Hash: F962C034B102058FDB64DB68D594AADB7F2FF89314F148469E51ADB394EB31EC86CB80

Function 068EC1D8 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd8a909a557d355a84a71eef14d724ad9bbf3e2023cbd31e4f9b400741e2909
Instruction ID: 8a18ad900700b19d106e3af3dc5a28116f47cf77577095eab2e8a04d87c56f86
Opcode Fuzzy Hash: 8bd8a909a557d355a84a71eef14d724ad9bbf3e2023cbd31e4f9b400741e2909
Instruction Fuzzy Hash: 2932CF34F102098FDB54DB68D990BADBBB2FB89314F108529E525EB395DB34EC42CB91

Function 068EAE78 Relevance: .6, Instructions: 575COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee0fdae392c31af4322864329ba31ba1016b9fcc9d229d24cc87af504378ff0
Instruction ID: 62e25b180ff87c1063763387dc2b632413eca6b56e57e1770ddaa27389da847f
Opcode Fuzzy Hash: 1ee0fdae392c31af4322864329ba31ba1016b9fcc9d229d24cc87af504378ff0
Instruction Fuzzy Hash: 1A226230E102098BEF64CBA8D6907AEB7B2FB4A314F20882AE515DB395DA35DC45CB51

Function 068EA910 Relevance: 10.4, Strings: 8, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 068EAA84
$_q, xrefs: 068EAA3D
$_q, xrefs: 068EAABF
$_q, xrefs: 068EAA90
$_q, xrefs: 068EAA31
$_q, xrefs: 068EAAE8
$_q, xrefs: 068EAAB3
$_q, xrefs: 068EAADC

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-2216122830
Opcode ID: bc71af46fb6a1331ff47bf618bed06dec2ec4df975b27ac7fbb44ca2aea8697b
Instruction ID: d2262daea761879c06aabbf60db45a73c564a913fe4e426e34b11835b10e1e80
Opcode Fuzzy Hash: bc71af46fb6a1331ff47bf618bed06dec2ec4df975b27ac7fbb44ca2aea8697b
Instruction Fuzzy Hash: 83E18D30F1020A8FDB68DBA8D5906AEB7F6FF85704F208529D519EB354DB35E846CB81

Function 05746D81 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05746E0E
GetCurrentThread.KERNEL32 ref: 05746E4B
GetCurrentProcess.KERNEL32 ref: 05746E88
GetCurrentThreadId.KERNEL32 ref: 05746EE1

Memory Dump Source

Source File: 00000004.00000002.3757571100.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5740000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a4452f41b23fc36acc16b0043931289c96ce4bfae55422eb0e76ff42c085fe08
Instruction ID: 87363eb3783ae564d07bcd35aafab0734b4eb7e8b927ed2c793a1088b2ee350f
Opcode Fuzzy Hash: a4452f41b23fc36acc16b0043931289c96ce4bfae55422eb0e76ff42c085fe08
Instruction Fuzzy Hash: CB5144B09002499FDB54DFAAD948B9EBFF1BF49304F248469E119A7260D734A948CF61

Function 05746D90 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05746E0E
GetCurrentThread.KERNEL32 ref: 05746E4B
GetCurrentProcess.KERNEL32 ref: 05746E88
GetCurrentThreadId.KERNEL32 ref: 05746EE1

Memory Dump Source

Source File: 00000004.00000002.3757571100.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5740000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 09a7a0063248338c7e9bf37badfbd28a9259667e35189e36bc7a52f684a5c2cc
Instruction ID: cfc8204735c701bdbb3c5bd4ac19cd3c5512e1f805a051d2bb19dcc2ea07f0d9
Opcode Fuzzy Hash: 09a7a0063248338c7e9bf37badfbd28a9259667e35189e36bc7a52f684a5c2cc
Instruction Fuzzy Hash: 875164B09002098FDB54CFAAD948B9EBBF1BF49304F24C069E119B7260D734A848CF65

Function 068E8D98 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 068E8E1A
$_q, xrefs: 068E8DDF
$_q, xrefs: 068E8E26
$_q, xrefs: 068E8DEB

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q
API String ID: 0-1171383116
Opcode ID: 6f1a3a553a17fc5adf5b3b527f4e015dbc9167925202b12aba655a02ab1e07c5
Instruction ID: a85816f717acd18f9ea2aa4eccec8e103bdd32f23d64cb99ccd8e5db389f97dc
Opcode Fuzzy Hash: 6f1a3a553a17fc5adf5b3b527f4e015dbc9167925202b12aba655a02ab1e07c5
Instruction Fuzzy Hash: 8F918070B1020A9FDB54DF64D9547AEB3F6BB89304F108569C909EB388EF709D46CB91

Function 068ECFA0 Relevance: 4.6, Strings: 3, Instructions: 803
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 068ED397
$_q, xrefs: 068ED39F
$_q, xrefs: 068ED3AB

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q
API String ID: 0-2441406858
Opcode ID: a1a911c847d9547ca581f9a3819802d3a7aa6a4d819cba68d73cf185e42850b6
Instruction ID: bec93ed392b0ed948f75c1ef1d7874516ee06f4538f645c947d998591ff937ba
Opcode Fuzzy Hash: a1a911c847d9547ca581f9a3819802d3a7aa6a4d819cba68d73cf185e42850b6
Instruction Fuzzy Hash: 98624030A007068FCB55EB68D690A5DB7F2FF85308B208969D419DF769DB75EC4ACB80

Function 068E47B0 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPdq, xrefs: 068E4901
fdq, xrefs: 068E47DB
\Odq, xrefs: 068E498B

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: fdq$XPdq$\Odq
API String ID: 0-727959394
Opcode ID: 35a5d64279b932981991f8f8e879102d3f144eb8b9b9a7e7c5b0d4c4d3bf45cf
Instruction ID: 90425e81da598f0f64bb9695b8942b0250f9265dbeb367ba0e4c8dd68ff1adda
Opcode Fuzzy Hash: 35a5d64279b932981991f8f8e879102d3f144eb8b9b9a7e7c5b0d4c4d3bf45cf
Instruction Fuzzy Hash: 5C617C74E102099FEB549BA4C8587AEBBF6FB89304F208429E10AEB395DF754C458F90

Function 068E8D89 Relevance: 2.7, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 068E8E1A
$_q, xrefs: 068E8DDF

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: $_q$$_q
API String ID: 0-458585787
Opcode ID: 2549ef1ed45b1fb0e0db59e761c739ecec3c878e946aaa26abedb729f7172851
Instruction ID: 814cd72acb3a4182dbe92668e21ffeee90de85965b49b2178835decc4721549e
Opcode Fuzzy Hash: 2549ef1ed45b1fb0e0db59e761c739ecec3c878e946aaa26abedb729f7172851
Instruction Fuzzy Hash: D8518170B102069FEB54DF74D951BAEB3F6AB89704F108569C909DB798EB30DC02CB91

Function 068E47A0 Relevance: 2.6, Strings: 2, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPdq, xrefs: 068E4901
fdq, xrefs: 068E47DB

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: fdq$XPdq
API String ID: 0-3173836435
Opcode ID: db56d9ea77cb21557652faed034de897b76aa846dbe779a3c7a2ebdb98d6ea7c
Instruction ID: 5a0fae1d10bfc560c82cf29a8fe496ac596c0c4b1aadfe81aa3d93d9ad527d7c
Opcode Fuzzy Hash: db56d9ea77cb21557652faed034de897b76aa846dbe779a3c7a2ebdb98d6ea7c
Instruction Fuzzy Hash: 3B517074F102099FEB589FA5C8547AEBBF6BF88300F208469E15AEB395DB715C05CB90

Function 029FF733 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 029FF7DF

Memory Dump Source

Source File: 00000004.00000002.3744990147.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_29f0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: fbdfc70dedf3c91b63c1413d47352f09d1df7eb0d34de0775a989a954b06fdb6
Instruction ID: d7fa72f27af12e7b2acb70271426f322cc780552470eea2b3cd9e668becdaeef
Opcode Fuzzy Hash: fbdfc70dedf3c91b63c1413d47352f09d1df7eb0d34de0775a989a954b06fdb6
Instruction Fuzzy Hash: 8A410471D143599FCB54CFBAC84829EBFF5AF89310F1585AAD404A7681EB749844CBE0

Function 05746B9C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05747F29

Memory Dump Source

Source File: 00000004.00000002.3757571100.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5740000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 17b20dbee241c14b389451c87229925490930958d0b2abf485bb3006fa3fb16b
Instruction ID: 960c9b10301e4c41cfc2aa0637b517147db176c29a46394569727c058e7e60f0
Opcode Fuzzy Hash: 17b20dbee241c14b389451c87229925490930958d0b2abf485bb3006fa3fb16b
Instruction Fuzzy Hash: 96414CB5900309DFCB14CF99C488AAABBF5FF88314F25C459E519AB321D335A842CFA0

Function 05748BAD Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 05748C40

Memory Dump Source

Source File: 00000004.00000002.3757571100.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5740000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 57c879a1e237dcf06cd29cb44cb0f6498df2e000301476bc4ef2784437af0dd3
Instruction ID: 3c1ccbd8c1113012fc34939f377eb2f82e0c41621b5117fdcdc9f1fbddb3b70e
Opcode Fuzzy Hash: 57c879a1e237dcf06cd29cb44cb0f6498df2e000301476bc4ef2784437af0dd3
Instruction Fuzzy Hash: A13110B0D01248DFDB10CF99C984B9EBBF5AF49304F248059E404BB394D7B45844CFA5

Function 05748BB8 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 05748C40

Memory Dump Source

Source File: 00000004.00000002.3757571100.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5740000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 87584d5bd4f8a786bf649b1c51b4e429c40810de7a19394d1163a8755cdf1055
Instruction ID: 33cf3d518ac444d5856d6d7d579fed2983072b43633c5688c7d2f869a8994bfa
Opcode Fuzzy Hash: 87584d5bd4f8a786bf649b1c51b4e429c40810de7a19394d1163a8755cdf1055
Instruction Fuzzy Hash: 64310EB0D01208DFDB10CF99C984B9EBBF5AF48304F208069E404BB394D7B4A884CFA6

Function 029F7800 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 029F86D0

Memory Dump Source

Source File: 00000004.00000002.3744990147.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_29f0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 6df08afb7c2a47199a5170f88f99349016792151e8984cec5864227e138b2f4a
Instruction ID: 4556acd9c59bc05f8ca7b7489a7c3dbda4c86ee1c254252f40c526e9b73791c8
Opcode Fuzzy Hash: 6df08afb7c2a47199a5170f88f99349016792151e8984cec5864227e138b2f4a
Instruction Fuzzy Hash: D52107B6C012099FCB90CF99D984ADEFBF5FB88310F24845AE918BB204D3759944CBA4

Function 029F863B Relevance: 1.6, APIs: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 029F86D0

Memory Dump Source

Source File: 00000004.00000002.3744990147.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_29f0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: f9ab464ad02a0c3211fd7248d4c4cd50afc4b3a742da11c7ec355a448940362a
Instruction ID: 888d091c2d2c9a4e702f87628399c9dbdb6f9b7a4334d576d1ff3c5e126882ab
Opcode Fuzzy Hash: f9ab464ad02a0c3211fd7248d4c4cd50afc4b3a742da11c7ec355a448940362a
Instruction Fuzzy Hash: D221EAB6C012099FCB90CF99D984ADEFBF5FB88314F14845AD918BB204D7755944CBA4

Function 05746FD0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0574705F

Memory Dump Source

Source File: 00000004.00000002.3757571100.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5740000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6aa0775d40c6f913e07902fedbe1c288ebb299941c61fb4f721367b3682d4994
Instruction ID: f28413219d5b35b66915c5206c056f59c38a5d2c6f6210277659bd133673f052
Opcode Fuzzy Hash: 6aa0775d40c6f913e07902fedbe1c288ebb299941c61fb4f721367b3682d4994
Instruction Fuzzy Hash: F92103B5900249AFDB10CFA9D984AEEBFF4FB48310F14801AE918A7210D374A944DF64

Function 05746FD8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0574705F

Memory Dump Source

Source File: 00000004.00000002.3757571100.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5740000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e0c36e1059556668f3e3168b126e88202d1c1998893e63652c1f6c67558eab95
Instruction ID: 227b0b1321fcdbc28d7f45baafd725cadcfc9cac0229141b5346a6b94d2f597a
Opcode Fuzzy Hash: e0c36e1059556668f3e3168b126e88202d1c1998893e63652c1f6c67558eab95
Instruction Fuzzy Hash: 0F21C6B59012489FDB10CFAAD584AEEBFF4FB48310F14841AE914A7350D375A944DFA5

Function 0574A700 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0574A570,00000000,00000000), ref: 0574A783

Memory Dump Source

Source File: 00000004.00000002.3757571100.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5740000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c253d97ea1b75ffe08ff35f6f815619fb48fe758f316cdf0e15ca7cc03906e33
Instruction ID: 5f25f55b7083be46d8f9761f6c85a2a7b64dc5d7eee0dcbc2e25dd8b83959078
Opcode Fuzzy Hash: c253d97ea1b75ffe08ff35f6f815619fb48fe758f316cdf0e15ca7cc03906e33
Instruction Fuzzy Hash: 8F2104B59042099FDB24DFAAC844BEEFBF5FB88310F10842AE459A7250D775A944CFA1

Function 029F77D8 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 029F80D8

Memory Dump Source

Source File: 00000004.00000002.3744990147.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_29f0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 69db96093e39ee7854dc503930a4f377818b42e4217feadb299091772ae6ee87
Instruction ID: 4d287be4d302d94b92def405d656ef4a9609963214fe3be132a1371da56d0b54
Opcode Fuzzy Hash: 69db96093e39ee7854dc503930a4f377818b42e4217feadb299091772ae6ee87
Instruction Fuzzy Hash: 6C2144B1C006199BCB90CF9AC545AEEFBF4FB08320F15822AD918B7640D378A944CFE1

Function 029F8063 Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 029F80D8

Memory Dump Source

Source File: 00000004.00000002.3744990147.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_29f0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: e1f834dc27fcf050621188d56b94c6d5105b680a2655238a6643977661ad4261
Instruction ID: 5f391e54718532e8c9b088ef3635ad3773db46298041905286cac8517069cf4a
Opcode Fuzzy Hash: e1f834dc27fcf050621188d56b94c6d5105b680a2655238a6643977661ad4261
Instruction Fuzzy Hash: BD2136B1C006199BCB54CF9AC5457DEFBF4FB48320F15812AD918B7640D378A944CFA5

Function 029FF778 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 029FF7DF

Memory Dump Source

Source File: 00000004.00000002.3744990147.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_29f0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 56182e725b126e358fd7fdb245701ad91a7fa7675d8c7b553ed99d70ea553439
Instruction ID: 0a68919d276907b971d10cf85dc5806835bc53471f624c7e80c6889c20887bfa
Opcode Fuzzy Hash: 56182e725b126e358fd7fdb245701ad91a7fa7675d8c7b553ed99d70ea553439
Instruction Fuzzy Hash: FE11E2B1C0065A9BCB10DF9AC545ADEFBF4AB48320F15816AD918B7240D378A944CFA5

Function 057484A0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05748AC5

Memory Dump Source

Source File: 00000004.00000002.3757571100.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5740000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 30c4e4b551bc1e8df7edb9bec227434618cad124de00f46f8280e148ef08cfbc
Instruction ID: 59a5844e6f3d720582851c6030f90ab19c0a7f6849c02a67c5d37ef36f1400d2
Opcode Fuzzy Hash: 30c4e4b551bc1e8df7edb9bec227434618cad124de00f46f8280e148ef08cfbc
Instruction Fuzzy Hash: DC1145B19003488FCB20DF9AD444B9EBFF4EB49310F208419D519B3310D374A944CFA5

Function 05746BF4 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0574817D), ref: 05748207

Memory Dump Source

Source File: 00000004.00000002.3757571100.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5740000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 45f802d8723391f2864acf3df50688f5175dcfe06cd1e4bcc25fa7ec5da4aa48
Instruction ID: 4a73c1e7e278bb0462cf853d81b433e9a9c2a2c50645304b7f4745cc309d68cd
Opcode Fuzzy Hash: 45f802d8723391f2864acf3df50688f5175dcfe06cd1e4bcc25fa7ec5da4aa48
Instruction Fuzzy Hash: 8C1100B5804648CFCB20DF9AD888BDEFBF8EB49320F20845AD519A7250D375A944CFA5

Function 057481A1 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0574817D), ref: 05748207

Memory Dump Source

Source File: 00000004.00000002.3757571100.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5740000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: acdd99373ef5bd61feabf54b06e10fff56afa473b07e24633c4bb3da96b9e774
Instruction ID: ca4a3eb5b7c22c7cd4be7d29b70bcf0559e9b4cadc37cf51864eeeda483f92e7
Opcode Fuzzy Hash: acdd99373ef5bd61feabf54b06e10fff56afa473b07e24633c4bb3da96b9e774
Instruction Fuzzy Hash: 1F1100B1800649CFCB20DF9AD984BDEFFF8EB49324F20842AD559A7250D375A944CFA5

Function 05748A69 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05748AC5

Memory Dump Source

Source File: 00000004.00000002.3757571100.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5740000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6d40a563e95b80734084eebc12c4377a5e5569adf79b04e1216265a8630a7e2f
Instruction ID: 4af885dc9add7a2d579c977a9eddf66ed815f97fb6e5211a4f0a9f64a07e1227
Opcode Fuzzy Hash: 6d40a563e95b80734084eebc12c4377a5e5569adf79b04e1216265a8630a7e2f
Instruction Fuzzy Hash: ED1133B19002488FCB20DFAAD484BDEBFF8EB48320F248459D519A3200C378A544CFA5

Function 068EDB28 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PH_q, xrefs: 068EDC71

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: PH_q
API String ID: 0-2397113591
Opcode ID: d93fe4d1bf38612501dd49f70c4f698cd689ea4eb0ec374b9b7202fae60cbba5
Instruction ID: 3de919591b5e467bd8915f1cddfda46eec407a0c1a9bdf1db91c555abfd17b5e
Opcode Fuzzy Hash: d93fe4d1bf38612501dd49f70c4f698cd689ea4eb0ec374b9b7202fae60cbba5
Instruction Fuzzy Hash: DD419D74F0060A9FDB64DF65D4546AEBBB2BF86344F108929E405EB344EB74A84ACB81

Function 068EFCA8 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

PH_q, xrefs: 068EFDBA

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: PH_q
API String ID: 0-2397113591
Opcode ID: 6c406b70c58b16fdae5ef813cfd8a6b42772a2e4a7858bff583f490d8787f4f2
Instruction ID: 90154984d478d1651730e5f23c58cabc82c55305521e75cc0e6087634086c2f2
Opcode Fuzzy Hash: 6c406b70c58b16fdae5ef813cfd8a6b42772a2e4a7858bff583f490d8787f4f2
Instruction Fuzzy Hash: 9D31F034B002068FDB69AB78D55466F7BE7EF89218F204928E606DB389DF35DD01C791

Function 068EDB1B Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

PH_q, xrefs: 068EDC71

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: PH_q
API String ID: 0-2397113591
Opcode ID: f0b6279400b8d80b6179c4bb9eb0ce9d4e46ce344730e606cb21507d6513dc4f
Instruction ID: 56a7e2370bdfe76cf16914b53e981726c9f7f9b64bdf3b536e155f756e8b5c87
Opcode Fuzzy Hash: f0b6279400b8d80b6179c4bb9eb0ce9d4e46ce344730e606cb21507d6513dc4f
Instruction Fuzzy Hash: 4541A030F006099FDB65DF65D4446AEBBB6FF86344F108929E415EB344EB70E84ACB81

Function 068E21F7 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

PH_q, xrefs: 068E233B

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: PH_q
API String ID: 0-2397113591
Opcode ID: 6dfd0e6da47302c50cfa52b9d108114b3d88d3ecabbe36c0468d6ec2005c2093
Instruction ID: 52968495f198371002b7a7fb48e20f09cb77ffc40e0330d9fbc240e84d8c3fa4
Opcode Fuzzy Hash: 6dfd0e6da47302c50cfa52b9d108114b3d88d3ecabbe36c0468d6ec2005c2093
Instruction Fuzzy Hash: 95310330B102058FDB59AB74D56866F7BEBAB8A304F104928D506DB395DF35DE02CB91

Function 068E2200 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH_q, xrefs: 068E233B

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: PH_q
API String ID: 0-2397113591
Opcode ID: fd94c6c04a5d638f05f64817f9598b9b0a491e5012eee3562ad33fa02e5ea3d8
Instruction ID: eda62966c8b68576c87898a281b7df97c747573920d48fd5d117337468e1b36e
Opcode Fuzzy Hash: fd94c6c04a5d638f05f64817f9598b9b0a491e5012eee3562ad33fa02e5ea3d8
Instruction Fuzzy Hash: A3310230B102058FDB59AB74D52466F7AEBAF89304F204928D506DB399DF35DE02CB91

Function 068EFC9F Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

PH_q, xrefs: 068EFDBA

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: PH_q
API String ID: 0-2397113591
Opcode ID: 0c5c98c822ff1926f5d7577136392335e17086e71a4e270c63a9a98af2db5447
Instruction ID: 60e6c11e5e1a553d2e184bf95b80cad425dc688c5925c49ee178fa4795c9d295
Opcode Fuzzy Hash: 0c5c98c822ff1926f5d7577136392335e17086e71a4e270c63a9a98af2db5447
Instruction Fuzzy Hash: AD31DF35B002059FEB69AB74D15866F7BE3AF89614F104928D602DB389EF34DC02CBD1

Function 068EFBD1 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

|, xrefs: 068EFC30

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 8f7ee49cfac071da45c7b2289f317d083ffae14e972ae153e77c2bcd4a2e0127
Instruction ID: 29aa8a98c5c54581b823eea3fd0f7fd8c18301aaaf981cbeb2fb8206328cb2dd
Opcode Fuzzy Hash: 8f7ee49cfac071da45c7b2289f317d083ffae14e972ae153e77c2bcd4a2e0127
Instruction Fuzzy Hash: 81117F74F002149FDB54DB788805B6D7BF5AF8C710F104469E60ADB390DB399D01DB81

Function 068EFBDE Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 068EFC30

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: c4db3aa2d57b189b6930f42bc77b5a526100153b39bd5f75a0379082eb790017
Instruction ID: a714d2bca08aa14f014a69942dc9ae3473d31549db7f8a4aab5c80ddbf71983d
Opcode Fuzzy Hash: c4db3aa2d57b189b6930f42bc77b5a526100153b39bd5f75a0379082eb790017
Instruction Fuzzy Hash: 3A112E74B102249FDB54DB788805B6D7BF5AF4C710F108469E90AEB390EB79AD01CB91

Function 068EFBE0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 068EFC30

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 0059e00f9fa8f3121a41ba58fabcb8ee4ead2e345e7d1370d2f02956420cbbfe
Instruction ID: 4035e9a9cdb5bc180ad84f16a498de84b0872cb5d3f6dadc410a870f7b0388ba
Opcode Fuzzy Hash: 0059e00f9fa8f3121a41ba58fabcb8ee4ead2e345e7d1370d2f02956420cbbfe
Instruction Fuzzy Hash: F5115E74B002249FDB44DB788805B6D7BF5AF4C700F108469EA0ADB390DB39AD00CB81

Function 068EAE6A Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c751af7a3108d4cdfdeda1a8cbe696aa2b8a53cff165a773c6c4bc2b40722b46
Instruction ID: 2f3bc199a53c23af2d71d3057b0e47e1fc7cc4e9c4f28cead1fd329567640f10
Opcode Fuzzy Hash: c751af7a3108d4cdfdeda1a8cbe696aa2b8a53cff165a773c6c4bc2b40722b46
Instruction Fuzzy Hash: 05A1A730F102099BEF68DBACC6947AEB7F6FB8A310F204829E515E7395DA35DC418B51

Function 068E5E30 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df4816c32984a82bed1d2a8eda41af65f5fe7ff25b495a5e874c2396311429c
Instruction ID: d8acda7419d12439e38c05e13a7b6660aaaeea30bd8ea26ed04525025fe95e3b
Opcode Fuzzy Hash: 9df4816c32984a82bed1d2a8eda41af65f5fe7ff25b495a5e874c2396311429c
Instruction Fuzzy Hash: EE61D1B1F004224FDF549A7DC88066FBADBAFC5224B254439E90EDB364DE66DD0287D2

Function 068E3EE0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d987d39a2ccc6c712720d0e511569b231a0783f407031266a8324ea467c81cad
Instruction ID: c3df4473b1fd2867ca342a349a35d1d5fa2e48ba6c774d7e0eaeefd940e54dfb
Opcode Fuzzy Hash: d987d39a2ccc6c712720d0e511569b231a0783f407031266a8324ea467c81cad
Instruction Fuzzy Hash: 5C815C34B1020A8FDF54DFB4D5547AEB7F6AB89304F108429E50ADB398EB74EC468B91

Function 068E3EF0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ee8bdf9d267790da35f1b09bb9cce100b1d771920af7a96d66727c4bca752b
Instruction ID: e10899d22befd64dda425394db01393f31ffd56801ce7b2d9726b94cea267ab2
Opcode Fuzzy Hash: 87ee8bdf9d267790da35f1b09bb9cce100b1d771920af7a96d66727c4bca752b
Instruction Fuzzy Hash: C5814B30B102098BDF54DBA8D5547AEB7F6AB89304F108429E50ADB398EB74EC468B91

Function 068E4200 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c4d21be687c84390d35c118de0988aa4d2cfff5138e958aa478262a1802e05
Instruction ID: f6105bcc6504ef66ad3173a1c516428009cf27fcbaee614dfb888de565a5caad
Opcode Fuzzy Hash: f8c4d21be687c84390d35c118de0988aa4d2cfff5138e958aa478262a1802e05
Instruction Fuzzy Hash: A7913C34E1061A8BDF60DF64C880B9DB7B1FF8A304F20859AD54DEB255DB70AA85CF51

Function 068E4218 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f8e49f7411d37b6c8a92e7fc4e119238d605f6809c1443fa08f291b0ee27b7
Instruction ID: b5e5967bab7e43d98fd40bd564fdf3109ce08bde5346ccf197d883108df44859
Opcode Fuzzy Hash: e4f8e49f7411d37b6c8a92e7fc4e119238d605f6809c1443fa08f291b0ee27b7
Instruction Fuzzy Hash: 7B913B30E1061A8BDF64DFA8C880B9DB7B1FF89304F208599D54DEB255DB70AA85CF50

Function 068EEB73 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325d51ca60de9aac55985a60073141616663d032c86b50b4b6b4d767152c39f0
Instruction ID: fa3034bb315e48cc59e119f9450fc52a910495e3e8676cdc7b6cd4125a912236
Opcode Fuzzy Hash: 325d51ca60de9aac55985a60073141616663d032c86b50b4b6b4d767152c39f0
Instruction Fuzzy Hash: 99712B34F002099FDB54DBA8C984AADBBF6FF85304F248429D119EB355DB30E846CB50

Function 068EEB80 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26b3ba6718fe5ac8125ba60cc2d2723b2b747dc7267bdeaf1a15c9baef6ecff
Instruction ID: abef60783dda2b6ac26063cc6ae456dee1ebd64f3260330671e0d2a3ae585aff
Opcode Fuzzy Hash: a26b3ba6718fe5ac8125ba60cc2d2723b2b747dc7267bdeaf1a15c9baef6ecff
Instruction Fuzzy Hash: F0712934F002099FDB54DBA9C984AADBBF6FF85304F248429E519EB359DB30E846CB51

Function 068EF5B8 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c80b3b9ca706af5302dd6c5f19b21f91c487615110d15ce09d446cc1cf2667
Instruction ID: 1eeeddfc60c99c7060267752c08bfc797e17ceff369b0e5be3e577d2bf6af3d1
Opcode Fuzzy Hash: 24c80b3b9ca706af5302dd6c5f19b21f91c487615110d15ce09d446cc1cf2667
Instruction Fuzzy Hash: 9251FC30B102059BEF64566CDE5473F366BD78A314F10482AF70AC77E9DA38CC4587A2

Function 068EF818 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa48f1524e33714b0a9ad9f8ed839e4f8cfc0103e46aea8b2449110b802346d
Instruction ID: 9edc4aa5111acf460417ec0e1030e91afb0127680ec1d176f7f6e09801fbac0f
Opcode Fuzzy Hash: 1fa48f1524e33714b0a9ad9f8ed839e4f8cfc0103e46aea8b2449110b802346d
Instruction Fuzzy Hash: BC51D131E01105DFDB54EF79E4446ADBBB2EF86319F108869E20AEB250DB359855CB81

Function 068EF5C8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626007c231ad4eedf83ac34c02fcc2601686e5c0780cc8651c74c038075cc888
Instruction ID: 6865350138a63e2a402e70d2fe01ed93ebaf77cf0c2b7472bac1427c9e6a24a5
Opcode Fuzzy Hash: 626007c231ad4eedf83ac34c02fcc2601686e5c0780cc8651c74c038075cc888
Instruction Fuzzy Hash: 1551D730B102159BEF64566CDA5472F366BE78A314F20482EF70AC77E9CE78CC4587A2

Function 068E51D7 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee0646232570bd56683f1022105f33921730a678166e372868b522b344f162f
Instruction ID: 6cefd000681ec00ed13203bfe73e503b7a80ada150722aa3ba78829e18541dab
Opcode Fuzzy Hash: 5ee0646232570bd56683f1022105f33921730a678166e372868b522b344f162f
Instruction Fuzzy Hash: 5051A870E002054FDF718BA9C48077EFBB2FB47318F248829E559DB285C676D841CB92

Function 068E5068 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6668abf7e06345d2f5d541391f1efde8eed778112cb33789610cacb05d69f21
Instruction ID: c70e503c2acd8eb1773ac1cca1e74e436be3ccbdc7324966d1fd2a371816076f
Opcode Fuzzy Hash: b6668abf7e06345d2f5d541391f1efde8eed778112cb33789610cacb05d69f21
Instruction Fuzzy Hash: F7415171E006099FDF70CEE9D880AAFF7F2FB85314F10492AE216D7650D772A9458B92

Function 068E20B7 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad29782e86fe62aeebc479aba1d66aa12fdf24f41c53f87eff589337dfc66d8
Instruction ID: 632c27a1c3794f52c1659252c286c65aa9e13c7078a54052948381b20d178a9d
Opcode Fuzzy Hash: 1ad29782e86fe62aeebc479aba1d66aa12fdf24f41c53f87eff589337dfc66d8
Instruction Fuzzy Hash: BD317234E102099BCB04CFA4D96569EBBF6FF8A300F108529E916E7754DB71BD42CB50

Function 068E20C0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76da9f7d46ce59ea0a99f79806658cb9054683b2e35ee9ac341fa1911b3dbe71
Instruction ID: f1d5ccc5a9a46c8dd86096e59dc9bf5eb56f34f705b9a056b32f8895b735a147
Opcode Fuzzy Hash: 76da9f7d46ce59ea0a99f79806658cb9054683b2e35ee9ac341fa1911b3dbe71
Instruction Fuzzy Hash: 03316434E102099BCB54CFA4D85469EBBF6FF8A300F108529E915E7754DB71BD42CB50

Function 068E3AE9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd8c3b7350cca42280ff7d7bef9d41abd486f7f386267a1f1808dab273c4c20
Instruction ID: d9d2bf1bd6af0093ecb1fa027cb0c1892b3b56d2d041ec8f9d80ea4c8348360c
Opcode Fuzzy Hash: 3bd8c3b7350cca42280ff7d7bef9d41abd486f7f386267a1f1808dab273c4c20
Instruction Fuzzy Hash: 0F218B75F106199FEB51DFA9D980AAEBBF5EB89310F108069EA45E7340E730DD01CB90

Function 068E3AF8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d774cac02b6e9454afdfe64c5449fccfcef955d6a44c591e37f3cc3f4f6d40
Instruction ID: 27ca4e3d61f6518549d71c5f411ffc45e9872c3213d82260caf1783040e61900
Opcode Fuzzy Hash: a6d774cac02b6e9454afdfe64c5449fccfcef955d6a44c591e37f3cc3f4f6d40
Instruction Fuzzy Hash: 65217A75F106199FEB50DF69D980AAEB7F5EB88710F108069EA0AE7384E730DD41CB90

Function 068E5058 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81cdb3557e67dfb14f5394c27b3620aaecb7be315d226eaa489583c7458d735
Instruction ID: 0f0cccf4c95ce2f9f5d2ee77cadcacd38cd8013878bf110425d92c2ffee7320f
Opcode Fuzzy Hash: b81cdb3557e67dfb14f5394c27b3620aaecb7be315d226eaa489583c7458d735
Instruction Fuzzy Hash: 07219031A006099FCF64CEE9C8C5AAFFBB2FB85308F104929E115D7654D772A945CB82

Function 011FD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743285357.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11fd000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db73b8543b0b2ab517a65ed28abc22d0a9e8eb3503c46cf6c5f3c2cec8ba41ca
Instruction ID: 6241084c9ec28a5768366c5d7ae381d3b12539d2e8a74c98ad98cf30c3425fcd
Opcode Fuzzy Hash: db73b8543b0b2ab517a65ed28abc22d0a9e8eb3503c46cf6c5f3c2cec8ba41ca
Instruction Fuzzy Hash: 2B21F271604204DFDF19DF98E980B26BBA5EB84314F24C5ADEA094B296C37AD447CA62

Function 011FD118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743285357.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11fd000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9abd66cc2f945619954bd18660b08f145437638a27b78d08d509a28c72f71451
Instruction ID: 59e7d6b60c54ee4485e0c55746533005470aeca8626fe27cf46a7130ce28ca94
Opcode Fuzzy Hash: 9abd66cc2f945619954bd18660b08f145437638a27b78d08d509a28c72f71451
Instruction Fuzzy Hash: D221D4B1648244DFDF09DF58E9C0B26BF65FB84314F24C66DEA094B256C336D846C662

Function 011FD006 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743285357.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11fd000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cce7591a786eab44b139de56985050bc87292868ef4013571e5d7542ca797fc
Instruction ID: 80a72881e21c7d6530cd45705bdca2a63561d9f520acbecb4dacf0c6a2ab40af
Opcode Fuzzy Hash: 2cce7591a786eab44b139de56985050bc87292868ef4013571e5d7542ca797fc
Instruction Fuzzy Hash: D2217A315093C08FCB07CB64D890715BF71AB46214F29C1EBD9898F2A3C33A980ACB62

Function 068E30A8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3544e3b0fffc74ba9822f88a92040b970bb062eef7c7d7eafaff14b2d0933471
Instruction ID: c38971a100f319c9431527549c9dbb927ceac558628a65203251daae48904428
Opcode Fuzzy Hash: 3544e3b0fffc74ba9822f88a92040b970bb062eef7c7d7eafaff14b2d0933471
Instruction Fuzzy Hash: F111D335E002199BCB58DBA8C8406EEF7F5EB8A314F108579E509EB204DA31DD41CB91

Function 068E3C08 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ecbb8baaedf29fc74b0020680a5b02006df23d4ac20a2e6696f9678f3f5c24
Instruction ID: 32f025ec53e347705d1d5414d5f0b1e92735787ef086202e271a45bcf9051264
Opcode Fuzzy Hash: 40ecbb8baaedf29fc74b0020680a5b02006df23d4ac20a2e6696f9678f3f5c24
Instruction Fuzzy Hash: 8411E136B100289BDF54A678E8106AE73EAABC9311F008439D50AE7344EE74DC028BE1

Function 068EEDF1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97031614e7979b8f83ce757b150a7c61bbd982da92415835a2bf801353ad4952
Instruction ID: 3b02fce2fe59913d90eebe1e2686e4c33c43e9c6ff0312decc7b543f3e997bdc
Opcode Fuzzy Hash: 97031614e7979b8f83ce757b150a7c61bbd982da92415835a2bf801353ad4952
Instruction Fuzzy Hash: E201B1357109060BCB659A7898A872E7BD6DBCB720F158429F60ACB355ED25EC024395

Function 068E3E3F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbafad0f852a130ece7994c1273d56d029a289925b40bd926a1c6b9c46bbd5ba
Instruction ID: 48834ade7c94cfb481f256aa0797865e23cbb164efbf3b7f83a988edf94a9cbe
Opcode Fuzzy Hash: bbafad0f852a130ece7994c1273d56d029a289925b40bd926a1c6b9c46bbd5ba
Instruction Fuzzy Hash: A0012F38B104021BCB28D67D9495B2FABDADBC6724F10843EF60ACB795EE25DC024394

Function 068E38C0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5bf7abc870ebe66c5b7080392ede01624b1482ce5ec3c2addec84149c200fcf
Instruction ID: d63e1eb99759944272122b7bb07ff082b0855e6a52cb26e30a6d986ca705b9d1
Opcode Fuzzy Hash: f5bf7abc870ebe66c5b7080392ede01624b1482ce5ec3c2addec84149c200fcf
Instruction Fuzzy Hash: 7521D6B1D01259AFCB00DF9AD884ADEFFB8FB49320F10821AE518B7240D3756944CFA5

Function 068E3BF9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c564c5b89bd43fd0ca01adf1717ba68261470cc47dba2d8185045bbe1b2c9fc6
Instruction ID: c7859e4a3f77d00879d8bbf5b157fd3e7f2a27b66f1a426609a017c87ac69012
Opcode Fuzzy Hash: c564c5b89bd43fd0ca01adf1717ba68261470cc47dba2d8185045bbe1b2c9fc6
Instruction Fuzzy Hash: 5301A735B100245BEF549A79DC146EF77EA9BC9710F104539D956E7344EE60CD0287E1

Function 011FD113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3743285357.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11fd000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5867ea3066c8d66ae14a7e2e82bc980888112c1538e9e79c62cad117a2215a17
Instruction ID: b24604dce2311eeedd63c3a2bb1631d03356218c94b828c600e3fd578b92d1dd
Opcode Fuzzy Hash: 5867ea3066c8d66ae14a7e2e82bc980888112c1538e9e79c62cad117a2215a17
Instruction Fuzzy Hash: D811BF75508284CFDB0ACF54D9C4B25BFB2FB84318F28C6ADD9494B656C33AD44ACB51

Function 068E38C8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ed28f482c70a069f3cd9dbbe677ac4ea1ee26197f3f4f5a67fbf878f405408
Instruction ID: 79cc973dfb67f1df3a2312d3abcb2cab77ad81b9a770cf9c90043a6985f4a062
Opcode Fuzzy Hash: 06ed28f482c70a069f3cd9dbbe677ac4ea1ee26197f3f4f5a67fbf878f405408
Instruction Fuzzy Hash: 9311D0B1D01259AFCB00DF9AD884ADEFFB8FB49310F10812AE918B7200D375A944CFA5

Function 068E3E50 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8aaa02a28cb8c9a4a2939cb04f42fe7f097cbdeff425fcfbe53145abcae55c
Instruction ID: 024a96a04056c5334961fdbf3ff5628ae65ec01d405e7e0995ab84daaee6198e
Opcode Fuzzy Hash: bb8aaa02a28cb8c9a4a2939cb04f42fe7f097cbdeff425fcfbe53145abcae55c
Instruction Fuzzy Hash: 03012134B104120BCB28D57C9451B2FA3DADBCA724F108439F20ECB794EE65EC020394

Function 068E9F50 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f333fbb7deef182f296ab37c442d769620cae44df83d1a53be7bd85b8af8918c
Instruction ID: 95e9a53297265d85580a3d0fdf26a8aa02b40bffc217a6f8b44ee7f1548adf81
Opcode Fuzzy Hash: f333fbb7deef182f296ab37c442d769620cae44df83d1a53be7bd85b8af8918c
Instruction Fuzzy Hash: 3D012834B101400FDBA5DE78E55076E7BE5EB46314F144429F289CF365EA64DC01C781

Function 068EEE00 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a339004e4d92c85bfae27ec9f50a77284404ffac4e29950a7c13bbc63f4daa63
Instruction ID: d0b947d1374d15f75c082f1ff5c2711d3cae7bf55c27608de8218eba9fe052ec
Opcode Fuzzy Hash: a339004e4d92c85bfae27ec9f50a77284404ffac4e29950a7c13bbc63f4daa63
Instruction Fuzzy Hash: 2301A435B108160BCB65D97CD499B2F77DADBCA720F108439F60ACB354EE25EC024795

Function 068E9F60 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6667dc649f30044ee5a38721da80d771e42b5efbeb0beecc5c0bd38e90d1a94d
Instruction ID: c8d5888e02006ed4007087368343ce95e65c2bbc3e1011ad506fe6d5597ad36e
Opcode Fuzzy Hash: 6667dc649f30044ee5a38721da80d771e42b5efbeb0beecc5c0bd38e90d1a94d
Instruction Fuzzy Hash: 0301A434B105154BDB64DA7CF550B6EB7D9EB8A724F108438F60ACB354EEA9EC4187C0

Function 068E60B9 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1274bc229b73093ebf7988447a36796c3f0f0f69292efb80b57bbb8c639c11
Instruction ID: cab56f0438e88e0980bec256b6d1d972427baa63c6b02555375b4ed080ac89f9
Opcode Fuzzy Hash: ff1274bc229b73093ebf7988447a36796c3f0f0f69292efb80b57bbb8c639c11
Instruction Fuzzy Hash: D1E0DF71E1422CABEF50CAB1894835E77A9DB83314F218AA6EA04E7241F177C9418B81

Function 068E60C8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defcd98296a07231a5b4897097714763c583b603e83f85b61719a5b9efdd0c69
Instruction ID: e2babdd8614594618481b84989f9a4ae581e5f10835dd778a1b32f24f101ce61
Opcode Fuzzy Hash: defcd98296a07231a5b4897097714763c583b603e83f85b61719a5b9efdd0c69
Instruction Fuzzy Hash: 93E01271E1412CABDF50DEB4C94575EB7ADE753214F2085A5D608E7241F177DA418780

Non-executed Functions

Function 068E72E8 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$_q, xrefs: 068E77B0
$_q, xrefs: 068E73FF
$_q, xrefs: 068E785B
$_q, xrefs: 068E7430
$_q, xrefs: 068E7424
$_q, xrefs: 068E73F3
$_q, xrefs: 068E77BC
$_q, xrefs: 068E7865
$_q, xrefs: 068E7871
$_q, xrefs: 068E784F

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-698649689
Opcode ID: ca483e0d549476d72327bddb0d09b8190f6a001962741d0ecd43123ac4e25f05
Instruction ID: 612c9c59a5527b10891b85dbf7bd3f4f176230e029e6d25a93744c5637146018
Opcode Fuzzy Hash: ca483e0d549476d72327bddb0d09b8190f6a001962741d0ecd43123ac4e25f05
Instruction Fuzzy Hash: EB121A30E002198FDB68DF65C994AADB7F6BF89304F208969D509EB364EB309D45CF81

Function 068EA580 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$_q, xrefs: 068EA676
$_q, xrefs: 068EA708
$_q, xrefs: 068EA6D1
$_q, xrefs: 068EA6FC
$_q, xrefs: 068EA732
$_q, xrefs: 068EA682
$_q, xrefs: 068EA73E
$_q, xrefs: 068EA6DD

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-2216122830
Opcode ID: 4befe67c69cb0633fbc54d41cdd04f02079d30730dc0ab723397164f1e1c8f89
Instruction ID: 2af57711f36b21159637ccf5815fbfadf51ef012f174e3a64470d6ad4b271a5d
Opcode Fuzzy Hash: 4befe67c69cb0633fbc54d41cdd04f02079d30730dc0ab723397164f1e1c8f89
Instruction Fuzzy Hash: F1917030E10209DFEBACDB64D984B6E7BF6AF85B04F108529E501EB258DB74D845CB90

Function 068E6CE8 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$_q, xrefs: 068E7184
.5wq, xrefs: 068E6D43
$_q, xrefs: 068E6FCA
$_q, xrefs: 068E7024
$_q, xrefs: 068E71F0
$_q, xrefs: 068E71FC
$_q, xrefs: 068E7030

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: .5wq$$_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-3129995876
Opcode ID: 37e3d1798abbe836fe4f03bf7bf345deb24f2e5577f89661df6ba8be03ce052f
Instruction ID: 367dd36c978495a9f381f3e6e301a974816ad6d1305473f95e4e8cb00efb5476
Opcode Fuzzy Hash: 37e3d1798abbe836fe4f03bf7bf345deb24f2e5577f89661df6ba8be03ce052f
Instruction Fuzzy Hash: 2BF15F30B10209DFDB99EFA4C554A6EB7B7BF89304F208568D416DB399DB35AC42CB50

Function 068EBA58 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$_q, xrefs: 068EBBF1
$_q, xrefs: 068EBC59
$_q, xrefs: 068EBBFD
$_q, xrefs: 068EBC65
$_q, xrefs: 068EBC31
$_q, xrefs: 068EBC25

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-155944776
Opcode ID: 98de76716f8b53e492f29a990f5253202eedeb6c22449d17cd545e1c864d0c1f
Instruction ID: ba7f7ba5dd4412abe41f8ff47a37122a982cb73f04a805176665599df5d17cdd
Opcode Fuzzy Hash: 98de76716f8b53e492f29a990f5253202eedeb6c22449d17cd545e1c864d0c1f
Instruction Fuzzy Hash: 25718F30F1420A8FDB58CFA8D68466DB7F6FF86704F104869D506EB254DB71E945CB81

Function 068E8018 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$_q, xrefs: 068E827E
$_q, xrefs: 068E82E3
$_q, xrefs: 068E8272
$_q, xrefs: 068E82D7

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q
API String ID: 0-1171383116
Opcode ID: c3743195a4e90197c80aa697088939cb6ce9bdc6a25f4954e6ecd4cbe175a5a2
Instruction ID: a4082bb45e2f2dd42a4c959b69ebe490301adb74b326359c141f0ba42c1397ca
Opcode Fuzzy Hash: c3743195a4e90197c80aa697088939cb6ce9bdc6a25f4954e6ecd4cbe175a5a2
Instruction Fuzzy Hash: E5B16B70E10209CFDBA8EBA8C5846AEB7B2FF89304F248469D505DB359DB75DC46CB90

Function 068E8430 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$_q, xrefs: 068E84BB
LR_q, xrefs: 068E8523
$_q, xrefs: 068E84AF
LR_q, xrefs: 068E8572

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: LR_q$LR_q$$_q$$_q
API String ID: 0-2912794808
Opcode ID: 148b2ff2a65435198687d94fefbe012e9588a996b6bd37a2d9ef03b9ba8536fc
Instruction ID: 3f89bec26817e273794cd7c050918a06aed499c8454bc97d8d0b47c79ba09361
Opcode Fuzzy Hash: 148b2ff2a65435198687d94fefbe012e9588a996b6bd37a2d9ef03b9ba8536fc
Instruction Fuzzy Hash: 555108707102069FDB68DB64D945A6E77F6FF89308F148569E516DB3A9DB30EC00CB90

Function 068EA902 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

$_q, xrefs: 068EAA84
$_q, xrefs: 068EAA31
$_q, xrefs: 068EAAB3
$_q, xrefs: 068EAADC

Memory Dump Source

Source File: 00000004.00000002.3759126734.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_68e0000_HBL BLJ2T2411809005 & DAJKT2411000812.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q
API String ID: 0-1171383116
Opcode ID: fb6cd582cbab510cf30e3a4b70a39b2df9cc09c29fec69a8ede3e2fdfab41d0d
Instruction ID: eb9348ae301b674ff4d10eca2c1fb13b1483978c9a3aa44ebef772f764909b34
Opcode Fuzzy Hash: fb6cd582cbab510cf30e3a4b70a39b2df9cc09c29fec69a8ede3e2fdfab41d0d
Instruction Fuzzy Hash: C551DF30E102098FDFA9EB64D6806AEB7B6FF8AB04F11852AD515EB355DB31DC41CB90

Analysis Process: adobe.exePID: 7596, Parent PID: 2592COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	208
Total number of Limit Nodes:	15

Executed Functions

Function 0072D349 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0072D3D6
GetCurrentThread.KERNEL32 ref: 0072D413
GetCurrentProcess.KERNEL32 ref: 0072D450
GetCurrentThreadId.KERNEL32 ref: 0072D4A9

Memory Dump Source

Source File: 0000000A.00000002.1409450806.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_adobe.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: aa112f42d5d197e02bdb277b22cd78cac3b429b4637ebfc96971fce56fc9b1be
Instruction ID: 4414b7a072dcefdb41ae699cef45915af80d99b86c214ca8b891c9016e5bc1d5
Opcode Fuzzy Hash: aa112f42d5d197e02bdb277b22cd78cac3b429b4637ebfc96971fce56fc9b1be
Instruction Fuzzy Hash: 7B5167B09003499FDB54DFA9D548B9EBBF1EF48314F208069E409B73A1DB74A944CF65

Function 0072D358 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0072D3D6
GetCurrentThread.KERNEL32 ref: 0072D413
GetCurrentProcess.KERNEL32 ref: 0072D450
GetCurrentThreadId.KERNEL32 ref: 0072D4A9

Memory Dump Source

Source File: 0000000A.00000002.1409450806.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_adobe.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2f71640b43fd50a3eeed2fda62e9fc5f6e4939652122096da4eb5603f52b6922
Instruction ID: 8d852183eef9d5873f76f89cde1014d320e922af6a52de8b17ad509fc85d330c
Opcode Fuzzy Hash: 2f71640b43fd50a3eeed2fda62e9fc5f6e4939652122096da4eb5603f52b6922
Instruction Fuzzy Hash: FB5157B09003499FDB54DFA9D548B9EBBF1EF48314F208069E409B73A0DB746944CF65

Function 0072B0D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0072B326

Strings

XOi, xrefs: 0072B283
XOi, xrefs: 0072B25E

Memory Dump Source

Source File: 0000000A.00000002.1409450806.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_adobe.jbxd

Similarity

API ID: HandleModule
String ID: XOi$XOi
API String ID: 4139908857-3909752956
Opcode ID: 84f0fd9c663cc5c3b3e88e4552eb27d08613fd08751ea341dd52550a7abf0404
Instruction ID: 67813691b3f3e9cb977513afb5ab617bcb4dc5a9cf51ce48ac62bf214cb0b1a0
Opcode Fuzzy Hash: 84f0fd9c663cc5c3b3e88e4552eb27d08613fd08751ea341dd52550a7abf0404
Instruction Fuzzy Hash: 6A715370A00B198FDB24DF29E55575ABBF1FF88300F10892DE48AD7A50DB38E949CB90

Function 024093AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02409440

Strings

W, xrefs: 024093AD

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: W
API String ID: 3559483778-655174618
Opcode ID: e32a40aa0f8c367b0502941956ab2fb674149f4a27b8b1ae43951982d4026be7
Instruction ID: 058e618aaf1480be6bb218fe426841d121ec10b07bf9e2ce16da175b30d79257
Opcode Fuzzy Hash: e32a40aa0f8c367b0502941956ab2fb674149f4a27b8b1ae43951982d4026be7
Instruction Fuzzy Hash: 9A2124B19002199FDB10DFA9C8857EEBBF1FF48314F10882AE959A7241C7789955CBA4

Function 024092EA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0240935E

Strings

W, xrefs: 024092ED

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID: W
API String ID: 4275171209-655174618
Opcode ID: a8cabd1f5ccfe68c7eba1cd26419bb82980b7e0d140f235444643b95b76d1034
Instruction ID: 49bca24892b4438495f3eb37316fa87426f14d3bc5c271b96edb465929727c69
Opcode Fuzzy Hash: a8cabd1f5ccfe68c7eba1cd26419bb82980b7e0d140f235444643b95b76d1034
Instruction Fuzzy Hash: 1D1156719002499FDB10DFA9C8456EFFBF5EF48324F14881AD519A7250C775A945CFA0

Function 0240962C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0240986E

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 53471cca8d47cd45e5891f7f163aa4a7f3dd6d17a0bda4e42c39850373f92ec0
Instruction ID: aa143e5e2ee9fdb2540e1109ac4985ae61a7f009380dd23d3ce763112258c669
Opcode Fuzzy Hash: 53471cca8d47cd45e5891f7f163aa4a7f3dd6d17a0bda4e42c39850373f92ec0
Instruction Fuzzy Hash: AEA19E71D00619CFEB14CF68C8817EEBBB2BF48714F1485AAD848A7391DB749985CF91

Function 02409638 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0240986E

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e4d1dcc7e1c9ab7e77886adb8f1f5c788886c0523affc4050ea19175c8f18623
Instruction ID: 15466c8bddd4b0da1a8a986ae137e5942075cc16465e0aca6e55d7773ba74d70
Opcode Fuzzy Hash: e4d1dcc7e1c9ab7e77886adb8f1f5c788886c0523affc4050ea19175c8f18623
Instruction Fuzzy Hash: 9C919D71D00619CFDB10CFA8C880BEEBBB2BF48714F0085AAD848A7391DB749985CF91

Function 02401CE4 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02401E02

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d79cdd63df6e2375a2a984fb5889362cd3239126d07f9157a7392b27144b70dc
Instruction ID: 5c0154b7059ab394f88df6fdeba72333db92f09d0203f7e6a296361ade3ce26c
Opcode Fuzzy Hash: d79cdd63df6e2375a2a984fb5889362cd3239126d07f9157a7392b27144b70dc
Instruction Fuzzy Hash: CE51C2B1D003499FDB14CFA9C984ADEBFB1BF88314F64812AE419AB250D7759985CF90

Function 02401CF0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02401E02

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d15973c2b627b6f199afc36fe207042a8ae4c2814341fe5bc103090fb78b61d7
Instruction ID: f50da89e4e7db3e3174921623347e7361e4d63c28a1d5faaef79d285ebb0f9bb
Opcode Fuzzy Hash: d15973c2b627b6f199afc36fe207042a8ae4c2814341fe5bc103090fb78b61d7
Instruction Fuzzy Hash: 2541B2B1D003499FDB14CF99C984ADEBBB5FF48314F64812AE419AB250D7719985CF90

Function 0072590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 007259C9

Memory Dump Source

Source File: 0000000A.00000002.1409450806.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5b5b054c7fcef85ae98a4f58218cec79d670548d3a0c442e4025adf6baa2cd44
Instruction ID: fc02dcf6b138c4e3f044d9068c969049fac9d4ca521585b71795aba1712c99c8
Opcode Fuzzy Hash: 5b5b054c7fcef85ae98a4f58218cec79d670548d3a0c442e4025adf6baa2cd44
Instruction Fuzzy Hash: DB410FB0C00629CFDB24CFA9C884B8DBBF5FF48304F60816AD048AB255DB75698ACF50

Function 02400BFC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02404381

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: d5fd5a1ebf9a62e53bf8e71f2893290e78a733877814aedffaacd4c297263f36
Instruction ID: a181c3ee319dba900a7cd2f62f9b4fa1adab8b96575215dcc83ac0974b8a5750
Opcode Fuzzy Hash: d5fd5a1ebf9a62e53bf8e71f2893290e78a733877814aedffaacd4c297263f36
Instruction Fuzzy Hash: 46412CB5A00309DFCB14CF99C488A9EBBF5FB88314F248559D519A7361D774A881CFA0

Function 00724248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 007259C9

Memory Dump Source

Source File: 0000000A.00000002.1409450806.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ba59c0d79dd196d43fd8286a21426a3d0a6aa7eb2ad9a09a29de8b6c4f2cb651
Instruction ID: e7d8719ec3fac3754dbaec720c4e58ca0a2606fafbffb7308e40819f1e482b19
Opcode Fuzzy Hash: ba59c0d79dd196d43fd8286a21426a3d0a6aa7eb2ad9a09a29de8b6c4f2cb651
Instruction Fuzzy Hash: 63410FB0C0062DCBDB24CFA9C884B8EBBF5FF48304F20806AD448AB255DB756985CF90

Function 024093B0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02409440

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 71934536bcf934fed7d9aee01dad3a1149817629ff49d36c31168bf52148d308
Instruction ID: dc050c1cf9e93504ebdd8e57a2f2c077e777256db7aa20ca0b82e4dd61b1fcb9
Opcode Fuzzy Hash: 71934536bcf934fed7d9aee01dad3a1149817629ff49d36c31168bf52148d308
Instruction Fuzzy Hash: BE2136B1D003499FCB10DFAAC885BDEBBF5FF88314F10842AE919A7241C7789955CBA4

Function 02409212 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02409296

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3bb5c4699e92ee078140d4445c82fbb41497c43c16ec577b1687d3ea29510719
Instruction ID: 517821b374a85ff2c459e15ddf43cb104906270ea07d607d5b6a21e36a0463d4
Opcode Fuzzy Hash: 3bb5c4699e92ee078140d4445c82fbb41497c43c16ec577b1687d3ea29510719
Instruction Fuzzy Hash: 53214571D002098FDB10DFAAC485BEEBBF4AF88324F14882ED459A7241CB789945CFA0

Function 0240949A Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02409520

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d6fb387c5fdb11fca00955a4f87ddf3064e2f1a42173557492d7ce5c558075e6
Instruction ID: 8c1a8acc9cd4de9fca642f598f00b92510cee9dd09506eecd272cc729542cb25
Opcode Fuzzy Hash: d6fb387c5fdb11fca00955a4f87ddf3064e2f1a42173557492d7ce5c558075e6
Instruction Fuzzy Hash: 9E2136B1D002499FCB10DFAAD881AEEFBF1FF88310F14842EE519A7241C7759945CBA0

Function 0072D599 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0072D627

Memory Dump Source

Source File: 0000000A.00000002.1409450806.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 713a646c8effb48265fa85962e8d004111f51d6c7fd3653065c89a89f63cd363
Instruction ID: 60679e50cc0b2d64cb28ce32b169a6152e42eb958ddce5556a22c590e5efa8ff
Opcode Fuzzy Hash: 713a646c8effb48265fa85962e8d004111f51d6c7fd3653065c89a89f63cd363
Instruction Fuzzy Hash: A821E6B5D00248AFDB10CF9AD984ADEBBF4FB48310F14841AE918B3350D374A954CFA5

Function 02409218 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02409296

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0dc30d60dac232a7d6a2911aa5cdc87df738902647dc18229158c937a12d25cf
Instruction ID: 109f017c7bb3c9a47b175057462ce966abef1368c9d15a0296efadd2071341fc
Opcode Fuzzy Hash: 0dc30d60dac232a7d6a2911aa5cdc87df738902647dc18229158c937a12d25cf
Instruction Fuzzy Hash: EC213471D002098FDB10DFAAC4857EEBBF4AB88324F14842ED419A7241CB78A985CBA0

Function 024094A0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02409520

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 08ebbfb917c3e97051d62e8eb0171c4af0c2db5b41bb119105f0cd68f7dd018a
Instruction ID: 9692f2d6470564f04ef643aefb39e34a97fb2b6cc5eecba0426c772c6396335f
Opcode Fuzzy Hash: 08ebbfb917c3e97051d62e8eb0171c4af0c2db5b41bb119105f0cd68f7dd018a
Instruction Fuzzy Hash: 952137B1D003499FCB10DFAAC881AEEFBF5FF48320F50842AE519A7240C7799945CBA0

Function 0072D5A0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0072D627

Memory Dump Source

Source File: 0000000A.00000002.1409450806.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d6198bd4ebf2991094acf352813761fa140311e744228c59d6796ba045837215
Instruction ID: deafacfb4a0a634b2c5ff2baadd75115d9e826c42a0b63f17fd165bd9053d96a
Opcode Fuzzy Hash: d6198bd4ebf2991094acf352813761fa140311e744228c59d6796ba045837215
Instruction Fuzzy Hash: 7821C4B5D00258AFDB10CFAAD584ADEBBF5EB48310F14841AE918B3350D378A954CFA5

Function 024092F0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0240935E

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d60e3e599e1b7b73953bef3aa64b9ed5c91ad8915d19f63da2501ebe8cd1fb3a
Instruction ID: 1786a9e97c3f95855da9dbabb551edc199e1d996dc59f669071856f7a1ecd419
Opcode Fuzzy Hash: d60e3e599e1b7b73953bef3aa64b9ed5c91ad8915d19f63da2501ebe8cd1fb3a
Instruction Fuzzy Hash: 801149719002499FCB20DFAAC845ADFFFF5EF88324F10841AE519A7250C775A944CFA0

Function 02409160 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 024091CA

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ae186f481e678088d8883cbd034ff814cc8061227d6e824fdf64666dd86fd876
Instruction ID: abebca821cc9371511da1faa59642dc5013055da4c80971c45a043e99517c44b
Opcode Fuzzy Hash: ae186f481e678088d8883cbd034ff814cc8061227d6e824fdf64666dd86fd876
Instruction Fuzzy Hash: A81149B1D042498FDB10DFAAC4457EFBBF5AB88324F24882AD019A7240C7759945CBA4

Function 02409168 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 024091CA

Memory Dump Source

Source File: 0000000A.00000002.1411919375.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Offset: 02400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2400000_adobe.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: da1005e6c9536748cb285845e176621d4329f80768666cfd4ae9c7a4b7763396
Instruction ID: 50c87f66c2fad7e8375d4d37c6fbb37c8ac3a0480e0c13c00638ba611f928e27
Opcode Fuzzy Hash: da1005e6c9536748cb285845e176621d4329f80768666cfd4ae9c7a4b7763396
Instruction Fuzzy Hash: 10113AB1D002498FDB20DFAAC4457DFFBF5EB88324F10882AD519B7240CB756945CBA4

Function 0072B2C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0072B326

Memory Dump Source

Source File: 0000000A.00000002.1409450806.0000000000720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_720000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 014bf09b8fd64ba3e420929283faa821511f40f6fb16bfa273841ff9b3a62726
Instruction ID: 7529a544cf3b86214c1db0d4c38930eb1ad8434420ce75c686bdc3d40333705b
Opcode Fuzzy Hash: 014bf09b8fd64ba3e420929283faa821511f40f6fb16bfa273841ff9b3a62726
Instruction Fuzzy Hash: AD11CAB68003598BDB10DF9AD444A9EFBF4EB89320F10842AD829B7211D379A945CFA1

Function 0068D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1409219033.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_68d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737534fd97d7b9af96988897ab812c326b284e17e5974e82c1a335e6d71e2892
Instruction ID: b3d8b0a82eade82ed4ddc0501f6b35ce68e62c16aee24f69206212a428081762
Opcode Fuzzy Hash: 737534fd97d7b9af96988897ab812c326b284e17e5974e82c1a335e6d71e2892
Instruction Fuzzy Hash: 3C21F171504204DFCB05EF54D9D0B26BF66FB88310F20C6A9EA090B296C336D916CBB1

Function 0069D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1409264997.000000000069D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01420208a3fc39f184685354dd7f08b1cb94c673255a0b8e71c1334a02faac7a
Instruction ID: a6ef7bd797bb18d36b6ee2aa3fcc5151b2e474eb6a9ac96f1883cc5fb20d2c70
Opcode Fuzzy Hash: 01420208a3fc39f184685354dd7f08b1cb94c673255a0b8e71c1334a02faac7a
Instruction Fuzzy Hash: 8021F275604204DFDF14DF28D984B26BB6AFB88314F20C579E84A4B796C33AD847CA61

Function 0069D006 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1409264997.000000000069D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0069D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_69d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bea43957b7025ebc58f5b7bd5e275b44123f084c96fa256b82b4658e9dcaad5
Instruction ID: aa4262846d198321cc4d9955b740f49e88e314b8bf2a8f32231a2a4263d274b4
Opcode Fuzzy Hash: 6bea43957b7025ebc58f5b7bd5e275b44123f084c96fa256b82b4658e9dcaad5
Instruction Fuzzy Hash: F6219F755083809FDB02CF14D994B11BFB6FB46314F25C5EAD8498F6A6C33AD80ACB62

Function 0068D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1409219033.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_68d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e913fbe4a6093fe52002ebff3728cbe293fe76fa7d723964536c1d21f6342d
Instruction ID: a51b19a63950f5cca7069b102dde799ecea0fc11bab74706ce26912be3fe0170
Opcode Fuzzy Hash: 21e913fbe4a6093fe52002ebff3728cbe293fe76fa7d723964536c1d21f6342d
Instruction Fuzzy Hash: 3C21DF76404244CFCB06DF00D9C4B56BF72FB84310F24C2A9ED084B296C33AD92ACBA1

Analysis Process: adobe.exePID: 7640, Parent PID: 7596COMMON

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	4

Executed Functions

Function 06FC2788 Relevance: 9.0, Strings: 6, Instructions: 1489COMMON

Download Yara Rule

Strings

$_q, xrefs: 06FC3BDC
$_q, xrefs: 06FC3BF4
$_q, xrefs: 06FC3BB3
$_q, xrefs: 06FC3BA7
$_q, xrefs: 06FC3BD0
$_q, xrefs: 06FC3C00

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-155944776
Opcode ID: 5f56540eab94e2c61f09e77a76eeb1d772bf7b09f4f15a09b430b61aa291c7fb
Instruction ID: be7839da52f21b167ec583e4f11b0ad459795399290b3bfa7347274e468d69b9
Opcode Fuzzy Hash: 5f56540eab94e2c61f09e77a76eeb1d772bf7b09f4f15a09b430b61aa291c7fb
Instruction Fuzzy Hash: D8D24934E0060ACFDB64DB68C584A9DB7B2FF89314F54C5A9D409AB264EB35ED85CB80

Function 06FCB280 Relevance: 8.3, Strings: 6, Instructions: 767COMMON

Download Yara Rule

Strings

$_q, xrefs: 06FCBBFD
$_q, xrefs: 06FCBC31
$_q, xrefs: 06FCBC59
$_q, xrefs: 06FCBBF1
$_q, xrefs: 06FCBC65
$_q, xrefs: 06FCBC25

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-155944776
Opcode ID: d5928e942ae6a73a3c78b746c26bb3a3697ef7a4210543f2575cc92f7b930ce3
Instruction ID: 33b753308b18ef7d9ecba62574e941845614e7761db4d0b4a27a3fa62dfd4398
Opcode Fuzzy Hash: d5928e942ae6a73a3c78b746c26bb3a3697ef7a4210543f2575cc92f7b930ce3
Instruction Fuzzy Hash: FB527074E1020B8BDF64CF68D6917AEB7B6FB85320F208829E405DB395DA35DC45CB91

Function 06FC7DC8 Relevance: 3.0, Strings: 2, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 06FC8105
$_q, xrefs: 06FC8111

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q
API String ID: 0-458585787
Opcode ID: 89b928886235831d6f67945bbefd0fdbd503782ff7b92ec0a715457f338223f6
Instruction ID: 92921ee5c6d2a95c6ced97b08db47fe1bfb0dfe6690b9595a5103df213573d6c
Opcode Fuzzy Hash: 89b928886235831d6f67945bbefd0fdbd503782ff7b92ec0a715457f338223f6
Instruction Fuzzy Hash: 6F027B30F002068FDB54DB68DA946AEBBE2FF84364F148569D419DB394DB35EC46CB81

Function 06FC55E8 Relevance: 1.8, Strings: 1, Instructions: 594
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 06FC5939

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: ba3bda23d0e64552a93d0729311c6518c8a4a49e0bcc2e95b591b0e9ef194230
Instruction ID: 7b3609d7d7e6860c26100e69e3580158f6a90366a1829ad699316801dfbd315a
Opcode Fuzzy Hash: ba3bda23d0e64552a93d0729311c6518c8a4a49e0bcc2e95b591b0e9ef194230
Instruction Fuzzy Hash: EA22F475E0021A9FDF64CB64C6806AEBBB2FF85324F208469D449EB384DB35EC55CB91

Function 06FC6638 Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8cb87665008f7477f03877390e21eab566d84891ee409cb4e83c377610ef43
Instruction ID: 8e987efac7405a0b005b3ccef4b0a9ef78a7ec2ff3b37d79ca8e089bdbfe7e26
Opcode Fuzzy Hash: ca8cb87665008f7477f03877390e21eab566d84891ee409cb4e83c377610ef43
Instruction Fuzzy Hash: 7F626A34E042068FDB54DB68D694AAEB7B2FF88324F148469E405EB394DB35EC46CB91

Function 06FCC1D8 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98b6d7714505bac31abdb146830da4ac5898440de78155c59123799bdb11a2c
Instruction ID: 6e254895bff5e1c60d15eefef3df28bffc24b093c93f79ab064341ba00581509
Opcode Fuzzy Hash: d98b6d7714505bac31abdb146830da4ac5898440de78155c59123799bdb11a2c
Instruction Fuzzy Hash: 34327274E002068FDF54DB68DA90BAEB7B6FB88324F108529E409E7355DB35EC45CB91

Function 06FCAD18 Relevance: 10.4, Strings: 8, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 06FCAEC7
$_q, xrefs: 06FCAE8C
$_q, xrefs: 06FCAE39
$_q, xrefs: 06FCAE45
$_q, xrefs: 06FCAEF0
$_q, xrefs: 06FCAEBB
$_q, xrefs: 06FCAE98
$_q, xrefs: 06FCAEE4

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-2216122830
Opcode ID: 5aeb9d067278499b93f0f80de6c1e3bfbf988e93c0328add762b2c606e2823b9
Instruction ID: 0b5756b44ccfb6f45f6a6578790a096e1c6f186e53a113383bc9344efae48fe6
Opcode Fuzzy Hash: 5aeb9d067278499b93f0f80de6c1e3bfbf988e93c0328add762b2c606e2823b9
Instruction Fuzzy Hash: 7DE16D30E1020A8FDF59DB69D6906AEB7B6FF84314F108529E405EB354EB35EC46CB91

Function 06FC9198 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 06FC921A
$_q, xrefs: 06FC91EB
$_q, xrefs: 06FC91DF
$_q, xrefs: 06FC9226

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q
API String ID: 0-1171383116
Opcode ID: abf3f44b057cf24323fa312d0f37576aa0cd0d60e86bcd86753d95a5cb61d35c
Instruction ID: 09640668830303cbac14d1a8536fd2f652dd5debc10324b8c7282e3df0246b1e
Opcode Fuzzy Hash: abf3f44b057cf24323fa312d0f37576aa0cd0d60e86bcd86753d95a5cb61d35c
Instruction Fuzzy Hash: B9912A70F0021A9BDB54DF64D9507AEB7F6FB88310F10856AC809EB358EA749D468B91

Function 06FCCFA0 Relevance: 4.6, Strings: 3, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 06FCD3AB
$_q, xrefs: 06FCD39F
$_q, xrefs: 06FCD397

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q
API String ID: 0-2441406858
Opcode ID: ea6c3d8e06ee61fcda708f389025b6d3717a9883936d01c2b3ab52de51423dae
Instruction ID: 70b3ef4d46af4231edb15a9fd37f2aa6545f89849506f1f80b07e74da8a9234a
Opcode Fuzzy Hash: ea6c3d8e06ee61fcda708f389025b6d3717a9883936d01c2b3ab52de51423dae
Instruction Fuzzy Hash: EF622C30A0060B9FCB55DB78D691A5EB7A2FF84314B208A69D005DF369DB75FC4ACB81

Function 06FC4BB0 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Odq, xrefs: 06FC4D8B
fdq, xrefs: 06FC4BDB
XPdq, xrefs: 06FC4D01

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: fdq$XPdq$\Odq
API String ID: 0-727959394
Opcode ID: e042ee0f41b4a1fbf636da902e6ad1f7a57c686c9ea00d4d9959856cf8148ef5
Instruction ID: 20f618c9599d139ca9ec945940f3235fd17552bfb23514e0acdb2f80467b9a91
Opcode Fuzzy Hash: e042ee0f41b4a1fbf636da902e6ad1f7a57c686c9ea00d4d9959856cf8148ef5
Instruction Fuzzy Hash: 14618E70F0021A9FEF549FB5C9547AEBAF6FB88310F208429E10AEB395DB754C058B91

Function 06FC9188 Relevance: 2.7, Strings: 2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 06FC921A
$_q, xrefs: 06FC91DF

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q
API String ID: 0-458585787
Opcode ID: bc2c7566c8be52602da534502ec2f0b4277cf6c62e123edb4ca6a11cf329d888
Instruction ID: 02121b1ede07c310e2366c42f2652afa65d785d81377f96f537dc92ca2ac5fe4
Opcode Fuzzy Hash: bc2c7566c8be52602da534502ec2f0b4277cf6c62e123edb4ca6a11cf329d888
Instruction Fuzzy Hash: 47511A70B002069FDB54DF74D9A1BAE73FAEB88710F10856AC409DB798EA749C46CB91

Function 06FC4BA0 Relevance: 2.6, Strings: 2, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fdq, xrefs: 06FC4BDB
XPdq, xrefs: 06FC4D01

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: fdq$XPdq
API String ID: 0-3173836435
Opcode ID: 76988b8f66e51a48e21581f4629bd8617babe6bd99be6e75402ef2863363178e
Instruction ID: cc7f654238c8dab758ee12a2a39cee0ab72f27a16bcb829e19dfd7033c779745
Opcode Fuzzy Hash: 76988b8f66e51a48e21581f4629bd8617babe6bd99be6e75402ef2863363178e
Instruction Fuzzy Hash: 30516D74F002199BEF549FA5C854BAEBAF6FB88700F208529E106EB395DB758C058B91

Function 01D4EDF0 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 01D4EE8F

Memory Dump Source

Source File: 0000000C.00000002.1496746831.0000000001D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d40000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 103f9b1200d2590b9e01e05f50584d0635eb23935f3b386173dfe5fe951acad0
Instruction ID: fae582cb73df0907ebb7b51774ef93ae6d825ab7ef5abb5af3cc81caa18fb2ef
Opcode Fuzzy Hash: 103f9b1200d2590b9e01e05f50584d0635eb23935f3b386173dfe5fe951acad0
Instruction Fuzzy Hash: 6C2152B1C0426A9FDB14DFAAD4447EEBBF4AF48310F11856AD818B7240E778A9458BA1

Function 01D4EE28 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 01D4EE8F

Memory Dump Source

Source File: 0000000C.00000002.1496746831.0000000001D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 01D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d40000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 02590a4faa38eb010e27f55d0bbfdf0cf4bc0390a158e9ec271355214ac0dcae
Instruction ID: e185e51e5851c5c833e69c65a44aa22e83e3f818fba6e8495be2cc8ea4371446
Opcode Fuzzy Hash: 02590a4faa38eb010e27f55d0bbfdf0cf4bc0390a158e9ec271355214ac0dcae
Instruction Fuzzy Hash: 6611EFB5C00659ABDB10DFAAC544ADEFBF4BB48320F15816AD818B7240D379A944CFA5

Function 06FCDB15 Relevance: 1.4, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 06FCDC71

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: PH_q
API String ID: 0-2397113591
Opcode ID: 1a4d541f564c55c994aeb2323e299223a1a34ba6725aad946a60a3a272028809
Instruction ID: 81d1f8b22672ed043062f64e6e1bac5ecaf33772524abd9e4ab8605e7d99e390
Opcode Fuzzy Hash: 1a4d541f564c55c994aeb2323e299223a1a34ba6725aad946a60a3a272028809
Instruction Fuzzy Hash: CA41A070E0060A9FDB64DF65C99069EBBB2FF85310F14893DE805E7254EB70E846CB91

Function 06FCDB28 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PH_q, xrefs: 06FCDC71

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: PH_q
API String ID: 0-2397113591
Opcode ID: 9bb2af32b94380365b190e3c0f79a1d6474b0584c45ce1546a33432df447bd19
Instruction ID: b61cbd79ff07ab8e5ce6837691b83d49205581e1fe1518b225243aea3d0d2681
Opcode Fuzzy Hash: 9bb2af32b94380365b190e3c0f79a1d6474b0584c45ce1546a33432df447bd19
Instruction Fuzzy Hash: 3D417D70E0060A9FDB64DF65C5946AEBBB2FF85310F10893DE405EB254EB70E846CB91

Function 06FC21ED Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

PH_q, xrefs: 06FC233B

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: PH_q
API String ID: 0-2397113591
Opcode ID: 465ee07898f97c1caeff3fb8df6a7296438c8e255056e22ffdc34d7565c94b8b
Instruction ID: 2741233a988316720319232918373639cdeb85c061996d0657700dd5ba0fa9dc
Opcode Fuzzy Hash: 465ee07898f97c1caeff3fb8df6a7296438c8e255056e22ffdc34d7565c94b8b
Instruction Fuzzy Hash: FE319031B002028FEB599B74D2656AE77B2FB88320F14856CD406DB394EF39DE06CB91

Function 06FC2200 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH_q, xrefs: 06FC233B

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: PH_q
API String ID: 0-2397113591
Opcode ID: 75a691bc576f0dc09384b3b93f1bea22e44d7ad43efcb31231d16f0bc4efbe0a
Instruction ID: 3d22d37062845f970d9179cd856d9eb049b9569895b0d34e1be62a4bb6d2f3b8
Opcode Fuzzy Hash: 75a691bc576f0dc09384b3b93f1bea22e44d7ad43efcb31231d16f0bc4efbe0a
Instruction Fuzzy Hash: 01319030B002068FEB589B74D66466F7AE6EB88320F10842CD406DB394EF35DE06C791

Function 06FC80C0 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

$_q, xrefs: 06FC8105

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: $_q
API String ID: 0-238743419
Opcode ID: abaf8413d42b9545e5f8b11983aef16f00860e6ddcae6757bf698e063a436df1
Instruction ID: cc3d7629210579080e1c80cae9464bc2d9facd3b86cdad29a3ebaef6912f3f5f
Opcode Fuzzy Hash: abaf8413d42b9545e5f8b11983aef16f00860e6ddcae6757bf698e063a436df1
Instruction Fuzzy Hash: B901D132E002199FDB648E69DA456AABFF9FB803B0F04046ED925E32A0D7709945C790

Function 06FC4A99 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Odq, xrefs: 06FC4AA5

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: \Odq
API String ID: 0-4257893106
Opcode ID: 8e000a7d8c1b591305d99aecc69d08e6e800ca5216de3ddeafe2d911cd23e65f
Instruction ID: 44e9f827c09a6b57718ca85d6741ee1daa721ab3f884a9617c4359a36ed3145e
Opcode Fuzzy Hash: 8e000a7d8c1b591305d99aecc69d08e6e800ca5216de3ddeafe2d911cd23e65f
Instruction Fuzzy Hash: 99F0FE70E2012ADFDB54DF94E9A9BAE7BB2FF84715F204129E402A7294CB715C01CB80

Function 06FCB26F Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9fed3d3fbb3a836288b6a998dd2f0ebe78c201b93550d46da37e672fc7abd0c
Instruction ID: 172a04fcb7d935849a6c0d1c9f969231702287ed05a151c06c4810bb67b2a6e1
Opcode Fuzzy Hash: e9fed3d3fbb3a836288b6a998dd2f0ebe78c201b93550d46da37e672fc7abd0c
Instruction Fuzzy Hash: A0A19874F0020A9BEF64CA6CD6917AE76F6FB89320F20482DE405DB395DA35DC458B52

Function 06FC6230 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1201ab70c9ce3105357e1062faaa67b8a83cafeb69c66f6063313f501851787b
Instruction ID: 21281fdb53569b8e911d914afe01c5f1844409389ec44aef53125e14d2d44f85
Opcode Fuzzy Hash: 1201ab70c9ce3105357e1062faaa67b8a83cafeb69c66f6063313f501851787b
Instruction Fuzzy Hash: 9C6192B1F401224FDF549A7EC8906AFBAD7AFD4224B154439E80EDB364DE65DD0287C2

Function 06FC42E1 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c8919ca28eb873bbbd922335a076c6c27ffbc62852c48609aec0be905bb817
Instruction ID: de30f030b2934d9de15ed66f6ddd450df19b2e63618090532ff85ef0ec859726
Opcode Fuzzy Hash: 81c8919ca28eb873bbbd922335a076c6c27ffbc62852c48609aec0be905bb817
Instruction Fuzzy Hash: 25814C70F1020A8BDF54DFA9D5A079EB7F6BB85314F108528E40ADB394EB74DC468B91

Function 06FC42F0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cdcbee14838ec0102f6de5a1c97ad9fec46834e8a152f291e60cb2addec171a
Instruction ID: f7998607ddb8edcc0c57fb945862a7d4c03272640949ba1a372c09b04e3ca829
Opcode Fuzzy Hash: 5cdcbee14838ec0102f6de5a1c97ad9fec46834e8a152f291e60cb2addec171a
Instruction Fuzzy Hash: 28813C70F1020A8BDF44DFA9D5606AEB7F6AF89314F108429E40ADB394EB74DC468B91

Function 06FC4600 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68728aa1e08e1796337460dd76ca08aa9b334c76d3c92266bbb26f360d8193fe
Instruction ID: d20ba4c8135d005cfca27af66357af3883fcd67598e7f1e996078cabb085d47e
Opcode Fuzzy Hash: 68728aa1e08e1796337460dd76ca08aa9b334c76d3c92266bbb26f360d8193fe
Instruction Fuzzy Hash: 20916E30E0061A8FDF60CF64C990B9DB7B1FF89310F208699D449BB295DB70AA85CF91

Function 06FC4618 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d2ed4d0349cebce5183b0bf28d32e461d1b3e48cc4b4bd30894141568d769d
Instruction ID: 105a1d387aa520a6caf929c3c820ca221bef54d4c0342e0065564ae45971e9b0
Opcode Fuzzy Hash: e2d2ed4d0349cebce5183b0bf28d32e461d1b3e48cc4b4bd30894141568d769d
Instruction Fuzzy Hash: 5E915E30E1061A8BDF60DF68C990B9DB7B1FF89310F208599D44DBB294DB70AA85CF91

Function 06FCEF88 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6dd819dee8f0093edbbe281be9e54e2758e4d9a7276f940003151590d3276cf
Instruction ID: 1bb9ff2901b69b51ff22e146b4bc133c2523e762726e40622d3c77f2884e45cd
Opcode Fuzzy Hash: f6dd819dee8f0093edbbe281be9e54e2758e4d9a7276f940003151590d3276cf
Instruction Fuzzy Hash: CF711970E0120A9FDB54DBA9DA90AADFBF6FF84310F248469E005EB254DB30ED46CB51

Function 06FCEF78 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1728f8e43f0deefb991b841286b2c68e4b29adb6f84bb642836e600f7c182269
Instruction ID: 28ad88aaa26984e6e4b245ee2c5a7524f03f41e3df78bc4212c646e652bec7c4
Opcode Fuzzy Hash: 1728f8e43f0deefb991b841286b2c68e4b29adb6f84bb642836e600f7c182269
Instruction Fuzzy Hash: 80713B70E0120A9FDB54DBA8DA90AADFBF6FF84310F248469D015EB254DB30ED46CB51

Function 06FCF9C1 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9464dcb2e0647a55ef8d26d16b3bf56f2ffdbcca5a201f6d11c41649c7acba1b
Instruction ID: 6774c756d032871e34fcc8bad056d72d36a42edb6897514ce7df938d70c9aacb
Opcode Fuzzy Hash: 9464dcb2e0647a55ef8d26d16b3bf56f2ffdbcca5a201f6d11c41649c7acba1b
Instruction Fuzzy Hash: 7551EB70F112179BEF64566CD95477F6A5BEBC9320F20482EF40AC73A8CA29CC4597A3

Function 06FCFC20 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac901cdbf8d41b8f84e34c060cfc1dde22b29928253c2ad16cfa1d13db34c5cd
Instruction ID: d60b277f689aa63a5df3cf76ab55faf6b3fd6065c9e578a3514c80c3d69dd442
Opcode Fuzzy Hash: ac901cdbf8d41b8f84e34c060cfc1dde22b29928253c2ad16cfa1d13db34c5cd
Instruction Fuzzy Hash: 4251CE31E0110A9FDF64EB68E5846ADFBB3FF84325F208869E106D7250DB359945CB81

Function 06FCF9D0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359f6a08ad9329e96712bb717ba99a1b12a3a194eff4dffcc3f17e34ae997bd3
Instruction ID: fe9c8773bc6c16fb1b7c7474861b45ce629fe963575162a00daede43bba8c059
Opcode Fuzzy Hash: 359f6a08ad9329e96712bb717ba99a1b12a3a194eff4dffcc3f17e34ae997bd3
Instruction Fuzzy Hash: F4519970F112079BEF64566CDA5476FA65BEBC9320F20482DF40AC73A8CA69CC4597A3

Function 06FC55D8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b9307415c6c2f331cee59c319b53ed711463180f0f23d26fbb04a68c9859ff
Instruction ID: 01e4a1f568336cabd87c6c624fbddb37ec6d2c78fab9b22a2dd76d7b6d884c9a
Opcode Fuzzy Hash: 21b9307415c6c2f331cee59c319b53ed711463180f0f23d26fbb04a68c9859ff
Instruction Fuzzy Hash: 82519474E1050A8FDF718A69C6C077EBBB2EF85320F24882DD059DB681C675F891EB91

Function 06FC5468 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931deafb488caaac396733ba3269da8115eb379b152c2a103d2c76a2483be5b4
Instruction ID: 249d8ed69f04633cbcab4b34e2000bb66e9318f1d4b9995a63af3b1a0fd9d2c4
Opcode Fuzzy Hash: 931deafb488caaac396733ba3269da8115eb379b152c2a103d2c76a2483be5b4
Instruction Fuzzy Hash: 7B413E71E0060A8FDF70CEA9D981AAFF7B6FB84324F10492AE116D7650D730F9658B91

Function 06FCD9C8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835586b8c488900934ba74987ad8a54a224b50b5fe55ca093636ee56693499b7
Instruction ID: 1916e0edc81fcef76a3707b0373ca33f53ba5d3efee8cea168c06998bda47da0
Opcode Fuzzy Hash: 835586b8c488900934ba74987ad8a54a224b50b5fe55ca093636ee56693499b7
Instruction Fuzzy Hash: 5831B030E1060B9BDF24CF74D99069EBBB6FF85314F108539E405EB255EBB0A946CB81

Function 06FC20B0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542c94455cd71c9a3732c7ed156849aa218289e94be7dd480ef2f7d6af38bcae
Instruction ID: 85f05b5d2b4e6a0bb56ee15c05fe67161dfb2e8fce61b20bc090856a26019712
Opcode Fuzzy Hash: 542c94455cd71c9a3732c7ed156849aa218289e94be7dd480ef2f7d6af38bcae
Instruction Fuzzy Hash: A3317E30E1060ADFDB54CF68D99569EB7B2FF89310F108929E806E7350DB71AD42CB50

Function 06FC20C0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d94be8c8d5d33bfdbbcfc64175bcd88639ae1931d1ca66b715661509d4bfa60
Instruction ID: ac948233332f25615652067ff8018ded13bc3771827c5f5b9518d30a95f19be4
Opcode Fuzzy Hash: 9d94be8c8d5d33bfdbbcfc64175bcd88639ae1931d1ca66b715661509d4bfa60
Instruction Fuzzy Hash: 13318E30E1060ADFDB58CF69D99569EB7B2FF89310F108929E906EB350DB71AD42CB50

Function 06FC3EF8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2ae0f9dc45120ca29701db811a159acc9e21102eb08c52c42cfa983ba6f0bd
Instruction ID: 051b6c20364c069d1a3170604af9124789958a3a1abba3c00acf17b44d5f70c2
Opcode Fuzzy Hash: 3a2ae0f9dc45120ca29701db811a159acc9e21102eb08c52c42cfa983ba6f0bd
Instruction Fuzzy Hash: 85219AB2F002169FEB44CF69DA80AAEB7F5EB48360F108029E905E7380E735DC05CB91

Function 06FC3EE9 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d99619725abde262c16c04938289fa421f25a0b92613480a2c962b1d32081e5
Instruction ID: 910659b2cb11e8cb44e0fdd48dffb9302dba250091e86d56d16a280249477bcc
Opcode Fuzzy Hash: 0d99619725abde262c16c04938289fa421f25a0b92613480a2c962b1d32081e5
Instruction Fuzzy Hash: 0C216DB6F102069FDB44CFA8D940AADB7F5EB48310F108429E905E7350E735D905CB91

Function 06FC5459 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc2546331d17a3ae7fa88a3498f94c254d0ecd524ed80dc0e2ea3188312e806
Instruction ID: c24bade404c89291562181291db4322ea0c94c7bc0a83ed286f6caef887a89d6
Opcode Fuzzy Hash: cfc2546331d17a3ae7fa88a3498f94c254d0ecd524ed80dc0e2ea3188312e806
Instruction Fuzzy Hash: 40219D71E0060A8BCF60DEA9CDC16AFFBF6FB88320F504929D116D6690D770B955CB90

Function 015AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1494313416.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_15ad000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7c84e2db78cd4bfe39d9e2a2ab4f1b97aeedd7f0c5366fb69fcca43e5b4049
Instruction ID: 9277939e988c5f69c6161af3e041922b52222dfec56e5163935b6c7d5d39a4d0
Opcode Fuzzy Hash: 9c7c84e2db78cd4bfe39d9e2a2ab4f1b97aeedd7f0c5366fb69fcca43e5b4049
Instruction Fuzzy Hash: 29214575184200DFCB11EF58C980B2ABFB1FB84314F60C56DE8090F656D336D406CA61

Function 015AD006 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1494313416.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_15ad000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f90f428e03cd76ffba71d1f24a8c36bc265fb2e61158095158fe3c975aca1c3
Instruction ID: b7f1ed1b6ddf12153b78523c3d422cc2a6d0c5700f2b9b47e6ddb46b679dee2c
Opcode Fuzzy Hash: 3f90f428e03cd76ffba71d1f24a8c36bc265fb2e61158095158fe3c975aca1c3
Instruction Fuzzy Hash: C5216B751493C09FCB03DB64C990715BF71BB46214F29C5EBD8898F6A3D23A981ACB62

Function 06FC4008 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c24c382c64697bcb06fdf287e4ed4cc31001e5dccf3705ffd28c68c6a4af00
Instruction ID: 07a16720afaf12997889d7d2b8bf316c7f51c6fa483bf5f99e1d54263c404ce3
Opcode Fuzzy Hash: 38c24c382c64697bcb06fdf287e4ed4cc31001e5dccf3705ffd28c68c6a4af00
Instruction Fuzzy Hash: 1011E132B501298FDF54D678D8206AE73EAEBC8321F008439D50AE7344EE65CC068BE2

Function 06FC4240 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be8a18fff40f1ab4abe32c10eb51d9ac074929987b10fca053dd7d6428f6f39
Instruction ID: 44abc41fde4da3999ea76ae48ce708e6dbd43acf6413e56c6de0f01c6ae5d4b8
Opcode Fuzzy Hash: 9be8a18fff40f1ab4abe32c10eb51d9ac074929987b10fca053dd7d6428f6f39
Instruction Fuzzy Hash: 09012431F000120BEB58C5ADD97279BA2DAEBC4331F20843EE14AC7740EE65DC028390

Function 06FCF1F8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5feba2a30aabfd9e1c5fc7114c8d8484c3960f68746b66ee7647cf722ec4dd9
Instruction ID: 115b7b6d1470d02c082e4414fbaeb5df5b662735ef6ebcb777b51fa12b9eb588
Opcode Fuzzy Hash: f5feba2a30aabfd9e1c5fc7114c8d8484c3960f68746b66ee7647cf722ec4dd9
Instruction Fuzzy Hash: BD012F39F110124FDB6186B8A9617ABA7DBDFCA230F10886EF10AC7350EA24DC064391

Function 06FC3FF9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18f4a6e57274cbb3fc26b51b0396c0d3c250ddfc64ec7388fe4e345ad42b149
Instruction ID: 379affd503230fd318b04fdbe0f7e4c882dac7f3b282c29e42f817a868a31056
Opcode Fuzzy Hash: e18f4a6e57274cbb3fc26b51b0396c0d3c250ddfc64ec7388fe4e345ad42b149
Instruction Fuzzy Hash: 2901DF32F501264BEF549668D8206EF76EAEBC8321F005139D54AD3284EE648C0687E2

Function 06FCA350 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d6caec7c0d70f809dfce9f6ca787f669a1716db50a2a3cbff9f6781725f178
Instruction ID: 3b713fddf418dbaf94d62251946d65e778808b021e95f30bf146b0861e8ad8f1
Opcode Fuzzy Hash: 15d6caec7c0d70f809dfce9f6ca787f669a1716db50a2a3cbff9f6781725f178
Instruction Fuzzy Hash: 3A018430F1011A8BDB50D978D9A675F73E6E789720F204538E14AC7354EA2BFC028784

Function 06FC3CC8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04d9e206e18c597a6694988cccd4af2dba8d73f6f2e1981f743c8ac69367140
Instruction ID: 8c3ef2c8b17cb3a9034fdd139cec8e96cae8f9a3ed4bf1953340cf2f9a6dff07
Opcode Fuzzy Hash: d04d9e206e18c597a6694988cccd4af2dba8d73f6f2e1981f743c8ac69367140
Instruction Fuzzy Hash: CC11B3B5D01259AFCB00DF9AD984ADEFFB4FB49310F10812AE918B7240D3756954CFA5

Function 06FC3CC0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac40ff04f99c7c03ad1dc913c43307da6df8af85918e170277bf145a9393e51
Instruction ID: 19ae34aaba6a5b16e98b16dd8d65165a85cdab201dd766484defefe5649b2256
Opcode Fuzzy Hash: 1ac40ff04f99c7c03ad1dc913c43307da6df8af85918e170277bf145a9393e51
Instruction Fuzzy Hash: C711D0B5D00219EFCB00DF99D984ADEFBB4BB48310F10812AE918B7210D374A944CFA5

Function 06FC4250 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d54d5993d4e13f2b89d787abf99aad2ec2bd8b326b474df08efd799f18b7b9d
Instruction ID: 62229079bab5c13614e2b5444691a41d11dd27cc3d3c8f686a44e4fab1b63277
Opcode Fuzzy Hash: 6d54d5993d4e13f2b89d787abf99aad2ec2bd8b326b474df08efd799f18b7b9d
Instruction Fuzzy Hash: 5501D131F104160BEB649ABDE572BAFA6DAEBC9731F10843EE10AC7344EE61DC024395

Function 06FCF208 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5277d433daadd94cf4399251cbcc2cb11ef25c579584528c77587032573a2b2
Instruction ID: dd43df51ef88c5897a4209caba5b3b600f65686ea07992aa01b54313e52bf1d0
Opcode Fuzzy Hash: f5277d433daadd94cf4399251cbcc2cb11ef25c579584528c77587032573a2b2
Instruction Fuzzy Hash: 2601D139F100124BDF6495BDA96076FA6D7DFC9630F10843EE10AC7350EE21DC024385

Function 06FCA360 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edbeff32fe4ebc48a8b42b1e339a5b3ef866fd1a52aca36567701e607bcad1e
Instruction ID: 10a5d8396ae3c5be711301d82f7824fc19bea2d123906f90585c8065315a5f95
Opcode Fuzzy Hash: 5edbeff32fe4ebc48a8b42b1e339a5b3ef866fd1a52aca36567701e607bcad1e
Instruction Fuzzy Hash: 7F018630F1011A8BDB51DA78D96571F73D6FB89720F10842CE14AC7354EA27FC018785

Function 06FCC830 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a54190b28790b87d898e54a03d2340812d3b5a6d56a31d0845bd3d999da3a1
Instruction ID: cf7de57f57114fef75ed307d4b2105aa77778699c4dd600857ad2c4c521325fe
Opcode Fuzzy Hash: b1a54190b28790b87d898e54a03d2340812d3b5a6d56a31d0845bd3d999da3a1
Instruction Fuzzy Hash: F4F0A032E202699BDB54D965EC04A9AB739FB84364F104429EE05E7240DA36AC05CBD0

Function 06FC64C8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d124b261bd5f6de9eb3ac609dd1d7fbe9fc6a93b35130c34e1e88ce4c34594
Instruction ID: b13e63a743e83ec5de4edf55a27e8a1b4d45f656d835d012541105ced4dc562c
Opcode Fuzzy Hash: 94d124b261bd5f6de9eb3ac609dd1d7fbe9fc6a93b35130c34e1e88ce4c34594
Instruction Fuzzy Hash: 1CE01271E1810EABDF60DEB4DB5575FB7ADFB02224F2088A9E408D7241E176DE018780

Function 06FC64B8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d693673ca222e119d5c53870e9b0dc7c42ebff8e8ebf2a4f63332dd7724fb0fa
Instruction ID: 048e6fcb3c16c914f4d7e67fe5ecc67b26a3e449357f471432b5d95e78b18350
Opcode Fuzzy Hash: d693673ca222e119d5c53870e9b0dc7c42ebff8e8ebf2a4f63332dd7724fb0fa
Instruction Fuzzy Hash: BAE02031D1D39A5BEB51CB64C6153597764EB03238F1485DFE854CB182C179CF06CB81

Non-executed Functions

Function 06FC76E8 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$_q, xrefs: 06FC7BB0
$_q, xrefs: 06FC7824
$_q, xrefs: 06FC7BBC
$_q, xrefs: 06FC7C5B
$_q, xrefs: 06FC77F3
$_q, xrefs: 06FC7C71
$_q, xrefs: 06FC7C65
$_q, xrefs: 06FC77FF
$_q, xrefs: 06FC7C4F
$_q, xrefs: 06FC7830

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-698649689
Opcode ID: 985fb6f8c5a35dbfc5a38a4f2ba455f6a1344009542c2c1df1f4b696b8495c5e
Instruction ID: 8681a7aae0804be5eebd1fd87abe2c66d7b07fdcc87a30a93c2996956dc843c0
Opcode Fuzzy Hash: 985fb6f8c5a35dbfc5a38a4f2ba455f6a1344009542c2c1df1f4b696b8495c5e
Instruction Fuzzy Hash: 4D122C30E0021ACFDB68EF65C994A9EB7F6FF84314F208569D409AB264EB319D45CF81

Function 06FCA980 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$_q, xrefs: 06FCAA76
$_q, xrefs: 06FCAB08
$_q, xrefs: 06FCAAFC
$_q, xrefs: 06FCAADD
$_q, xrefs: 06FCAB32
$_q, xrefs: 06FCAA82
$_q, xrefs: 06FCAB3E
$_q, xrefs: 06FCAAD1

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-2216122830
Opcode ID: 86b98e77c756f781b04db569d552f480fcfeadb6c3b560c44933179569084ae6
Instruction ID: c185fe1b12f6295c61f0f1ce3c27c5b99e2bbb7d087000fd2733f4827744c881
Opcode Fuzzy Hash: 86b98e77c756f781b04db569d552f480fcfeadb6c3b560c44933179569084ae6
Instruction Fuzzy Hash: CD913870E0020EDFEB68DB64DA94BAE77B6FB84314F10852DE40297294DB75ED45CB90

Function 06FC70E8 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$_q, xrefs: 06FC75FC
$_q, xrefs: 06FC75F0
$_q, xrefs: 06FC73CA
$_q, xrefs: 06FC7430
$_q, xrefs: 06FC7584
$_q, xrefs: 06FC7424
.5wq, xrefs: 06FC7143

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: .5wq$$_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-3129995876
Opcode ID: eafafe1a4a9d25cfd6796bba7e778062879cbd0b8b8f6ee398abf3f5844fe819
Instruction ID: 9096d62104da5ca8fbddea41f4c11e06fb04493028b83134de8855f7370b3f39
Opcode Fuzzy Hash: eafafe1a4a9d25cfd6796bba7e778062879cbd0b8b8f6ee398abf3f5844fe819
Instruction Fuzzy Hash: 13F14D70B00206DFDB58EF68C594AAEB7B6FF84310F248569D4059B3A8DB35AC46CF91

Function 06FC8418 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$_q, xrefs: 06FC867E
$_q, xrefs: 06FC8672
$_q, xrefs: 06FC86E3
$_q, xrefs: 06FC86D7

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q
API String ID: 0-1171383116
Opcode ID: b6be0536439dfc87da30ec67722c21c3a11743c59007f2439ac1e4a4eff01f53
Instruction ID: b9bc332b49076989d33fdc94fbe631024b7bca3d9005bf9c2ff27a40053e4f4e
Opcode Fuzzy Hash: b6be0536439dfc87da30ec67722c21c3a11743c59007f2439ac1e4a4eff01f53
Instruction Fuzzy Hash: 1CB13A30E1020ACFDB58DF68C6946AEBBB6FF84350F248569D4169B3A4DB74DC46CB90

Function 06FCAD08 Relevance: 5.2, Strings: 4, Instructions: 176COMMON

Download Yara Rule

Strings

$_q, xrefs: 06FCAE8C
$_q, xrefs: 06FCAE39
$_q, xrefs: 06FCAEBB
$_q, xrefs: 06FCAEE4

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q
API String ID: 0-1171383116
Opcode ID: 136fc996040171ae10dbdf0072dfee34b9fb44532d1f69f6274881a821d201d2
Instruction ID: 649d7b2734ff490c349a5f0b723aabad7bc76edfed981cf2959dc973849a51b3
Opcode Fuzzy Hash: 136fc996040171ae10dbdf0072dfee34b9fb44532d1f69f6274881a821d201d2
Instruction Fuzzy Hash: 89518030E1020ACFDF65DB68DA806AEB7B6FB84321F14856AE805DB354DB35EC45CB91

Function 06FC8830 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR_q, xrefs: 06FC8972
$_q, xrefs: 06FC88AF
LR_q, xrefs: 06FC8923
$_q, xrefs: 06FC88BB

Memory Dump Source

Source File: 0000000C.00000002.1503133014.0000000006FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6fc0000_adobe.jbxd

Similarity

API ID:
String ID: LR_q$LR_q$$_q$$_q
API String ID: 0-2912794808
Opcode ID: 0e40ca290d74cdd7396b16d84e50eae5654af81d7acb75552783b2115c2c7f66
Instruction ID: 709a6d44f9b66c2f7185ee912cba2790164d00e0cdcebbfafe3e895f0ea683f8
Opcode Fuzzy Hash: 0e40ca290d74cdd7396b16d84e50eae5654af81d7acb75552783b2115c2c7f66
Instruction Fuzzy Hash: E151A030B002039FDB58DB28CA90A6A7BE6FF84354F14856DE416DB3A9DB35EC05CB91

Analysis Process: adobe.exePID: 7888, Parent PID: 2592COMMON

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	47
Total number of Limit Nodes:	5

Executed Functions

Function 0163B0D0 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0163B326

Memory Dump Source

Source File: 0000000E.00000002.1495868332.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1630000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3c810205728e834e92190b4646a32201e2232a907b34e98a37f14dd84640475e
Instruction ID: fbc1390a8997350ef89833b93d634538ca559b140c924a5424af5ce1a6db60b2
Opcode Fuzzy Hash: 3c810205728e834e92190b4646a32201e2232a907b34e98a37f14dd84640475e
Instruction Fuzzy Hash: 98710070A00B058FD724DF69D99476ABBF1BF88300F108A2DD48ADBB50DB74E949CB90

Function 01634248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016359C9

Memory Dump Source

Source File: 0000000E.00000002.1495868332.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1630000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 510e9ac5bfa24aff73c5a5a9217a121eab605e6d3d79905ecf85480eefa5b492
Instruction ID: 18f5df1fcc7c72244890a9fb037e28bb446e969f84d26e778179a1fd896ce3df
Opcode Fuzzy Hash: 510e9ac5bfa24aff73c5a5a9217a121eab605e6d3d79905ecf85480eefa5b492
Instruction Fuzzy Hash: 3E41C1B0C0071DCBDB24DFA9C884B9EBBB5BF89304F60816AD409AB255DB756946CF90

Function 0163590D Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016359C9

Memory Dump Source

Source File: 0000000E.00000002.1495868332.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1630000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b172de1ddd977b897984728c5417e490ae54aa2d58ca900aa8ae48e6b1204137
Instruction ID: 11e44566c22103e58511bdc8b3695d98fbe0fe73a686d40c707a4f4bad6063a1
Opcode Fuzzy Hash: b172de1ddd977b897984728c5417e490ae54aa2d58ca900aa8ae48e6b1204137
Instruction Fuzzy Hash: 3341E0B1C0071DCBDB24CFA9C9847CEBBB5BF49308F20806AD409AB265DB756946CF50

Function 0163CC30 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0163D566,?,?,?,?,?), ref: 0163D627

Memory Dump Source

Source File: 0000000E.00000002.1495868332.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1630000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 340e00d43e64c1668ceb1afb46f2589f82684a2153fc0b61c60b43add747250a
Instruction ID: 02a57777af598134de2cb1c1bcde92a363b96da36f7351545e3c54f49645203d
Opcode Fuzzy Hash: 340e00d43e64c1668ceb1afb46f2589f82684a2153fc0b61c60b43add747250a
Instruction Fuzzy Hash: AC21E4B5D00258AFDB10CFAAD984ADEBFF4EB48310F54845AE918B3350D374A954CFA4

Function 0163D599 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0163D566,?,?,?,?,?), ref: 0163D627

Memory Dump Source

Source File: 0000000E.00000002.1495868332.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1630000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 773a706cf15f7cecf29c3170b6c8885daedb0565b2d531ceddb79956c4d4ab51
Instruction ID: ec975994f76bec8f827edb681e53da16383f6d769f8fb7b42e59fd30bb5ee33d
Opcode Fuzzy Hash: 773a706cf15f7cecf29c3170b6c8885daedb0565b2d531ceddb79956c4d4ab51
Instruction Fuzzy Hash: C521E2B6D00208DFDB10CFAAD985ADEBBF4FB48310F14845AE918A3310D378A944CFA4

Function 0163B2C0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0163B326

Memory Dump Source

Source File: 0000000E.00000002.1495868332.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1630000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 786f9375bbad83465411e6fb9f51943c870c894313268e5cec55f31b1a4f0ca6
Instruction ID: e716e67f3a2935f6b83b5f9472be2f048ead9913fde92778f1bb411790c06f6c
Opcode Fuzzy Hash: 786f9375bbad83465411e6fb9f51943c870c894313268e5cec55f31b1a4f0ca6
Instruction Fuzzy Hash: 0311FAB68003498BDB10DF9AD844A9EFBF4AB88320F10856AD929B7210C379A545CFA1

Function 05707438 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0570939D

Memory Dump Source

Source File: 0000000E.00000002.1498771925.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5700000_adobe.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 55609b5c42e6161d826f792ca76feaef9460a186bb79bdd5dafe29609eccf821
Instruction ID: 05a31cd868dc31c4808eb505e0f3cf8b396256cda8b442954c582d780314dc98
Opcode Fuzzy Hash: 55609b5c42e6161d826f792ca76feaef9460a186bb79bdd5dafe29609eccf821
Instruction Fuzzy Hash: A011F2B5804348DFCB10DF9AD884BDEFBF8EB48310F108459EA19A7281C375A944CFA5

Function 0570933A Relevance: 1.5, APIs: 1, Instructions: 45
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0570939D

Memory Dump Source

Source File: 0000000E.00000002.1498771925.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5700000_adobe.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 800d67daa43cb237f6b859c0e333542fe23800415584b860d59e5f0a922556ef
Instruction ID: d881a3a83acb7bf0e9e94ab44abbe935f0c49a2672db167742042117f133482b
Opcode Fuzzy Hash: 800d67daa43cb237f6b859c0e333542fe23800415584b860d59e5f0a922556ef
Instruction Fuzzy Hash: 7C11F2B58042489FDB10DF9AD885BDEFBF8EB48310F10845AE918A3241C375A944CFA1

Function 0570629C Relevance: 1.3, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,05706C49,?,?), ref: 05706DF0

Memory Dump Source

Source File: 0000000E.00000002.1498771925.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5700000_adobe.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 713febdd9bf00b0674c22a1b48d4ef59b5004d3c189a22f979141937f18a92ca
Instruction ID: 9ab12b1f71d2f32b1f9e2bd1cc07fc3b2d460176aa6621cba2e797037b39790f
Opcode Fuzzy Hash: 713febdd9bf00b0674c22a1b48d4ef59b5004d3c189a22f979141937f18a92ca
Instruction Fuzzy Hash: 8B1125B1804359CFCB20DF99C585BDEBBF4EB48320F108469D559A7240D378A954CFA5

Function 05706D91 Relevance: 1.3, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,05706C49,?,?), ref: 05706DF0

Memory Dump Source

Source File: 0000000E.00000002.1498771925.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5700000_adobe.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b13a1f912591f11af4b0df997094ea743f5a2ffa5784dcf5034778b68b1f4adc
Instruction ID: e41ab4e5fce8e8925bfed8ee0f5a17d362a34fb5786c0e18de99ed05521c1b59
Opcode Fuzzy Hash: b13a1f912591f11af4b0df997094ea743f5a2ffa5784dcf5034778b68b1f4adc
Instruction Fuzzy Hash: 461136B2804349CFDB10DF99C585BDEBBF4EB48320F108469D559A7340D338A944CFA5

Function 015BD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1494911299.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_15bd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96426af4a7c8ca707c63ca333b46ea7af5bc1362e7f13b24d8695ebf73ca0cf
Instruction ID: e81118485c787faa1a959ae35a7836b8c52c5b6d0616656bb9792cb958dd1888
Opcode Fuzzy Hash: f96426af4a7c8ca707c63ca333b46ea7af5bc1362e7f13b24d8695ebf73ca0cf
Instruction Fuzzy Hash: A821E2725042809FDB05DF98D9C0B6AFFB5FB88328F208569E9090E256C336D416CBA1

Function 015CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1495022092.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_15cd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f04f344ad2d6fc58dfb7eab32a9f36901a90b6cf0cfa38eb6e0de8d1f8d273
Instruction ID: 522faa1e9cc5b23b31190032b483e57eb050a36e4630bece3db2e2f1efeea674
Opcode Fuzzy Hash: 61f04f344ad2d6fc58dfb7eab32a9f36901a90b6cf0cfa38eb6e0de8d1f8d273
Instruction Fuzzy Hash: 1421F1755042049FCB15DF9CD580B26BBB5FB84714F20C97DE80A9F256D33AD406CAA1

Function 015CD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1495022092.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_15cd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47770725511828683d556fa3ffb441634aaa9d9b60e781f7a456aa2873d1ee12
Instruction ID: c08a7402d4137aa2a1b6f28cf35e3a04623f740a04b74744715830d990c4c2cc
Opcode Fuzzy Hash: 47770725511828683d556fa3ffb441634aaa9d9b60e781f7a456aa2873d1ee12
Instruction Fuzzy Hash: D521AF355083808FCB02CF68C594715BF71FB46214F28C1EAD8498F6A3C33A980ACBA2

Function 015BD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1494911299.00000000015BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_15bd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e913fbe4a6093fe52002ebff3728cbe293fe76fa7d723964536c1d21f6342d
Instruction ID: 2109a0231af8e615ba89e55d81e3ee3e2d94d7c9bb190d2bbf89a1571c592cb8
Opcode Fuzzy Hash: 21e913fbe4a6093fe52002ebff3728cbe293fe76fa7d723964536c1d21f6342d
Instruction Fuzzy Hash: 9F219D76504284DFDB06CF54D9C4B5AFF72FB84324F24C5A9ED090A656C33AD42ACBA1

Analysis Process: adobe.exePID: 7924, Parent PID: 7888COMMON

Execution Graph

Execution Coverage:	13.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	4

Executed Functions

Function 06442788 Relevance: 9.0, Strings: 6, Instructions: 1496COMMON

Download Yara Rule

Strings

$_q, xrefs: 06443BDC
$_q, xrefs: 06443BD0
$_q, xrefs: 06443C00
$_q, xrefs: 06443BA7
$_q, xrefs: 06443BB3
$_q, xrefs: 06443BF4

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-155944776
Opcode ID: 99d18b93664587286e0778a3f336ceab95de544062486913751bebf0f607e2d0
Instruction ID: 999536ccd234ce0938a0d814ff41973f9ae65b824e66d38450eca687d1dd194c
Opcode Fuzzy Hash: 99d18b93664587286e0778a3f336ceab95de544062486913751bebf0f607e2d0
Instruction Fuzzy Hash: 47D26B34E006058FDB65EF65C485A9EB7F2FF89300F5485AAE409AB365DB70ED85CB80

Function 0644B280 Relevance: 8.3, Strings: 6, Instructions: 770COMMON

Download Yara Rule

Strings

$_q, xrefs: 0644BC25
$_q, xrefs: 0644BBF1
$_q, xrefs: 0644BC65
$_q, xrefs: 0644BBFD
$_q, xrefs: 0644BC59
$_q, xrefs: 0644BC31

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-155944776
Opcode ID: 877bca5ded7c8503353a87f0c09f223f6cbe6872f967bd82cf1c02bd43ae2581
Instruction ID: a9b247a856e2d864ddc20ebd53a6c93e66bd066fb1bee3061e7d22d6ff63ea16
Opcode Fuzzy Hash: 877bca5ded7c8503353a87f0c09f223f6cbe6872f967bd82cf1c02bd43ae2581
Instruction Fuzzy Hash: CE526D30E102098BEF65EB68D5817AEB7F2FB45310F24886AE405EB395DB35DC85CB91

Function 06447DC8 Relevance: 3.0, Strings: 2, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 06448111
$_q, xrefs: 06448105

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q
API String ID: 0-458585787
Opcode ID: 461a7de577572cae315862699b5750a746b9b63a1d2f9429c782882f2cac2a81
Instruction ID: 056eab01111d49ae217a39130960ae21ed339a594f4e6cda5d4d4bbc08eee387
Opcode Fuzzy Hash: 461a7de577572cae315862699b5750a746b9b63a1d2f9429c782882f2cac2a81
Instruction Fuzzy Hash: 0102BD30B002058FEB59EB64D9957AEB7E2FF84304F25856AE409DB795DB31EC46CB80

Function 064455E8 Relevance: 1.8, Strings: 1, Instructions: 594
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 06445939

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 099379aab524a22ae893e56819074cef606bb2dcdf486d14efb00c707e7fce89
Instruction ID: 12b7b0826e814fa71018980934a160146fa83083cf1bf8423d471661177c7af3
Opcode Fuzzy Hash: 099379aab524a22ae893e56819074cef606bb2dcdf486d14efb00c707e7fce89
Instruction Fuzzy Hash: 4C22E275E002049FEF69EBA4C4816AFBBF2EF84314F24846AD409EB344DA35DD46CB91

Function 06446638 Relevance: .8, Instructions: 813COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690c98811c67d18ef91466ca45783be16a510a35c6657b0abb0c83ee6e7a25ec
Instruction ID: 37cd453fbb54fae468e4c6ee9e8825fd69b1dd612a53140f796bfede2be11d5c
Opcode Fuzzy Hash: 690c98811c67d18ef91466ca45783be16a510a35c6657b0abb0c83ee6e7a25ec
Instruction Fuzzy Hash: B562AF34B002048FEB55EB68D585BAEB7F2EF89314F25846AE405EB354DB35ED46CB80

Function 0644C1D8 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90fd401c53d2f0dec0b520d715aa0c935910a121f87f1c56ae90eb7851121346
Instruction ID: 15365b232d01f51b54c89db92f8a0b955548aa14460a6c1afe220a15ab1ea75c
Opcode Fuzzy Hash: 90fd401c53d2f0dec0b520d715aa0c935910a121f87f1c56ae90eb7851121346
Instruction Fuzzy Hash: 19329D30A112059FEB55EB68D9C1BAEB7B2FB88310F14856AE405EB355DB35EC42CB90

Function 0644AD18 Relevance: 10.4, Strings: 8, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 0644AE45
$_q, xrefs: 0644AEC7
$_q, xrefs: 0644AEBB
$_q, xrefs: 0644AE8C
$_q, xrefs: 0644AEE4
$_q, xrefs: 0644AE98
$_q, xrefs: 0644AE39
$_q, xrefs: 0644AEF0

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-2216122830
Opcode ID: acaeda5d25a1ff6b36f1ae66db0a0050c1466a0daa52cfe29b8ae793ef9c84b8
Instruction ID: 227c818ae09f50852b358c46739dd082eba660325b367b7b85b9a6ab07947b3e
Opcode Fuzzy Hash: acaeda5d25a1ff6b36f1ae66db0a0050c1466a0daa52cfe29b8ae793ef9c84b8
Instruction Fuzzy Hash: D3E16030E5020A8FEB69EB65D5856AEB7F2FF85304F20852AE4159B359DF30DC46CB81

Function 06449198 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 0644921A
$_q, xrefs: 064491EB
$_q, xrefs: 06449226
$_q, xrefs: 064491DF

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q
API String ID: 0-1171383116
Opcode ID: cfce0d73c55c0bd0619e93eeb12f58d2a12ea9a554da30adc4775a8ceba520d0
Instruction ID: 8b700aad539ef3be3dd244fdbcb70068c695c4867503ffd979df45366e7bbb2f
Opcode Fuzzy Hash: cfce0d73c55c0bd0619e93eeb12f58d2a12ea9a554da30adc4775a8ceba520d0
Instruction Fuzzy Hash: E2915D70B0061A9FEB54EF64D9517AFB7F6BF88300F10856AD419EB348EA309D46CB91

Function 0644CFA0 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 0644D397
$_q, xrefs: 0644D39F
$_q, xrefs: 0644D3AB

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q
API String ID: 0-2441406858
Opcode ID: 3aaf4a0c3382f091fd5c12dd86e69c680f177f0b5275b4a2b615fd0e93f2bfe3
Instruction ID: 5c018a4dc775537c3593683c13cff6ccd93504c98c1fe6a0e515459011c44a6a
Opcode Fuzzy Hash: 3aaf4a0c3382f091fd5c12dd86e69c680f177f0b5275b4a2b615fd0e93f2bfe3
Instruction Fuzzy Hash: 63624F30A106068FDB55EF68D591A5EB7F2FF84304F248AA9D0059F369DB71ED4ACB80

Function 06444BB0 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Odq, xrefs: 06444D8B
fdq, xrefs: 06444BDB
XPdq, xrefs: 06444D01

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: fdq$XPdq$\Odq
API String ID: 0-727959394
Opcode ID: 1364009fb1392a7c4664fbd696ccee20524ae60a516c3b35a80f7c9959271b86
Instruction ID: 5589f37b7f4775b5e6f93ba64ccc1caaeba70dcd0cd25f5b1784dc6c5aced680
Opcode Fuzzy Hash: 1364009fb1392a7c4664fbd696ccee20524ae60a516c3b35a80f7c9959271b86
Instruction Fuzzy Hash: 90617E70F002189FEB54AFA4C8557AEBBF6FB88700F20842AE106EB395DF754D458B91

Function 06449188 Relevance: 2.7, Strings: 2, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_q, xrefs: 0644921A
$_q, xrefs: 064491DF

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q
API String ID: 0-458585787
Opcode ID: 7904fc9edcbca5c3d3d2763386e43fc41837db797e7305226c606b09ed7febd5
Instruction ID: 35c9f530fe1ec5aaf38aab5b10d333f114a09158f0ecd75dd4207cd6b94e244b
Opcode Fuzzy Hash: 7904fc9edcbca5c3d3d2763386e43fc41837db797e7305226c606b09ed7febd5
Instruction Fuzzy Hash: 87516170B006069FEB54EB74D9A17AF73F6BB88310F10856AD419DB398EA30DD02CB91

Function 06444BA0 Relevance: 2.6, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fdq, xrefs: 06444BDB
XPdq, xrefs: 06444D01

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: fdq$XPdq
API String ID: 0-3173836435
Opcode ID: 331ad37e17d8a646d066df806bee9760b0a3d2f4fc57c7afa1ad8ac92a226eef
Instruction ID: 41d942607bb5fc6d6369a4faf1d7185f34548c9562e4fef6bec938cf3c5733e1
Opcode Fuzzy Hash: 331ad37e17d8a646d066df806bee9760b0a3d2f4fc57c7afa1ad8ac92a226eef
Instruction Fuzzy Hash: 60518374F002089FEB589FA4C85579EBBF2EF88700F20842AE105EB395DF758D058B51

Function 00C2EE04 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00C2EE8F

Memory Dump Source

Source File: 00000010.00000002.3742891028.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_c20000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f9415c9e38644aa829f8aae96d48357e945d0eb921fa7e53ecd77d1f83dea728
Instruction ID: f82248431559b7755c0936458fa711190a00397cd1d7a46b8cde52a901b22809
Opcode Fuzzy Hash: f9415c9e38644aa829f8aae96d48357e945d0eb921fa7e53ecd77d1f83dea728
Instruction Fuzzy Hash: 3A2134B1C046599FCB10DFAAD44879EBBF4AB08310F12856AD818B7640D378A945CFA1

Function 00C2EE28 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00C2EE8F

Memory Dump Source

Source File: 00000010.00000002.3742891028.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_c20000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 9f8cd8fc5ab689157130c05ddd260813e5178852919039f985e379f0e9e9e7de
Instruction ID: c17eca0639db0a4b76fabbe983144e60a824fbceece63722e9a3a2f61fd90214
Opcode Fuzzy Hash: 9f8cd8fc5ab689157130c05ddd260813e5178852919039f985e379f0e9e9e7de
Instruction Fuzzy Hash: 8811EFB1C006699BCB10DFAAD544ADEFBF4AB48320F15856AE818B7640D378A944CFA5

Function 0644DB28 Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH_q, xrefs: 0644DC71

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: PH_q
API String ID: 0-2397113591
Opcode ID: 6ff8524067850132ab3651a1aca6c291b0c68e2c3f293c0cc80d19ca81ff7203
Instruction ID: ffdacf95eb82cc08b6886fe217f2fb5914c059d967cc07f5130dd95e4f2fd734
Opcode Fuzzy Hash: 6ff8524067850132ab3651a1aca6c291b0c68e2c3f293c0cc80d19ca81ff7203
Instruction Fuzzy Hash: 8B418070E106099FEB55EF65C89579FBBB2AF85300F20492AE405E7344DFB49946CB81

Function 0644DB15 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

PH_q, xrefs: 0644DC71

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: PH_q
API String ID: 0-2397113591
Opcode ID: d6bb4dfc8fddcf3c7b71308e0c8c7d2ffc7976d75130b31642e87fa4d4979068
Instruction ID: 4714f362cc885825b32a291565c3810ffed5721de10f37619874bbc2e34a4c93
Opcode Fuzzy Hash: d6bb4dfc8fddcf3c7b71308e0c8c7d2ffc7976d75130b31642e87fa4d4979068
Instruction Fuzzy Hash: 7741B230E106099FEB65EF65C89169FBBB2FF85300F24492AE405E7350DBB4D842CB81

Function 064421ED Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

PH_q, xrefs: 0644233B

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: PH_q
API String ID: 0-2397113591
Opcode ID: 652565d603b8be0bf54a3270bfddaa6bf9032da598f816748889b3bbfe6a3201
Instruction ID: 4fc8655aedef0dc2c2f8da83dbad3fa7cf1ef7d7291f88b80ed415a3ef2656ff
Opcode Fuzzy Hash: 652565d603b8be0bf54a3270bfddaa6bf9032da598f816748889b3bbfe6a3201
Instruction Fuzzy Hash: A231F230B102018FEB5AAB74C5557AF7BE2AF88300F24456AE406DB395DFB9DE06C791

Function 06442200 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH_q, xrefs: 0644233B

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: PH_q
API String ID: 0-2397113591
Opcode ID: 88120955410e896ea48ccd58a4c6c0fb6af25edb9d304e60840e29d3eb60b72a
Instruction ID: 992668357848edaa1db91dabaaa271e06d9b0cf2f4854ccdc1954aa9c30511b1
Opcode Fuzzy Hash: 88120955410e896ea48ccd58a4c6c0fb6af25edb9d304e60840e29d3eb60b72a
Instruction Fuzzy Hash: 92310430B102059FEB59AB74C55576F77E2BF88300F244429E406DB394DEB9DE06C791

Function 06444A99 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Odq, xrefs: 06444AA5

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: \Odq
API String ID: 0-4257893106
Opcode ID: f819b883c20217b627d55693550b7c580356a2c68fea65ebd19f345ccd7314bc
Instruction ID: c6441b9b4cce2fda7dfc19d6424aac36064931aec17cd7c4edf7b3c2d150699f
Opcode Fuzzy Hash: f819b883c20217b627d55693550b7c580356a2c68fea65ebd19f345ccd7314bc
Instruction Fuzzy Hash: 20F0F430A64119DFDB14DF94E85A7AE7BF2FF44705F200116E402A7294CB751D01CB80

Function 0644B26F Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29174ea28bc00abaca434795c27bab700d2acc1985c378900b92e9c31ab523f3
Instruction ID: 9c1c95aabc57369a9f9ba743aa5d98978c8a0f98960bf5a04d5dc1854e34a427
Opcode Fuzzy Hash: 29174ea28bc00abaca434795c27bab700d2acc1985c378900b92e9c31ab523f3
Instruction Fuzzy Hash: E7B18634F002099BFF65EA68D5957AFB7F6EB89310F20882AE405EB395CA34DC45C752

Function 06446230 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f838816a866e26e564ed12779330fcc3ca887309af7274edd1bb7da656ab2b3
Instruction ID: feab3367c19bb662cc1265bab2c60fa25adcfd475703bb4ca020ee80bd93df2a
Opcode Fuzzy Hash: 0f838816a866e26e564ed12779330fcc3ca887309af7274edd1bb7da656ab2b3
Instruction Fuzzy Hash: 2F61B0B1F400114FDF55AA7DC8806AFBADBAFD5224B26443AE80EDB364DE65DD0287C1

Function 064442E2 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d658af9d71cb88651b11f9d18f6e08a056c4a581b0a09daebee0c059888c77
Instruction ID: 917a4db05eb0b138174fa1ecc90864385b609d1532271f0ee347ab98db1a2922
Opcode Fuzzy Hash: 21d658af9d71cb88651b11f9d18f6e08a056c4a581b0a09daebee0c059888c77
Instruction Fuzzy Hash: 2C813B30B106098FEF55EFA4D5557AEB7F2EB84304F108529E40AEB798EB70DC468B91

Function 064442F0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b495749657ce113c8475514cae80a477068bcb86166669fc464b58a46310acdb
Instruction ID: 28521d7156be09dc0c406af6c8d3cb04543d28f6bf8d480d74df3799b57a79a3
Opcode Fuzzy Hash: b495749657ce113c8475514cae80a477068bcb86166669fc464b58a46310acdb
Instruction Fuzzy Hash: 95812B30B106098BEF55EFA5D45579EB7F2EB84304F108529E40AEB398EB74DC46CB91

Function 06444600 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a834b3cfab5953c0045268c12644da24eb60ae03812771e15bdbee34d03e67b
Instruction ID: 0f7d7402fc40bc7bd86859c3161245a784189eb218a7125dc8708965d62a5bf8
Opcode Fuzzy Hash: 1a834b3cfab5953c0045268c12644da24eb60ae03812771e15bdbee34d03e67b
Instruction Fuzzy Hash: 2E914D34E106198BDF51DF64C880B9EB7B1FF89310F208696D449BB395DB70AA85CF91

Function 06444618 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f6241483a3fec96c26a57ad328d34212a87868c35f70517cb9f0d91db77887
Instruction ID: d9cfe2fbeb6c59d701e8a28fff32d0196d823e38ad2cef0e6626969c87d8d9ba
Opcode Fuzzy Hash: 47f6241483a3fec96c26a57ad328d34212a87868c35f70517cb9f0d91db77887
Instruction Fuzzy Hash: 6B913034E106198BDF64DF64C880B9EB7B1FF89310F208596D549BB355DB70AA85CF90

Function 0644EF88 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e6ed2675ba0cf1af340de2a6a7e313ff7ce662ff092cac78fae88249d0b592
Instruction ID: 17e3e6c271f3263b27351c7dfc2e6a30868652eefe01a0646e4eab3bc985d182
Opcode Fuzzy Hash: a7e6ed2675ba0cf1af340de2a6a7e313ff7ce662ff092cac78fae88249d0b592
Instruction Fuzzy Hash: 08712F70A001099FEB54EFA9D991A9EBBF6FF84304F24856AE005EB355DB30ED46CB50

Function 0644EF78 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0627cdd334d05435fac882951167502a028261bbdaa9630aecd56d9639097ac7
Instruction ID: c84a6dd7950c2fde118f92b6b9d98afcfe70b26d8eb86c079da282cad5c09c7c
Opcode Fuzzy Hash: 0627cdd334d05435fac882951167502a028261bbdaa9630aecd56d9639097ac7
Instruction Fuzzy Hash: FB712F70A001099FDB54EFA9D991A9EBBF6FF88300F24856AE005EB355DB30ED46CB40

Function 0644FC20 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d5f9743a275bc13388149b7e5624e28e9c425bff83a38b51757119b994c498
Instruction ID: 90931145bd3559e8cd2d8cbf65d4fc654979ad4af4ea6ca53df04d2d490ff68a
Opcode Fuzzy Hash: 12d5f9743a275bc13388149b7e5624e28e9c425bff83a38b51757119b994c498
Instruction Fuzzy Hash: 4251D331E001059FEF94FB78E4866AEB7B2FB84315F20886AD106D7351DF359849CB81

Function 0644F9C1 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c9dc67bbe7094d2c926c48e24a8749695f20b7cdb9eb76478fd275306930f3
Instruction ID: d6856741cce8f7179bf8ca6897c69666f13d0d6ef17cfde3e136ac86d121771f
Opcode Fuzzy Hash: 09c9dc67bbe7094d2c926c48e24a8749695f20b7cdb9eb76478fd275306930f3
Instruction Fuzzy Hash: 2B511A30B202419BFFA5666CD855B2F3A56D7C9300F20486BF00AD73E9CA38CC4983A2

Function 0644F9D0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab7c2364b7927457abf0b4a7acc2dc380f1ec53a02bf029a0581acae032d36a
Instruction ID: 3cda705731d79caad48835b1c13998cad5c02ff7bc22f20f71cf1ad371f20bc7
Opcode Fuzzy Hash: 7ab7c2364b7927457abf0b4a7acc2dc380f1ec53a02bf029a0581acae032d36a
Instruction Fuzzy Hash: E151E830B202059BFFA5766CD955B2F365AD7C9310F20486AF40AD37E9DA79CC4943A2

Function 064455D8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3239fd9c7e35788871bd4f8ec1831186611a35aafe26b0b4190ee0cbb598e3a5
Instruction ID: 662d747e19becd715b0d56126d2e4d9d4d7b675b7d4d2c26497782941fc0a306
Opcode Fuzzy Hash: 3239fd9c7e35788871bd4f8ec1831186611a35aafe26b0b4190ee0cbb598e3a5
Instruction Fuzzy Hash: 28517574E142058FEF7AAA68C58177FBBB2EB45310F24882BD059DB395C635D842CB91

Function 06445468 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444c53b27467311b3fd75b9f0e4d0a768aabc17ff8ebbe02595d4d5b6a943353
Instruction ID: 13ffd190f66b66bcba26ea17f195beb735937cb2ae1435121ad2c6a67a3e6668
Opcode Fuzzy Hash: 444c53b27467311b3fd75b9f0e4d0a768aabc17ff8ebbe02595d4d5b6a943353
Instruction Fuzzy Hash: 67412A71E006098FEF65DEA9D882ABFBBF2FB84310F10492AE116D6654D330E955CB90

Function 064420B0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d2182b023b5564b8bfb0f52807f7b8548db4797ebd444c050134205fb4de21
Instruction ID: acee6dd34a5cb72286814f4355a787e2b9e3cda9bf410ec5f356ad99be55c02f
Opcode Fuzzy Hash: 40d2182b023b5564b8bfb0f52807f7b8548db4797ebd444c050134205fb4de21
Instruction Fuzzy Hash: 81318F34E106099FDB19DF64D89569FBBF2AF89300F10891AE81AEB354DB71AD42CB50

Function 0644D9C8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd301250492501ad0ede4893d992658728b6a1f3526d35340b07e4d72923f40c
Instruction ID: 23f901f54226c590ef2984b017b2281695f65376d9e0e7a68718cf99b4d0da2f
Opcode Fuzzy Hash: fd301250492501ad0ede4893d992658728b6a1f3526d35340b07e4d72923f40c
Instruction Fuzzy Hash: AB31A330E1060A8BDF25EF64D98169EB7B6FF84304F14896AE405FB354EB70A946CB80

Function 064420C0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e110e855b87726474b5a278d3aaf181d68517a892a5eabf540470ed21c891714
Instruction ID: 199a510cb1973ef05a204a4e3a0b485ea016b1da5b32bfdb9756bbae9e39fec1
Opcode Fuzzy Hash: e110e855b87726474b5a278d3aaf181d68517a892a5eabf540470ed21c891714
Instruction Fuzzy Hash: 7B318030E106099FDB59DF64D89569FFBF2AF89300F10892AE816EB354DB71AD42CB50

Function 06443EE9 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9454dbf00444a2496e6f2145d56425120ba4d16e7fdc81d947317a276e1e47d0
Instruction ID: 3f90eb00f8d2b344a0882b3cd6fd7deee8a5ff01af14cde1066792b8838a32bf
Opcode Fuzzy Hash: 9454dbf00444a2496e6f2145d56425120ba4d16e7fdc81d947317a276e1e47d0
Instruction Fuzzy Hash: A021A075F156059FEB11DF6AE841AAEBBF6AB48710F108026E905E7354D734DC018B91

Function 06443EF8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5f2be79645c6439b904707eb8d2c568863af1d82452dbc410b087c4a9f1bad
Instruction ID: ee258868368a10b356918a7512ed61af8435240f3496613475038c06ed20280c
Opcode Fuzzy Hash: 1f5f2be79645c6439b904707eb8d2c568863af1d82452dbc410b087c4a9f1bad
Instruction Fuzzy Hash: D7219F75E056159FEB51EF6AE941AAEBBF2EB48710F108026E905E7344E730DC01CB91

Function 0644545A Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af37404f1819acbde1d663bc4aa44cb8ebb47f40fa6818dc4433c76c3d67a282
Instruction ID: 834fec947a06785683af3c2542806f0bddb1977e33e340a90b78b7b113ffc65c
Opcode Fuzzy Hash: af37404f1819acbde1d663bc4aa44cb8ebb47f40fa6818dc4433c76c3d67a282
Instruction Fuzzy Hash: BC219031A006099FDF65DFA9C8826AFBBF2FF85310F10492AD115DB254D370A945CB90

Function 00B5D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3742031328.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_b5d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd3650c1750cfc004a5236c1fb9e50f958fd1618b502002607264361cfcfbb9
Instruction ID: 1bbbf74c559e39dee76f7877348dbea0e89581cc8e0fbe5a4e5f2b2af10820f8
Opcode Fuzzy Hash: 8dd3650c1750cfc004a5236c1fb9e50f958fd1618b502002607264361cfcfbb9
Instruction Fuzzy Hash: 18212571504204DFDB20DF14D9D0B26BBA5EB84314F28C6EDED094B296C33AD84BCA61

Function 00B5D005 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3742031328.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_b5d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac3b894549699959a8ed3f0f36da9f9b7a71a8068f57913d7e58f029f641bf4
Instruction ID: db697180568fd18741acef1adba325b2c1495b24485adf38aefeedac16418eca
Opcode Fuzzy Hash: fac3b894549699959a8ed3f0f36da9f9b7a71a8068f57913d7e58f029f641bf4
Instruction Fuzzy Hash: 2E2151715093C49FD713CB24D994711BF71EB46214F29C5DBD8898F2A7C23A981AC762

Function 06446D60 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d54b747a9825631468d7a7e528879555d3cd6fb3d57b3afbc5577ef0e8bfd6a
Instruction ID: 3c582e701a507c9ec283b31d210121a3a79be4fadb05c3f2d8494cdfb0f0ce69
Opcode Fuzzy Hash: 9d54b747a9825631468d7a7e528879555d3cd6fb3d57b3afbc5577ef0e8bfd6a
Instruction Fuzzy Hash: 6B21E430F101189FEF44EB69E55169EB7F7EB85310F24842AE405DB344DB31AD428B80

Function 064434A8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89762a3f42b22061bd1ee041f3aec5c1d35d1811e4c10e9a6db8845c05164d3e
Instruction ID: c46e421d67af42abbaea0ce24abf7245285f5be216feff7bfbfb6842cf41765f
Opcode Fuzzy Hash: 89762a3f42b22061bd1ee041f3aec5c1d35d1811e4c10e9a6db8845c05164d3e
Instruction Fuzzy Hash: 8A118171E002289BDB59EF6AD8826DEB7F5EB89710F14856AE009E7344DA31D941CF90

Function 06444008 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704f48dcaf940567d9742cc51fa03b168b4c44cc84007e9c59c791f18ce1717f
Instruction ID: 74eda981e10048834eacb152316aa8a733ae85190947b76ce28e3b284653534f
Opcode Fuzzy Hash: 704f48dcaf940567d9742cc51fa03b168b4c44cc84007e9c59c791f18ce1717f
Instruction Fuzzy Hash: 13110835B144259FEF58A678D8116AF73E6EBC9311F00813AD406EB344EE71CC0287D2

Function 06444240 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c19d231c9215a39d3664d07fee9f81174ed0df93b7d5f4146819020cb35e1b
Instruction ID: 63f69d5684cdf77ad4836f5b976097b686273485c7a7657245367ca17fc25e25
Opcode Fuzzy Hash: 83c19d231c9215a39d3664d07fee9f81174ed0df93b7d5f4146819020cb35e1b
Instruction Fuzzy Hash: 46012475B004110FEB9AAABC94527EB67D7EBC9721F20842BE10AC7395EE20DC0347A5

Function 06443FF8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff603aa782bbb45baa7d42c7188db2f69c97692b55dcd92157193e1f1947d60
Instruction ID: 661ae4d0d40d9c9ae9417351a5aaf7e55e02cd6dca3bc31079ac79ae1601448f
Opcode Fuzzy Hash: 5ff603aa782bbb45baa7d42c7188db2f69c97692b55dcd92157193e1f1947d60
Instruction Fuzzy Hash: 0401D436B144255BEFA9A668E8117EF77E7EBC9301F04413AD119E7394EE618C0387E2

Function 06443CC0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585338f94208d3a65e7b2b7006d6da4d99a0edb422d7aae9b00aea516434174d
Instruction ID: e3dcb02adb620cf0c5755fabdf090b7332e613c1d9244e154ef6ce5f804ab80b
Opcode Fuzzy Hash: 585338f94208d3a65e7b2b7006d6da4d99a0edb422d7aae9b00aea516434174d
Instruction Fuzzy Hash: 7821D3B5D01259AFDB00DF9AD985ADEFBB8FB08314F10812AE918B7310C3746554CFA5

Function 0644A350 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d5bda2bfd1ebd4d3a66a6b5a3ee70476b393a49a283ddadc4bd3c1d2f479eca
Instruction ID: 963df4506513e39615f8c31a730116cb407392863e5dea661410ec835d7bc444
Opcode Fuzzy Hash: 0d5bda2bfd1ebd4d3a66a6b5a3ee70476b393a49a283ddadc4bd3c1d2f479eca
Instruction Fuzzy Hash: 3501D471B545004FEBA6EA3CD85279F77D2EB85710F10463AF00ACB758EA21DC438781

Function 06443CC8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce237b0a44e20facab05cceba1ba5baa0c44e93df184dbaa9e2ba0097f984873
Instruction ID: b72a763607852450aba9456856d72ac842ff4c8d538ef9b71094f6f45c64df22
Opcode Fuzzy Hash: ce237b0a44e20facab05cceba1ba5baa0c44e93df184dbaa9e2ba0097f984873
Instruction Fuzzy Hash: 8511D0B5D01259AFCB00DF9AD885ACEFBB4FB48710F10812AE918B7200C375A954CFA5

Function 06444250 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f27df6403cbb36189d1fdbef1bb8283e08382ce2d2bc05388aa0c5fdb7c961
Instruction ID: 47d008a72f16785a35056045ebe749f2fb83c7ec548b5b24f850a0b1face639a
Opcode Fuzzy Hash: 43f27df6403cbb36189d1fdbef1bb8283e08382ce2d2bc05388aa0c5fdb7c961
Instruction Fuzzy Hash: ED01D130B104150BEB69A6ADD452BEFB6DAEBC9721F20843BF10EC7394EE61DC024394

Function 0644F1F8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf31404bacd36db146039ce3b8f537134010fb82edbb0cb198fb92b2cbf6d2ef
Instruction ID: 9eae6587778ba7413bb3981e844b09b40512132eb0562c87e73f75b6d0b6e361
Opcode Fuzzy Hash: cf31404bacd36db146039ce3b8f537134010fb82edbb0cb198fb92b2cbf6d2ef
Instruction Fuzzy Hash: 51012B79F144514FDB96E6B8A85276F77C6DBC8620F14C42BF00AC7364EE25CC024391

Function 0644F208 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa348c663a37a2c02e0fa61f5d7c7053d418174504e42823ecccde35041b2a7
Instruction ID: 8e05a11ccecaff4521006a4f2b839e5cfa9227eb415b93957dfe1ec2ee2dcfd5
Opcode Fuzzy Hash: 5aa348c663a37a2c02e0fa61f5d7c7053d418174504e42823ecccde35041b2a7
Instruction Fuzzy Hash: C801D138B104100BDBA9E5BCA85276F77D6EBC8620F10843AF10AC7364EE62DC024785

Function 0644A360 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaed8da8dbc41af30c289a7e99ff14b2607f981101b5062f3feb5cd66f324ead
Instruction ID: cc522e25ccbc22248204d1fca20b9f08a077a76a35c53e0c6e0a73a9c56e4c6a
Opcode Fuzzy Hash: eaed8da8dbc41af30c289a7e99ff14b2607f981101b5062f3feb5cd66f324ead
Instruction Fuzzy Hash: 15018130B105158FEB65EA78D456B1F73D6EB89B10F10852AF10ACB758EA21DC428780

Function 064464B8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b53d5e1409f9fa4f210ace22c2c329b03b190f6e808b6e8f5087e0e2d339c8
Instruction ID: 98dbd2b5fbabd235b8fe2ba513632271c27e9e8e886ef983ada821d4ef6c3bea
Opcode Fuzzy Hash: f6b53d5e1409f9fa4f210ace22c2c329b03b190f6e808b6e8f5087e0e2d339c8
Instruction Fuzzy Hash: 65E0D871E181485BFF61DAB0CB5635B3764EB03214F2049F7D804D7202D179CE01C780

Function 064464C8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d124b261bd5f6de9eb3ac609dd1d7fbe9fc6a93b35130c34e1e88ce4c34594
Instruction ID: c64c60c0240e4165ae3bf007827a1c26ce1f96cdfb51181064f6d68c0cd7a3de
Opcode Fuzzy Hash: 94d124b261bd5f6de9eb3ac609dd1d7fbe9fc6a93b35130c34e1e88ce4c34594
Instruction Fuzzy Hash: 66E08C70E1020CABFF60EAA0CA1675B73ACE702244F2188A6D408C7201E1B6CA018380

Non-executed Functions

Function 064476E8 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$_q, xrefs: 06447C5B
$_q, xrefs: 06447C71
$_q, xrefs: 064477FF
$_q, xrefs: 06447C65
$_q, xrefs: 06447BB0
$_q, xrefs: 06447824
$_q, xrefs: 064477F3
$_q, xrefs: 06447830
$_q, xrefs: 06447BBC
$_q, xrefs: 06447C4F

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-698649689
Opcode ID: 24aa154c7d76876cf4f33a281503ae9a4086541180018847f6b4d56bc8173dcc
Instruction ID: 38377cd2c758dd5f94f991021cf2f97afe80c89983fc38e0a9e66317031822fb
Opcode Fuzzy Hash: 24aa154c7d76876cf4f33a281503ae9a4086541180018847f6b4d56bc8173dcc
Instruction Fuzzy Hash: F9122F30E00619CFEB65EF65C955A9EB7F2BF88304F20856AD409AB365DB309D46CF81

Function 0644A980 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$_q, xrefs: 0644AB3E
$_q, xrefs: 0644AA76
$_q, xrefs: 0644AB08
$_q, xrefs: 0644AAFC
$_q, xrefs: 0644AB32
$_q, xrefs: 0644AA82
$_q, xrefs: 0644AADD
$_q, xrefs: 0644AAD1

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-2216122830
Opcode ID: 5fe5b234ce038dc00cf9631a9ef70b58b8bf6d83a9b84b658da570bed5f11835
Instruction ID: e0f81099386576197c011ffde68a35752edebd34c896e815ae87ac86c8b2e186
Opcode Fuzzy Hash: 5fe5b234ce038dc00cf9631a9ef70b58b8bf6d83a9b84b658da570bed5f11835
Instruction Fuzzy Hash: 90918230A44209DFEBA9EF65D586B6F77F2BF44300F20852AE401AB359DB749D85CB90

Function 064470E8 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

.5wq, xrefs: 06447143
$_q, xrefs: 06447424
$_q, xrefs: 064475F0
$_q, xrefs: 06447584
$_q, xrefs: 06447430
$_q, xrefs: 064473CA
$_q, xrefs: 064475FC

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: .5wq$$_q$$_q$$_q$$_q$$_q$$_q
API String ID: 0-3129995876
Opcode ID: db94f88c4b805e002f9a8266372b68d4c36d946365b09caaeea5158385b7dfcb
Instruction ID: c00025ff81b1496496408f6231fbd29bcd91eb07800c39db6b4bf9ab9e3f0847
Opcode Fuzzy Hash: db94f88c4b805e002f9a8266372b68d4c36d946365b09caaeea5158385b7dfcb
Instruction Fuzzy Hash: 88F15E30B05605DFEB59EF68D595A6EBBB3BF84300F24856AE4059B769CF349C42CB80

Function 06448418 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$_q, xrefs: 064486E3
$_q, xrefs: 0644867E
$_q, xrefs: 06448672
$_q, xrefs: 064486D7

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q
API String ID: 0-1171383116
Opcode ID: f2eee5436ecfe44f6739f4abbfde3dc246c2470e8e72509559f4220e0370d3d0
Instruction ID: 14e86d84f57fd2911961fb6cce2cc4fd25162828a3eef5c23a079b65fdcd0327
Opcode Fuzzy Hash: f2eee5436ecfe44f6739f4abbfde3dc246c2470e8e72509559f4220e0370d3d0
Instruction Fuzzy Hash: 6EB16B30E10219CFEB69EF68D99566EB7F2BF84300F24846AD4059B359DB74DC82CB80

Function 0644AD08 Relevance: 5.2, Strings: 4, Instructions: 171COMMON

Download Yara Rule

Strings

$_q, xrefs: 0644AEBB
$_q, xrefs: 0644AE8C
$_q, xrefs: 0644AEE4
$_q, xrefs: 0644AE39

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: $_q$$_q$$_q$$_q
API String ID: 0-1171383116
Opcode ID: 6fd1c04cfabb6f24c84a60ca6c23d242afc17233f2d44dd02342af382745ab55
Instruction ID: 63e211d9b72ffd939e3081cc37f4846b3c75b1712ac7a5a81635a573a55dd273
Opcode Fuzzy Hash: 6fd1c04cfabb6f24c84a60ca6c23d242afc17233f2d44dd02342af382745ab55
Instruction Fuzzy Hash: AF51A470A512058FEF66EB64D4826AEB7F3FB48301F24856BE8159B359DB30DC82CB51

Function 06448830 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR_q, xrefs: 06448923
$_q, xrefs: 064488BB
LR_q, xrefs: 06448972
$_q, xrefs: 064488AF

Memory Dump Source

Source File: 00000010.00000002.3760133056.0000000006440000.00000040.00000800.00020000.00000000.sdmp, Offset: 06440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6440000_adobe.jbxd

Similarity

API ID:
String ID: LR_q$LR_q$$_q$$_q
API String ID: 0-2912794808
Opcode ID: 72caef63f66ddb7a281986c8180b2b278cd0eaa9804f7c8a943e4b2a14f2ab4c
Instruction ID: 4910f2333b0bfd05ae3ff0535201664512c0986340663b16d500f2b5a4d99093
Opcode Fuzzy Hash: 72caef63f66ddb7a281986c8180b2b278cd0eaa9804f7c8a943e4b2a14f2ab4c
Instruction Fuzzy Hash: E151B430B006029FEB59EB24C992B6A77F6FF84700F14856AE4159F3A9DB71EC05CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HBL BLJ2T2411809005 & DAJKT2411000812.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\adobe.exe.log

C:\Users\user\AppData\Roaming\Adobe\adobe.exe

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
HBL BLJ2T2411809005 & DAJKT2411000812.exe

Function 02FDD349 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Function 02FDD358 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 02FDB0D0 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 02FD590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 02FD4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02FDD5A0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 02FDD599 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 02FDB2C0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre